Network Trojan detected? How do I remove?

Hypnosis · Feb 25, 2016

Got a message from my school's Internet department saying they detected a pushdo Trojan (network Trojan). I've run a full system scan and nothing showed up. Is there anything I can do to pinpoint this thing and delete it? I am very cautious about what I open in e-mails and online, so I'm really confused and embarrassed that this happened.

Here's the specific information that was provided (if it helps):

2016-02-26-05:11:02 UTC [**] [1:2019235:1]CUSTOMSEC -- AUTOBLOCKSAFE -- TROJAN Pushdo v3 Checkin [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} %my IP% -> 8.42.17.194:443

Dwayne82 · Feb 26, 2016

Did you scan for malware with a scanner like this one (Malwarebytes Anti Malware)?

BrianBaughn · Feb 26, 2016

Is it the school IT department's policy to send out these kinds of messages and let the recipient deal with it?

"Pushdo" is Windows-only, I'm pretty sure. Are you running Windows on your Mac in any way? Is that your IP address? Has there been a Windows machine connected there?

Hypnosis · Feb 26, 2016

BrianBaughn said:
Is it the school IT department's policy to send out these kinds of messages and let the recipient deal with it?

"Pushdo" is Windows-only, I'm pretty sure. Are you running Windows on your Mac in any way? Is that your IP address? Has there been a Windows machine connected there?

Really? No Windows currently and never has been one. That is not my IP address. I blocked my IP address; I'm guessing thats the IP address that the network is sending all the traffic to? I'm not quite sure how Pushdo trojans work. Also, yes, they require us to have antimalware and antivirus installed. They told me to just scan and it'll unblock. The next time it happens, I'll have to go for a physical appointment to get my laptop checked.

Dwayne82 said:
Did you scan for malware with a scanner like this one (Malwarebytes Anti Malware)?

Yes, I did a full system scan using Avast. Nothing was found.

Marshall73 · Feb 26, 2016

Hypnosis said:
Really? No Windows currently and never has been one. That is not my IP address. I blocked my IP address; I'm guessing thats the IP address that the network is sending all the traffic to? I'm not quite sure how Pushdo trojans work. Also, yes, they require us to have antimalware and antivirus installed. They told me to just scan and it'll unblock. The next time it happens, I'll have to go for a physical appointment to get my laptop checked.

Yes, I did a full system scan using Avast. Nothing was found.

Avast couldn't find its ass with both hands.

Anyway, it's a Windows only Trojan, if you are not running Windows in boot amp or a vm then it's not you that's caused the report, probably another user that had your IP before you.

duervo · Feb 26, 2016

The network intrusion detection appliance they have running there detected allegedly malicious code being communicated from "my IP" (ie: your Mac) with http://8.42.17.194:443/.

Whois report on that IP says it's a runescape server.

Most likely a red herring, so just do what they told you to do and you'll probably be unblocked.

I've had intrusion detection appliances detect that I was torrenting once, but it was just a Cygwin terminal opened up with an xterm session to an AIX server elsewhere on the network.

False positives happen now and then. It's possible this could be one of those times. Then again, it's also possible that your school has a policy against playing games with school network resources, and block traffic of that nature, but given that it says it detected a Trojan, the former is more likely ... Unless they purposefully setup the security appliance for some reason to send that specific message when it blocks runescape traffic. I can't see why they'd do that, unless one of the admins has a sense of humour and likes to see their users squirm (wouldn't be the first time I've seen that.)

Dwayne82 · Feb 27, 2016

Hypnosis said:
Yes, I did a full system scan using Avast. Nothing was found.

Avast is good in scanning for Viruses (it scans also for Windows Viruses, because a Mac can be a carrier of windows viruses and can affect windows-machines) Troyans could be found by avast, but not necessairily. The malware scan finds those kind of "infections" better.

Ursadorable · Feb 28, 2016

Marshall73 said:
Avast couldn't find its ass with both hands.

Dwayne82 said:
Avast is good in scanning for Viruses

AVAST is one of the worst AV packages out there, I've had to replace it on our corporate computers because it misses so much, and reports tons of false positives.

Hypnosis · Feb 29, 2016

duervo said:
The network intrusion detection appliance they have running there detected allegedly malicious code being communicated from "my IP" (ie: your Mac) with http://8.42.17.194:443/.

Whois report on that IP says it's a runescape server.

Most likely a red herring, so just do what they told you to do and you'll probably be unblocked.

I've had intrusion detection appliances detect that I was torrenting once, but it was just a Cygwin terminal opened up with an xterm session to an AIX server elsewhere on the network.

False positives happen now and then. It's possible this could be one of those times. Then again, it's also possible that your school has a policy against playing games with school network resources, and block traffic of that nature, but given that it says it detected a Trojan, the former is more likely ... Unless they purposefully setup the security appliance for some reason to send that specific message when it blocks runescape traffic. I can't see why they'd do that, unless one of the admins has a sense of humour and likes to see their users squirm (wouldn't be the first time I've seen that.)

That must be it. My roommate went on my MBP to log into his game account because his was being repaired at a computer shop. I got the message a few minutes after he got off. He launched the game's client through Terminal. It might have had to do something with that.

Ursadorable said:
AVAST is one of the worst AV packages out there, I've had to replace it on our corporate computers because it misses so much, and reports tons of false positives.

I have to download Avast or Avira (as forced by my school) in order to gain WiFi access. Would Avira be better?

duervo · Feb 29, 2016

Use Avira Free. Avast, in addition to missing targets, is sort of a resource hog.

Hypnosis · Feb 29, 2016

duervo said:
Use Avira Free. Avast, in addition to missing targets, is sort of a resource hog.

Okay. Also I just got another email from the IT department. Another false positive. The same thing happened. Launched the game client and a few minutes later, I get kicked off. Do you have any idea why the game client is causing this? I've never heard of something like this before...

duervo · Feb 29, 2016

Probably against the TOS for the school network. It's pretty common to disallow gaming traffic on school networks. The security appliance could be incorrectly detecting the runescape traffic as Trojan-type too. When they told you to do the AV scan, they most likely just sent you a canned response, and didn't even examine the report any closer than seeing the word "Trojan" in the header.

If you feel it is allowed, and they are blocking you inadvertently, then call their help desk and explain the situation to them. Tell them that their intrusion detection system appears to be misinterpreting traffic from runescape client on your system as a Trojan/malware.

Search

Search

Network Trojan detected? How do I remove?

Hypnosis

macrumors member

Dwayne82

macrumors member

BrianBaughn

macrumors G3

Hypnosis

macrumors member

Marshall73

macrumors 68030

duervo

macrumors 68020

Dwayne82

macrumors member

Ursadorable

macrumors 6502a

Hypnosis

macrumors member

duervo

macrumors 68020

Hypnosis

macrumors member

duervo

macrumors 68020

Our Staff