I'm hoping you guys can help me out with something I've seen lately. I've had several clients get notified by their ISP via email that a trojan was detected via their IP address. These emails suggest scanning computers in their home with special tools, and then have links to those tools.

Every time I've seen these emails, I've scanned my clients computers with my usual AV tools (which are pretty thorough and powerful) and found nothing. I've tried a couple of the tools the email recommends, as the links appear completely genuine and link to sites like Microsoft.com and Symantec.com. I've not clicked on the links directly, but I've gone to the sites and found the tools myself. None of those scans have ever found any trace of the trojan they're claiming.

Just to be safe, I'll explain that the trojan is named after the Greek god of thunder. I don't want these forums to have any association with this thing on the internet.

The ISP in question is, I believe, always Cox. The email comes from what seems like a legit Cox email address, all of the links seem to have no problems, and I can't see where the scam would be here. I'm pretty sure it's NOT a scam, because I had one client get her internet access suspended twice because Cox continued to detect the trojan on her IP address, despite repeated assurances that we had scanned all the computers with the tools they recommended!

I'm asking this because I just had another client ask me about the email she got from Cox, and I'm happy to scan her computer but I know I'm going to find nothing. Every time I've seen someone discuss this on the web, it's been the same exact story: letter from Cox, scans found nothing.

Any idea what could be happening here?

This one? Wikipedia link to Zeus Malware

I don't have any specific tips to share, though I'm fine with the name of an awesome Greek god being here

I wonder, if it's even true that they can detect a virus remotely, if the virus is residing on their modem/router and not on the clients' computers.

My guess would be that ISPs could probably work out the difference only if they had admin access into the home router.

Ever since the Code Red/Nimda viral outbreaks that quashed many major networks, cable providers ended up adding a lot of scanning security tech to their networks. These days it's been handy at detecting the non viral kind like the Zeus malware too. I scope this to cable modem networks due to Code Red hiting them particularly hard. This was due to some subnetting practices back then that essentially had neighborhoods running more like a LAN. ISDN/DSL variants of broadband were a little more protected by default from Code Red/Nimda but not by much. Ultimately the rise of home routers added a lot of security via obscurity due to hiding peoples computers behind NAT.

Somewhere I may still have logs from my home linux server that show how bad @Home cable internet was being hammered by those Windows only virus infection attempts.

Basics of their security tech is that it knows the command and control servers or other malware infrastructure, and sees when customers are making repeated routing requests to those destinations. This has led to some cat and mouse games, as initially malware would have specific ports it used. These days, I wouldn't be surprised if the more difficult kind of malware is routing it's C&C traffic through tor or torrent like networks. It's long been a common practice to route C&C traffic into IRC or other similar mediums to try and avoid detection.

My exposure to security risks in the 90s at ISPs I helped run, and the light security work I did for a cancelled MMO really helped me appreciate not getting into InfoSec full time.

Some Cox (Comcast and Cablevision, too) wifi routers broadcast public hotspots as part of their residential/small business package. Is it possible these hotspots are the source?

http://arstechnica.com/tech-policy/2014/...ublic-hotspots/

I can see two xfinity hotspots from my house...

-jk

I've seen that on Comcast routers, but I don't think Cox is doing that.

So far, my advice is usually to wait and see if they get a second notice. If the ISP is insistent, then I scan their computers, and never find anything.