Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Network Trojan detected? How do I remove?

H

Hypnosis

macrumors member
Original poster
Jun 16, 2015
40
4
Got a message from my school's Internet department saying they detected a pushdo Trojan (network Trojan). I've run a full system scan and nothing showed up. Is there anything I can do to pinpoint this thing and delete it? I am very cautious about what I open in e-mails and online, so I'm really confused and embarrassed that this happened.


Here's the specific information that was provided (if it helps):

2016-02-26-05:11:02 UTC [**] [1:2019235:1]CUSTOMSEC -- AUTOBLOCKSAFE -- TROJAN Pushdo v3 Checkin [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} %my IP% -> 8.42.17.194:443
 
Is it the school IT department's policy to send out these kinds of messages and let the recipient deal with it?

"Pushdo" is Windows-only, I'm pretty sure. Are you running Windows on your Mac in any way? Is that your IP address? Has there been a Windows machine connected there?
 
  • Like
Reactions: chabig
BrianBaughn said:
Is it the school IT department's policy to send out these kinds of messages and let the recipient deal with it?

"Pushdo" is Windows-only, I'm pretty sure. Are you running Windows on your Mac in any way? Is that your IP address? Has there been a Windows machine connected there?
Click to expand...

Really? No Windows currently and never has been one. That is not my IP address. I blocked my IP address; I'm guessing thats the IP address that the network is sending all the traffic to? I'm not quite sure how Pushdo trojans work. Also, yes, they require us to have antimalware and antivirus installed. They told me to just scan and it'll unblock. The next time it happens, I'll have to go for a physical appointment to get my laptop checked.

Dwayne82 said:
Did you scan for malware with a scanner like this one (Malwarebytes Anti Malware)?
Click to expand...

Yes, I did a full system scan using Avast. Nothing was found.
 
Hypnosis said:
Really? No Windows currently and never has been one. That is not my IP address. I blocked my IP address; I'm guessing thats the IP address that the network is sending all the traffic to? I'm not quite sure how Pushdo trojans work. Also, yes, they require us to have antimalware and antivirus installed. They told me to just scan and it'll unblock. The next time it happens, I'll have to go for a physical appointment to get my laptop checked.



Yes, I did a full system scan using Avast. Nothing was found.
Click to expand...
Avast couldn't find its ass with both hands.

Anyway, it's a Windows only Trojan, if you are not running Windows in boot amp or a vm then it's not you that's caused the report, probably another user that had your IP before you.
 
  • Like
Reactions: chabig and Ursadorable
The network intrusion detection appliance they have running there detected allegedly malicious code being communicated from "my IP" (ie: your Mac) with http://8.42.17.194:443/.

Whois report on that IP says it's a runescape server.

Most likely a red herring, so just do what they told you to do and you'll probably be unblocked.

I've had intrusion detection appliances detect that I was torrenting once, but it was just a Cygwin terminal opened up with an xterm session to an AIX server elsewhere on the network.

False positives happen now and then. It's possible this could be one of those times. Then again, it's also possible that your school has a policy against playing games with school network resources, and block traffic of that nature, but given that it says it detected a Trojan, the former is more likely ... Unless they purposefully setup the security appliance for some reason to send that specific message when it blocks runescape traffic. I can't see why they'd do that, unless one of the admins has a sense of humour and likes to see their users squirm (wouldn't be the first time I've seen that.)
 
Last edited:
Hypnosis said:
Yes, I did a full system scan using Avast. Nothing was found.
Click to expand...
Avast is good in scanning for Viruses (it scans also for Windows Viruses, because a Mac can be a carrier of windows viruses and can affect windows-machines) Troyans could be found by avast, but not necessairily. The malware scan finds those kind of "infections" better.
 
duervo said:
The network intrusion detection appliance they have running there detected allegedly malicious code being communicated from "my IP" (ie: your Mac) with http://8.42.17.194:443/.

Whois report on that IP says it's a runescape server.

Most likely a red herring, so just do what they told you to do and you'll probably be unblocked.

I've had intrusion detection appliances detect that I was torrenting once, but it was just a Cygwin terminal opened up with an xterm session to an AIX server elsewhere on the network.

False positives happen now and then. It's possible this could be one of those times. Then again, it's also possible that your school has a policy against playing games with school network resources, and block traffic of that nature, but given that it says it detected a Trojan, the former is more likely ... Unless they purposefully setup the security appliance for some reason to send that specific message when it blocks runescape traffic. I can't see why they'd do that, unless one of the admins has a sense of humour and likes to see their users squirm (wouldn't be the first time I've seen that.)
Click to expand...

That must be it. My roommate went on my MBP to log into his game account because his was being repaired at a computer shop. I got the message a few minutes after he got off. He launched the game's client through Terminal. It might have had to do something with that.

Ursadorable said:
AVAST is one of the worst AV packages out there, I've had to replace it on our corporate computers because it misses so much, and reports tons of false positives.
Click to expand...

I have to download Avast or Avira (as forced by my school) in order to gain WiFi access. Would Avira be better?
 
Use Avira Free. Avast, in addition to missing targets, is sort of a resource hog.
 
duervo said:
Use Avira Free. Avast, in addition to missing targets, is sort of a resource hog.
Click to expand...

Okay. Also I just got another email from the IT department. Another false positive. The same thing happened. Launched the game client and a few minutes later, I get kicked off. Do you have any idea why the game client is causing this? I've never heard of something like this before...
 
Probably against the TOS for the school network. It's pretty common to disallow gaming traffic on school networks. The security appliance could be incorrectly detecting the runescape traffic as Trojan-type too. When they told you to do the AV scan, they most likely just sent you a canned response, and didn't even examine the report any closer than seeing the word "Trojan" in the header.

If you feel it is allowed, and they are blocking you inadvertently, then call their help desk and explain the situation to them. Tell them that their intrusion detection system appears to be misinterpreting traffic from runescape client on your system as a Trojan/malware.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back