
My dad received a suspicious email from our ISP (mtnl.net.in). The email was from noreply@mtnl.net.in and it had our user ID (I masked it as xxxxxxxx@a) in the email so it must have come from the ISP itself.

Email details below:

Subject:

"Intimation Regarding Malware/ Virus Infected Systems"

Body:

Dear Sir/Madam,
Greetings!
It is observed that your device connected with MTNL Mumbai broadband network with broadband number xxxxxxxx@a is infected with Malware. This is as per the analysis of Computer Emergency Response Team -INDIA (Cert-IN), under the Ministry of Electronics and Information Technology.
Malware (CNC) is unwanted software that is installed in users system without users consent while user is surfing on the Internet. An attacker or cybercriminal can remotely send commands to such systems which are compromised by malware. These compromised machines can be used to create powerful networks (botnet) of infected devices capable of carrying out distributed denial-of-service (DDoS) attacks, stealing data, deleting data or encrypting data in order to carry out an extortion scheme. The device becomes part of the botnet due to malware/virus installed on it.
To secure your devices , Kindly check your devices for malware/ botnet using Antivirus S/w.
For more information on malware/botnets and the counter measures kindly visit https://www.cyberswachhtakendra.gov.in. You can also download "Free botnet removal tools".
Thanks & Warm Regards,
MTNL, Mumbai


I extracted all links from the email and scanned them via the https://www.virustotal.com/ URL scanner but all were reported as safe.

Links:

Looking online there is a similar question on Quora but a different scenario.

NETWORK AT HOME

  • Two mobile phones (Android)
  • One laptop (Windows 10 with Avira antivirus)

QUESTION:

  • Can an ISP really detect this?

  • Should I act on this and what should I do?


To answer some of the questions:

  • Only the above 3 devices are connected to the wifi, no other IoT devices.
  • My parents are the only users ... so you can rule out TOR browsers or any inappropriate searches.
  • Also no VMs on the network.
  • I will try to contact the ISP but they are a government one and have very bad support.

Also after doing some more research it seems that Quick Heal has a tie up with MTNL and BSNL, both government providers, so there is a chance they might be just promoting Quick Heal.

Links: Link1 Link2 Link3

Personal note: I find it very odd that MTNL is actually taking trouble to find bots !!

Nigel Fds
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/98287/discussion-on-question-by-nigel-fds-received-email-from-isp-saying-one-of-my-dev). – Rory Alsop Sep 04 '19 at 16:15

10 Answers


Can an ISP really detect this?

The ISP can see all data your systems exchange with the internet (but not the plain text from encrypted data). Based on this he can detect botnets which often show typical behavior.

Should I action on this and what to do?

Yes, you should action on this since there seems to be malware in your network which is used to disturb other systems on the internet (sending spam mails, DDoS attacks, used as VPN to hide malicious activity and others) and which might also affect your internal network (infect computers, steal data, take data as ransom ...).

If you don't fix the problem you might also risk that the ISP restricts your network or even completely disconnects you from the internet (depending on the terms of service).

Based on the information you've provided it is impossible to say what exactly the problem is though. It might be that your laptop is infected (Antivirus do not offer 100% protection) or that one of your phones or that the router itself. It might also be other devices in your network you are not really aware of, like a TV, printer, IP camera or other IoT devices. And it might be also caused by software you have knowingly installed yourself, but which has a hidden malicious functionality you are not aware of.

The links they provided in the mail seem to be fine so that you can follow these for more information and for the offered botnet removal tool. But if you are in doubt if the mail really originated by your ISP please contact the ISP - it is impossible for us to see based on the information provided what the real origin of the mail is.

Steffen Ullrich
  • yaa but I find it very odd that MTNL is actually taking trouble to find bots ... – Nigel Fds Sep 01 '19 at 01:12
  • @NigelFds: Why do you find this odd? A botnet inside their customers' network means that malicious traffic is going out from the network of MTNL. This can affect their other (legal) services. For example mail providers might start to block this network since too much spam is sent which then might affect the sending of proper mail. – Steffen Ullrich Sep 01 '19 at 04:52
  • @SteffenUllrich because they are a government internet provider and have been known to not care in the past ... also I suspect they might be trying to promote Quickheal ... if u see the edit I made to my question – Nigel Fds Sep 01 '19 at 11:01
  • @NigelFds: It is true that they promote a **free** product which helps users to get rid of the infection. And yes, this will also likely promote the commercial product as a side effect. This kind of collaboration is actually not that unusual and is considered a win-win-win: both the ISP and the customer win if the malware is removed and the company providing the free product might win new customers for the commercial offering. Also, what would you consider a good alternative to deal with the botnet infection: just cut the customer off the internet until he fixes the problems on his own? – Steffen Ullrich Sep 01 '19 at 13:41
  • I have come across this message too. One more doubt is that, whether QuickHeal, since it's a third party product and not a government-owned one, will do what it is supposed to do, (heal)? Just that, or will it do anything extra (like collect data and keep it) or malicious ? The email makes one to suspect QuickHeal, although they might just be good samaritans. – Whirl Mind Sep 01 '19 at 16:35

This looks like a legitimate email.

Someone detected that a computer with an Indian IP address was part of a botnet. This was shared with your National CERT (CERT-In). In turn, as they didn't know which user had that IP address at the time it was detected, they notified your ISP, which in turn found out which customer was responsible of that connection and forwarded that notice to your father.

As you see, they are pointing you to a botnet clearinghouse set up by CERT-In on https://www.cyberswachhtakendra.gov.in/

The piece I miss from that notification is that they don't mention when the connection happened, whic.

If you wanted to verify their claim or get further information, I would recommend you to contact directly with CERT-In (the Contact Us link on https://cert-in.org.in/ provides their email addresses).

I miss from the notification that they sent you the time on which the malicious behavior was detected or at least the IP address you had at the time, which would make it difficult for them to find out which of the hundreds of similar alerts they sent out is the one received by your father. Although if you have had the same IP address for some time, it is likely they could find events for your current IP address (you would have to provide it to them in your request).

Given that -supposedly- in that home there are only one computer and two mobile phones, my suspicion is that the infected device is the laptop, so I would begin by running there the Bot Removal Tool they recommend on the Cyber Swachhta Kendra for disinfection, as it should be able to disinfect the malware they are warning about. And in case it found out nothing, then ask the CERT-In for more detail.

Ángel
  • also there is a possibility that MTNL are promoting quick heal , see my edit to the question – Nigel Fds Sep 01 '19 at 01:09
  • @NigelFds note that https://www.cyberswachhtakendra.gov.in/ (made by CERT-In, a Governmental organization) is linking to Quick Heal Bot removal tool, and Quick Heal claims «Developed in collaboration with "Cyber Swachhta Kendra" under Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics & IT». So no, I don't think it's MTNL wanting to promote Quick Heal. It is linked because it is what was linked from the original notification. Just like MTNL is not taking trouble to find bots, but CERT-In is, as it is their mandate (see their _What We Do_ section), just like other CERTs. – Ángel Sep 01 '19 at 13:39
  • @NigelFds I would use a reliable malware/botnet removal tool rather than a random one found online. Malwarebytes is a great one, but really anything which has corporate support behind it is a good choice. As an Indian, I can tell you that any software promoted by the Indian Government is not exactly the best way to go, as it's highly likely some shady deals were made in the process due to corruption :). Good luck! – vikarjramun Sep 01 '19 at 21:31

The email address from which you have received the mail seems genuine. The body of the mail also adds to the genuineness. However, senders' email addresses can be spoofed by using open mail relays. As per the Department of Telecom, port 25 must be blocked to reduce the surface area of spoofing, yet there are many open relays that are still live.

To confirm authenticity of mail, please copy the headers and see the reputation score of originating SMTP server. Reference to online tool , do not forget to delete your headers from this site after you have analyzed the source.

Alternatively you may call your ISP to confirm the authenticity of mail.

Now if your ISP has really sent this mail to you, request you to follow below steps for mitigating the issue.

  • Initiate a full malware scan on the laptop. You may use any one of these anti-malware tools: Trend Micro HouseCall, Malwarebytes, Avast. After the scan is completed, delete the detected files, if any.
  • Install the tool Process Explorer to see what processes are running on the laptop. You have a really good option in this tool to check whether a running process is malicious or not against VirusTotal (60+ anti-malware products). If any process is flagged as malicious, kill it, open its location on your local drive and delete it.
  • Check for any recently installed applications that you're not aware of, or that seem suspicious to you.
  • Have your phones scanned for malware as well, with anti-malware mobile applications.
  • Report the findings of the above steps to your ISP and ask them if they still see any botnet connections.

Hope the above solves your issue, if not, at least you would have given your ISP a head start in detecting the root cause of the malware.

schroeder
nocut
  • _"The email address from which you have received the mail seems genuine"_ There is no way to know the email address from which you have [really] received the mail (mainly because there is no such concept, besides the plain-text and trivially forgeable "From" field), so your opening line constitutes mistraining – Lightness Races in Orbit Sep 01 '19 at 15:57
  • @LightnessRacesinOrbit : I think, that's why, "seems" has been used, instead of "is". :-) – Whirl Mind Sep 01 '19 at 16:41
  • @LightnessRacesinOrbit : checking the full header might reveal what servers that mail went through, such things are much more difficult to spoof than the "from" field. – vsz Sep 01 '19 at 16:55
  • @vsz Yes, that would be a good part of an analysis. However, that's unconnected to the sentence that nocut deployed. – Lightness Races in Orbit Sep 01 '19 at 17:52
  • Note that code formatting should only be used for *code*, not for technical terms in general. See [Highlighting technical words](https://meta.stackexchange.com/questions/155904/highlighting-technical-words) on [meta.se]. – Charles Duffy Sep 01 '19 at 20:57
  • Open relays are not the only way to spoof. I'm not sure why you are focusing on this part. I'm also not sure why it is included in an answer to this question. In fact, your answer would be greatly improved be removing the entire first paragraph. – schroeder Sep 02 '19 at 06:42
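The header check nocut and vsz describe (trace the Received chain, then read the SPF/DKIM results and see whether the authenticated domain matches the visible From) written out as an added example; this is not code from the answer. It assumes constructed sample headers using documentation hostnames and IP ranges, and a recipient MX named `mx.recipient.example`.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample headers (not the OP's real message); hosts and IPs use
# documentation names/ranges. Newest Received header is on top, as delivered.
RAW_MAIL = """\
Received: from mail.isp.example (mail.isp.example [198.51.100.25])
\tby mx.recipient.example with ESMTPS; Sun, 1 Sep 2019 01:02:03 +0530
Received: from app01.isp.example (app01.isp.example [10.0.0.12])
\tby mail.isp.example with ESMTP; Sun, 1 Sep 2019 01:02:01 +0530
Authentication-Results: mx.recipient.example;
\tspf=pass smtp.mailfrom=isp.example; dkim=pass header.d=isp.example
From: noreply@isp.example
To: customer@recipient.example
Subject: Intimation Regarding Malware/ Virus Infected Systems

Dear Sir/Madam, ...
"""

HOP_RE = re.compile(r"from\s+(\S+)\s+\([^\[\]]*\[([\d.]+)\]\)\s+by\s+(\S+)")
AUTH_RE = re.compile(r"\b(spf|dkim)=(\w+)")
DOMAIN_RE = re.compile(r"(?:smtp\.mailfrom|header\.d)=([\w.-]+)")


def unfold(value):
    """Collapse folded header continuation lines into single spaces."""
    return " ".join(str(value).split())


def received_hops(msg):
    """Return (from_host, ip, by_host) per Received header, newest first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(unfold(value))
        if m:
            hops.append(m.groups())
    return hops


def assess(raw, my_mx="mx.recipient.example"):
    """Summarise what a header check can establish about one message."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Only the hop that *our* MX recorded is trustworthy: every Received line
    # below it was written on the sender's side and can be fabricated.
    handoff = next((h for h in received_hops(msg) if h[2] == my_mx), None)
    auth = unfold(msg.get("Authentication-Results", ""))
    results = dict(AUTH_RE.findall(auth))
    auth_domains = {d.lower() for d in DOMAIN_RE.findall(auth)}
    return {
        "from_domain": from_domain,
        # The address to look up in reputation lists / RBLs
        "handoff_ip": handoff[1] if handoff else None,
        "spf": results.get("spf"),
        "dkim": results.get("dkim"),
        # SPF/DKIM only vouch for the sender if the domain they authenticated
        # is the one the reader actually sees in From:
        "aligned": bool(auth_domains) and auth_domains == {from_domain},
    }
```

A pass result with `aligned` false means some domain was authenticated, just not the one shown in From, which is exactly the case a spoofed notification would produce.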

You should take this mail seriously.

There is no reason not to investigate your network for malware. (You don't need to click their links or download their tools for that, find your own from reputable sources or investigate them first.)

The only suspect information I can see in the mail is the omission of a specific threat/malware. That makes finding and removing it very hard for the average end-user.

Despite that, I believe it's legit.

Since the mail is referencing Cert-IN (https://cert-in.org.in/) you can check on their website for recent alerts, their mail is likely referencing a recently discovered threat, so you can look for these.

Since you say "devices are connected to the wifi", there could be a slight chance it's not any of your devices being infected... but if that were the case, you'd still have a problem.

Why would they take the trouble to notify you?

Historically, ISPs were very lax about this, but with malware and botnets becoming an ever-increasing threat, the international community is becoming more forceful with ISPs to inform and sensibilize their customers, or being subjected to a bad reputation themselves.

Why would they take the trouble to find bots?

Often, it is not the ISP who finds the bots, but some Malware analysts and investigators -- such as Cert-IN -- tracking down C&C (command and control) server infrastructure, or bot communications, and then finding infected peers and informing ISPs of those IP addresses, who then have the information (IP address to ISP customer lookup) to be able to inform their customers.

You could read some interesting blog posts from malware analysts to get a better understanding of this:

nyov

Is this a joke?

This is 100% a malicious email.

The (Too happy) language, as well as trying to explain to a user what a 'botnet' is, throwing random scary things such as extortion and encryption, then asking the user to search for 'free virus removal' software and run it.

Yeah, great idea! (no, it's an awful idea).

Dog
  • Other answers have executed a proper analysis of the email (and come to the opposite conclusion). You're just falling foul of cultural biases, then mocking everybody as a result. You don't really appear to be adding anything of value to the conversation. – Lightness Races in Orbit Sep 01 '19 at 15:59
  • @LightnessRacesinOrbit The contact is by unsolicited email. *That's all you need to know*. If that's not enough, look for the personal customization you would expect to find from a bona-fide vendor who has your details, such as "Dear ". Not there. No instructions to self-navigate to the sender's help page, just an out-of-the-blue *hotlinked* link to an *external* site. And the clickURL may be different from the displayed URL (and that info may not have cut-n-pasted). – Harper - Reinstate Monica Sep 02 '19 at 00:44
  • @Harper I'm not saying you shouldn't be suspicious of this mailing (I sure would be) - I'm saying the statement "This is 100% a malicious email" is not just lacking in proof, but actually has been proven incorrect. – Lightness Races in Orbit Sep 02 '19 at 09:49
  • The style and grammar of the email is perfectly consistent (better, even) with the style and grammar used by the Indians I work with. – RonJohn Sep 02 '19 at 19:42

There's nothing in that e-mail that would be of use to a black hat, thus it's almost certainly legitimate. You've got something on your system that's either attempting to infect other systems or it's communicating with a known botnet command-and-control server and I would think the former scenario is far more likely.

Loren Pechtel

The email seems legit. But it could have been written by someone who may have worked for an ISP or other tech companies previously. If you said the customer service is bad there, you probably won’t be able to call them to confirm if they sent that email or not.

At any rate, don’t click on any of the links in the email, and do follow the advice of the other people above about scanning your systems. Being cautious about it would be a good idea, but I personally think that it is not legit.

SeeYouInDisneyland

Try calling your ISP to confirm. It looks suspicious just in the fact it's an unsolicited email without any personalisation or information about you which they should have if they're legitimately your ISP.

They wouldn't bother monitoring their customer's devices to track malware, that's not their job.

  • I strongly disagree on that last statement. In many countries, for example the Netherlands (where I work for an ISP), an ISP has a legal duty to protect and look after their customers. *If* they are aware of malicious activity because they either observed traffic or were notified by a trusted reporter (like shadowserver), they are obligated to inform their customers. – Teun Vink Sep 02 '19 at 13:58
  • Nothing in that email really implied that the sender _directly_ detected anything, far more likely is that they were handed a list of IP's from another body. – Mike Brockington Sep 02 '19 at 14:18

Can an ISP really detect this?

One comment regarding this question. It is possible an ISP got a complaint and is forwarding it to you as the subscriber.

I review my server log files for suspicious activity, like attempts to access php admin. When I see it, I have a script that sends an email to the abuse department of the ISP based on the IP address. The email includes the relevant log entries based on the IP address. I ask the ISP to control their customer, and ask them to stop trying to break into my machines.

In this case the ISP is not monitoring your connection or MitM'ing your sessions. They are simply reacting to a complaint.
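The kind of script this answer describes, as an added example rather than the answerer's own code: it picks admin-panel probes out of Apache-style access-log lines, groups them by source address, and formats the evidence for the abuse desk. The log lines are constructed, the IPs are documentation ranges, and `abuse_contact` is assumed to come from a separate WHOIS/RDAP lookup.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache combined format); the source
# addresses are documentation ranges, not real offenders.
ACCESS_LOG = """\
203.0.113.7 - - [01/Sep/2019:00:10:01 +0530] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Sep/2019:00:10:02 +0530] "GET /pma/index.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Sep/2019:00:11:15 +0530] "GET /index.html HTTP/1.1" 200 1043 "-" "curl/7.64.1"
203.0.113.7 - - [01/Sep/2019:00:10:03 +0530] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Sep/2019:00:12:40 +0530] "POST /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 196 "-" "python-requests/2.22.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Paths nobody legitimately requests on this host: classic admin-panel probes.
PROBE_RE = re.compile(r"/(phpmyadmin|pma|myadmin|wp-login\.php|xmlrpc\.php)", re.IGNORECASE)


def suspicious_by_ip(log_text, threshold=2):
    """Group probe requests by source IP; keep only IPs with >= threshold hits.

    The threshold stops a single stray request from being reported as abuse.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and PROBE_RE.search(m.group("path")):
            hits[m.group("ip")].append(line)
    return {ip: lines for ip, lines in hits.items() if len(lines) >= threshold}


def abuse_report(ip, lines, abuse_contact, reporter="webmaster@server.example"):
    """Plain-text report for the ISP's abuse desk, with the raw evidence lines.

    abuse_contact is assumed to come from a WHOIS/RDAP lookup of ip (not done here).
    """
    header = [
        f"To: {abuse_contact}",
        f"From: {reporter}",
        f"Subject: Admin-panel probing from {ip}",
        "",
        f"{ip} made {len(lines)} requests for admin paths that do not exist on",
        "this server. Please investigate the customer behind this address.",
        "Log excerpt (server time, UTC+05:30):",
        "",
    ]
    return "\n".join(header + lines) + "\n"
```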


Maybe. But Don't click that link!

Sure. The folks here have ground through the details and everything seems legit.

But that would also be true of any competent phish. We have gotten spoiled, seeing incompetent phishes so often. But speaking of that, note the email's salutation -- Where is OP's proper name, which the ISP should certainly know? As for the account number you XXX'd, that looks like something derivable from the email address.

A big part of people's confidence is not seeing a payload. The displayed URL matches the hover/click URL here on StackExchange's cut-pasted copy, because StackExchange saw a plain text URL and made it hot.

I for one have no confidence in a scanner that declares a list of URLs safe; how would it know? It can't detect a cracker merely knowing a site's password. Its mechanism for knowing is sure to have some delay. If I hacked a website, I would not make any apparent changes until I was ready to blast the email.

I'll go one step further. Analyzing an email to this degree isn't worthwhile, because it doesn't "scale". You can't afford this scrutiny for every email.

Do contact your ISP - through independent channels

Do not use any contact information found in the email. Use contact info you arrive at independently, e.g. off their legit website.

The letter might be true - is fairly likely true - and you do need to follow up. The ISP can tell you either a) whether it's legit, or b) what measures to take prophylactically (as a precaution) in case it's legit.

Don't forget IoT devices

That could be anything from a child's toy to a smart switch to an IP camera. A great many of them actually have a mini Unix system onboard, with standard IP sIf they are capable of getting on Wifi, they can be hacked and do malicious things on the Internet (as a side activity to their normal tasks).