Network Trojan detected? How do I remove?

Discussion in 'Mac Basics and Help' started by Hypnosis, Feb 25, 2016.

  1. Hypnosis macrumors member

    Joined:
    Jun 16, 2015
    #1
    Got a message from my school's Internet department saying they detected a pushdo Trojan (network Trojan). I've run a full system scan and nothing showed up. Is there anything I can do to pinpoint this thing and delete it? I am very cautious about what I open in e-mails and online, so I'm really confused and embarrassed that this happened.


    Here's the specific information that was provided (if it helps):

    2016-02-26-05:11:02 UTC [**] [1:2019235:1]CUSTOMSEC -- AUTOBLOCKSAFE -- TROJAN Pushdo v3 Checkin [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} %my IP% -> 8.42.17.194:443
     
  2. Dwayne82 macrumors member

    Joined:
    May 16, 2015
    Location:
    Switzerland
    #2
    Did you scan for malware with a scanner like this one (Malwarebytes Anti Malware)?
     
  3. BrianBaughn macrumors 601

    Joined:
    Feb 13, 2011
    Location:
    Baltimore, Maryland
    #3
    Is it the school IT department's policy to send out these kinds of messages and let the recipient deal with it?

    "Pushdo" is Windows-only, I'm pretty sure. Are you running Windows on your Mac in any way? Is that your IP address? Has there been a Windows machine connected there?
     
  4. Hypnosis thread starter macrumors member

    Joined:
    Jun 16, 2015
    #4
    Really? No Windows currently and never has been one. That is not my IP address. I blocked my IP address; I'm guessing that's the IP address that the network is sending all the traffic to? I'm not quite sure how Pushdo trojans work. Also, yes, they require us to have antimalware and antivirus installed. They told me to just scan and it'll unblock. The next time it happens, I'll have to go for a physical appointment to get my laptop checked.

    Yes, I did a full system scan using Avast. Nothing was found.
     
  5. Marshall73 macrumors 6502a

    Joined:
    Apr 20, 2015
    #5
    Avast couldn't find its ass with both hands.

    Anyway, it's a Windows-only Trojan. If you are not running Windows in Boot Camp or a VM, then it's not you that caused the report; probably another user had your IP before you.
     
  6. duervo, Feb 26, 2016
    Last edited: Feb 26, 2016

    duervo macrumors 68000

    Joined:
    Feb 5, 2011
    #6
    The network intrusion detection appliance they have running there detected allegedly malicious code being communicated from "my IP" (ie: your Mac) with http://8.42.17.194:443/.

    Whois report on that IP says it's a runescape server.

    Most likely a red herring, so just do what they told you to do and you'll probably be unblocked.

    I've had intrusion detection appliances detect that I was torrenting once, but it was just a Cygwin terminal opened up with an xterm session to an AIX server elsewhere on the network.

    False positives happen now and then. It's possible this could be one of those times. Then again, it's also possible that your school has a policy against playing games with school network resources, and block traffic of that nature, but given that it says it detected a Trojan, the former is more likely ... Unless they purposefully setup the security appliance for some reason to send that specific message when it blocks runescape traffic. I can't see why they'd do that, unless one of the admins has a sense of humour and likes to see their users squirm (wouldn't be the first time I've seen that.)
     
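Post #6 reads the alert in post #1 as "my IP" talking to 8.42.17.194:443. The alert line is in the Snort/Suricata "fast" alert format (timestamp, `[gid:sid:rev]`, signature message, classification, priority, protocol, source -> destination). The script below is an added example, not code from the thread or from any of the posters: it parses that line, works out whether the local machine was the source or the destination of the flow, and builds the `lsof` command a Mac user would run to see which local process holds the connection. The address `10.0.0.23` stands in for the poster's redacted `%my IP%` and is an assumption; the sample alert is constructed from the one quoted in post #1.

```python
"""Parse a Snort/Suricata fast-format alert and say what it claims about one host."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the alert from post #1. The poster's own
# address was redacted as "%my IP%"; 10.0.0.23 is an assumed stand-in.
SAMPLE_ALERT = (
    "2016-02-26-05:11:02 UTC [**] [1:2019235:1]CUSTOMSEC -- AUTOBLOCKSAFE -- "
    "TROJAN Pushdo v3 Checkin [**] [Classification: A Network Trojan was Detected] "
    "[Priority: 1] {TCP} 10.0.0.23 -> 8.42.17.194:443"
)

# Fast-format layout. Ports are optional (ICMP alerts have none). IPv4 only:
# an IPv6 address contains colons and would need a different src/dst pattern.
ALERT_RE = re.compile(
    r"""^(?P<ts>\S+(?:\s+UTC)?)\s+\[\*\*\]\s+
        \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*(?P<msg>.*?)\s+\[\*\*\]\s+
        (?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?
        \[Priority:\s*(?P<prio>\d+)\]\s+
        \{(?P<proto>\w+)\}\s+
        (?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+
        (?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$""",
    re.VERBOSE,
)


@dataclass
class Alert:
    timestamp: str
    gid: int
    sid: int          # rule id; IT can look this up in their ruleset
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_alert(line: str) -> Alert:
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a fast-format alert: {line!r}")
    g = m.groupdict()
    return Alert(
        timestamp=g["ts"], gid=int(g["gid"]), sid=int(g["sid"]), rev=int(g["rev"]),
        msg=g["msg"].strip(), classification=g["cls"], priority=int(g["prio"]),
        proto=g["proto"], src=g["src"],
        sport=int(g["sport"]) if g["sport"] else None,
        dst=g["dst"], dport=int(g["dport"]) if g["dport"] else None,
    )


def triage(line: str, my_ip: str) -> dict:
    """Which end of the flow was my_ip, who the remote peer is, and how to find
    the local process. The "source" of a TCP alert is the side that opened the
    connection, so a source-role alert means something on my_ip reached out."""
    a = parse_alert(line)
    if a.src == my_ip:
        role, remote, remote_port = "source", a.dst, a.dport
    elif a.dst == my_ip:
        role, remote, remote_port = "destination", a.src, a.sport
    else:
        role, remote, remote_port = "uninvolved", None, None

    lsof_cmd = None
    if remote is not None:
        # lsof -i takes [proto]@host[:port]; -n/-P suppress DNS and service
        # name lookups so the output shows the raw address and port.
        spec = f"{a.proto}@{remote}" + (f":{remote_port}" if remote_port else "")
        lsof_cmd = f"sudo lsof -nP -i{spec}"

    return {
        "sid": a.sid, "rev": a.rev, "signature": a.msg, "priority": a.priority,
        "role": role, "remote": remote, "remote_port": remote_port,
        "lsof_cmd": lsof_cmd,
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_ALERT, "10.0.0.23").items():
        print(f"{k:12} {v}")
```

The `lsof` command only shows the connection while it is open, so the way to pin down the process is to start whatever was running when the block arrived (here, the game client launched from Terminal in post #9) and run the command while it is connected. If the process that owns the socket is the game client, that confirms the false-positive reading in post #6; if it is something unexpected, that is what to take to the help desk. Either way, the `sid`/`rev` pair is what the school's IT department needs to check the rule that fired rather than the word "Trojan" in the message.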
  7. Dwayne82 macrumors member

    Joined:
    May 16, 2015
    Location:
    Switzerland
    #7
    Avast is good at scanning for viruses (it also scans for Windows viruses, because a Mac can be a carrier of Windows viruses and can affect Windows machines). Trojans could be found by Avast, but not necessarily. The malware scan finds those kinds of "infections" better.
     
  8. Ursadorable macrumors 6502

    Joined:
    Jul 9, 2013
    Location:
    The Frozen North
    #8
    AVAST is one of the worst AV packages out there, I've had to replace it on our corporate computers because it misses so much, and reports tons of false positives.
     
  9. Hypnosis thread starter macrumors member

    Joined:
    Jun 16, 2015
    #9
    That must be it. My roommate went on my MBP to log into his game account because his was being repaired at a computer shop. I got the message a few minutes after he got off. He launched the game's client through Terminal. It might have had to do something with that.

    I have to download Avast or Avira (as forced by my school) in order to gain WiFi access. Would Avira be better?
     
  10. duervo macrumors 68000

    Joined:
    Feb 5, 2011
    #10
    Use Avira Free. Avast, in addition to missing targets, is sort of a resource hog.
     
  11. Hypnosis thread starter macrumors member

    Joined:
    Jun 16, 2015
    #11
    Okay. Also I just got another email from the IT department. Another false positive. The same thing happened. Launched the game client and a few minutes later, I get kicked off. Do you have any idea why the game client is causing this? I've never heard of something like this before...
     
  12. duervo macrumors 68000

    Joined:
    Feb 5, 2011
    #12
    Probably against the TOS for the school network. It's pretty common to disallow gaming traffic on school networks. The security appliance could be incorrectly detecting the runescape traffic as Trojan-type too. When they told you to do the AV scan, they most likely just sent you a canned response, and didn't even examine the report any closer than seeing the word "Trojan" in the header.

    If you feel it is allowed, and they are blocking you inadvertently, then call their help desk and explain the situation to them. Tell them that their intrusion detection system appears to be misinterpreting traffic from runescape client on your system as a Trojan/malware.
     