So, a funny thing just happened.

I have my (personal) mac connected to the wired enterprise network and have for several months. Today, a couple of guys from IT came busting through the door saying that they were seeing a malware threat from a computer hardwired to the network that matched my computer's device name. Fair enough, let's take a look, I said.

Here's where I'm confused...

  1. The MAC addresses (their reported threat and my computer) didn't match.
  2. The malware they were seeing is win.trojan netwiredrc variant keepalive1
  3. I ran Malwarebytes for Mac and it didn't turn up anything
  4. I run AVG antivirus constantly to try to prevent things such as this

My questions are:

  1. Does this trojan even affect Macs?
  2. At the time they said they saw the report, I was running a Citrix instance to an application that is also hosted by my organization (the same IT group). Could this virtual machine have the above trojan? If so, would this explain why the MAC addresses didn't match but it still showed up as my computer name?
  3. Is this a false positive? If so, how do I convince the IT department of that so they'll allow me to connect to the wired network again?

Thanks in advance.

UPDATE (9/11/18): Over a year has passed and this issue happened again with the same result. AVG scan with no issues, Malwarebytes scan with no issues. The same trojan identified.

Can someone tell me the nuts and bolts of how these trojans are identified on a network scanner? In other words, is it looking for particular packets of information being passed through, or for patterns of activity?

Ryan

  • `win` probably means it's a Windows-specific malware they supposedly detected. Is your VM a Windows VM? Otherwise, I suspect it's a false positive, or at least incorrectly identified. – Alexander O'Mara Jun 05 '17 at 19:36
  • @AlexanderO'Mara yes, the VM is a Windows VM. – Ryan Jun 05 '17 at 19:37
  • Then I would be suspicious of the VM. I don't know how to confirm it though. – Alexander O'Mara Jun 05 '17 at 19:38
  • The VM can have its own MAC address for the virtual network adapter. Check that as well. Although MAC spoofing is pretty trivial in any case. https://en.wikipedia.org/wiki/MAC_spoofing – David Jun 05 '17 at 19:52
  • When I google for that malware name, three of the first five hits are forum posts about false positives. An up-to-date malware scanner should find this. If it doesn't, it probably is a false positive. You could always trash your VM and set it up fresh to feel safe. The malware shouldn't affect macOS systems. – Tom K. Sep 11 '18 at 12:49

1 Answer

I would avoid using the Windows VM until you've investigated further; a fresh install of Windows may be warranted. As for macOS receiving a Windows virus, it's unlikely unless you use a tool like Wine. I would run an anti-virus scan on both your macOS install as well as the Windows VM. It's important that you communicate with the IT staff and get the issue resolved; they are hired there to help you. Work with them to resolve the issue and networking can be restored.