AISI Malware report

If you’ve recently received an AISI notification from SkyMesh about a potential malware infection, don’t panic. The email you received would have contained information about the type of malware detected on your network and a link to this guide. The email is legitimate, and you should take steps to secure your network. This guide will help you to do just that. Most fixes for malware infections are very straightforward: you should use your antivirus software to scan your computer and remove threats.

It’s important to know that some malware strains will not be removed by antivirus software, while others will infect different types of devices, not just your computer. When reading these descriptions, look for the “what to do” section.

Conficker

Conficker can disable services on your computer, making it vulnerable to further compromise. If you have received a notification about Conficker you may also have other malware infections.

What to do: You should scan your computer with a trusted anti-virus program to remove this malware.

Esfury

Esfury can be transmitted by removable drives. This malware can change your home page, system security settings, firewall settings, security alerts, autorun settings and hosts file, and can hide files on your system.

What to do: You should scan your computer with a trusted anti-virus program to remove this malware.
After you’ve removed the malware, you may need to make a number of changes to your computer to return it to the way it was configured before being infected, or you may need to speak to a computer technician.

Generic Bot

This means that CERT Australia has a reliable indicator that the connection in question is compromised, but at the time of reporting was unable to attribute the malware to a specific malware family.

What to do: You should scan your computer with a trusted anti-virus program to remove this malware. If you receive additional AISI notifications, check to see if the bot has been identified.

Marcher

Marcher is a type of malware that specifically targets Android devices. This notification doesn’t refer to a computer on your network, but it does mean that an Android phone or tablet infected with the Marcher malware was connected to your wireless network recently. These applications can steal banking and other financial credentials by substituting the genuine authentication fields within banking apps on the Android device with their own fake fields. The credentials entered are then recorded and sent to malicious actors. Marcher malware is generally installed through software obtained from untrusted sources, not from trusted sources such as Google Play.

What to do: If you have an Android tablet, the best way forward is to contact the manufacturer of that device for support. If you have an Android phone, we recommend contacting your mobile phone service provider for support before contacting the manufacturer.

Mirai

Mirai is a trojan that targets ‘Internet of Things’ (IoT) devices – such as routers, webcams, printers and digital video recorders – that are ‘open’ to the internet and use weak or default passwords. Once a device is infected it can be used for many tasks, including Distributed Denial of Service (DDoS) attacks.

What to do: The best way to combat this malware is to power off any of your Internet-connected devices and disconnect them from the Internet. When you power the device back on, change the password for that device to a secure, safe password that only you know. After the new password has been set, it should be safe to re-connect the device to the Internet.

njRAT

njRAT can log keystrokes, download and execute files, steal application credentials and access the infected device’s camera and microphone. One njRAT variant can also detect whether a removable storage device such as a USB drive is connected to a computing device. If so, it attempts to copy itself to the device in the hope of spreading to more devices.

What to do: You should scan your computer with a trusted anti-virus program to remove this malware. Your removable drives may also have been infected and should be scanned and formatted. Because njRAT records your keystrokes, you should change your passwords.

Ramnit

Ramnit is known to evade firewalls and other detection mechanisms by injecting itself into running processes, such as svchost.exe and iexplore.exe. It may modify the registry to ensure that it starts on boot. It uses a custom protocol on TCP port 443 for command and control (C&C).

What to do: Ramnit may require specialised tools or a full reformat to remove. If your current antivirus software has not removed Ramnit, you may need to take your computer to a trusted computer repair technician to have it removed.

Rovnix

Rovnix is predominantly a banking trojan that can be used to steal credentials and allow remote ‘backdoor’ access to your computer. It may be difficult to detect due to its stealth capabilities.

What to do: You should scan your computer with a trusted anti-virus program to remove this malware. If you cannot find and remove Rovnix, you may need to speak to a trusted computer repair technician to have the malware removed.

Sphinx

Sphinx is a Zeus-based banking trojan variant that enables the attacker to modify internet banking and payment services.

What to do: You should scan your computer with a trusted anti-virus program to remove this malware. Because this is a banking trojan, you should change your password and contact your bank.

Zeus

Zeus is a banking trojan that enables the attacker to modify internet banking and payment services.

What to do: You should scan your computer with a trusted anti-virus program to remove this malware. Because this is a banking trojan, you should change your banking password and contact your bank.

The emails will keep coming from the AISI until the problem is resolved. The emails usually arrive a day or two after the virus is detected by CERT Australia.

We don’t look at the messages; we just pass them on. Based on past performance, however, we’ve found them to be very accurate. If the AISI says a computer on your Internet connection has a virus, we believe them.

Once you have removed the virus, you may still get a few emails that were sent prior to the virus being removed. It’s a good idea to check the detection date halfway through the AISI email. The date and time are in UTC (GMT+0), so you need to add the hours that correspond to your local time zone.
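The check described above (convert the UTC detection time to local time, then compare it with when you finished cleaning up) as a small added Python example. This is not code from SkyMesh or the AISI; the timestamp layout and the sample values are constructed, since the page does not show the exact email format. You pass the UTC offset for your zone on that date (for example +10 for AEST, +11 for AEDT, +9.5 for ACST, +8 for AWST).

```python
from datetime import datetime, timedelta, timezone

# Constructed sample values. The AISI email's real layout is not shown on the page, so
# the "YYYY-MM-DD HH:MM:SS" format used here is an assumption. Detection times are in UTC.
SAMPLE_DETECTION_UTC = "2023-05-14 13:20:00"
SAMPLE_CLEANUP_LOCAL = "2023-05-15 09:00:00"   # when your scan and cleanup finished, local time

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def detection_to_local(detection_utc: str, utc_offset_hours: float) -> datetime:
    """Convert an AISI detection time (UTC) to local time by adding the local UTC offset.

    utc_offset_hours is the offset for your zone on that date: +10 for AEST, +11 for AEDT,
    +9.5 for ACST, +8 for AWST. Remember that daylight saving changes the offset.
    """
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    detected = datetime.strptime(detection_utc, TIME_FORMAT).replace(tzinfo=timezone.utc)
    return detected.astimezone(local_tz)


def notification_is_stale(detection_utc: str, cleanup_local: str, utc_offset_hours: float) -> bool:
    """Return True when the detection happened before the cleanup finished.

    A stale notification was generated before the malware was removed and should stop on
    its own. A detection after the cleanup means the infection is still active, or another
    device on the same connection is infected, and needs further attention.
    """
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    detected = detection_to_local(detection_utc, utc_offset_hours)
    cleaned = datetime.strptime(cleanup_local, TIME_FORMAT).replace(tzinfo=local_tz)
    return detected < cleaned


if __name__ == "__main__":
    local = detection_to_local(SAMPLE_DETECTION_UTC, 10)
    print("Detected at", local.strftime(TIME_FORMAT), "local time (UTC+10)")
    print("Stale notification:", notification_is_stale(SAMPLE_DETECTION_UTC, SAMPLE_CLEANUP_LOCAL, 10))
```

With the sample values, a detection at 13:20 UTC on 14 May is 23:20 AEST the same day, which is before the 09:00 cleanup on 15 May, so that notification is stale; a detection at 00:30 UTC on 15 May is 10:30 AEST, after the cleanup, and means the problem is not resolved.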

If you have any questions or concerns or need clarification, please email support@skymesh.com.au or call us on 1300 759 637.

Descriptions for each of these malware types would not have been possible without information provided by CERT Australia and the Joint Cyber Security Centre.

You can read about the AISI’s daily malware observations here.
