Received email from ISP saying one of my devices has malware

My dad received a suspicious email from our ISP (mtnl.net.in). The email was from noreply@mtnl.net.in and it had our user ID (I masked it as xxxxxxxx@a) in the email so it must have come from the ISP itself.

Email details below:

Subject:

"Intimation Regarding Malware/ Virus Infected Systems"

Body:

Dear Sir/Madam,
Greetings!
It is observed that your device connected with MTNL Mumbai broadband network with broadband number xxxxxxxx@a is infected with Malware. This is as per the analysis of Computer Emergency Response Team -INDIA (Cert-IN), under the Ministry of Electronics and Information Technology.
Malware (CNC) is unwanted software that is installed in users system without users consent while user is surfing on the Internet. An attacker or cybercriminal can remotely send commands to such systems which are compromised by malware. These compromised machines can be used to create powerful networks (botnet) of infected devices capable of carrying out distributed denial-of-service (DDoS) attacks, stealing data, deleting data or encrypting data in order to carry out an extortion scheme. The device becomes part of the botnet due to malware/virus installed on it.
To secure your devices , Kindly check your devices for malware/ botnet using Antivirus S/w.
For more information on malware/botnets and the counter measures kindly visit https://www.cyberswachhtakendra.gov.in. You can also download "Free botnet removal tools".
Thanks & Warm Regards,
MTNL, Mumbai


I extracted all links from the email and scanned them via the https://www.virustotal.com/ URL scanner but all were reported as safe.

Links:

  • http://www.cert-in.org.in/
  • https://www.cyberswachhtakendra.gov.in/
  • https://www.quickheal.co.in/bot-removal-tool
  • http://mtnlmumbai.in/index.php/broadband/triband/promotional-plans#unlimited-high-speed-plans
  • https://selfcare.mtnl.net.in/mumbai/TribandRegistrationInstn.aspx

Looking online, there is a similar question on Quora, but with a different scenario.

NETWORK AT HOME

  • Two mobile phones (Android)
  • One laptop (Windows 10 with Avira antivirus)

QUESTION:

  • Can an ISP really detect this?

  • Should I act on this and what should I do?


To answer some of the questions:

  • Only the above 3 devices are connected to the wifi, no other IoT devices.
  • My parents are the only users ... so you can rule out TOR browsers or any inappropriate searches.
  • Also no VMs on the network.
  • I will try to contact the ISP but they are a government one and have very bad support.

Also, after doing some more research, it seems that Quick Heal has a tie-up with MTNL and BSNL, both government providers, so there is a chance they might just be promoting Quick Heal.

Links: Link1 Link2 Link3

Personal note: I find it very odd that MTNL is actually taking trouble to find bots !!

Comments:
  • Note that your ISP usually knows your name; if this is missing from the email, you should doubt the validity of the mail – Ferrybig yesterday
  • I read the initial "Dear Sir/Madam," and assumed this was just spam/some sort of scam, but apparently this address is actually used in legitimate mails in India... – R.. yesterday
  • @Mirsad: Why would playing around with VMs get you blocked by your ISP? – Sean 18 hours ago
  • @Sean, running malware in a VM. – Mirsad 17 hours ago
  • I would distrust any email with so many grammar errors. – Boann 12 hours ago

5 Answers

Can an ISP really detect this?

The ISP can see all data your systems exchange with the internet (but not the plaintext of encrypted data). Based on this, it can detect botnets, which often show typical behavior.

Should I act on this, and what should I do?

Yes, you should act on this, since there seems to be malware in your network which is being used to disturb other systems on the internet (sending spam mails, DDoS attacks, acting as a VPN to hide malicious activity, and others) and which might also affect your internal network (infecting computers, stealing data, holding data to ransom ...).

If you don't fix the problem you might also risk that the ISP restricts your network or even completely disconnects you from the internet (depending on the terms of service).

Based on the information you've provided it is impossible to say what exactly the problem is though. It might be that your laptop is infected (Antivirus do not offer 100% protection) or that one of your phones or that the router itself. It might also be other devices in your network you are not really aware of, like a TV, printer, IP camera or other IoT devices. And it might be also caused by software you have knowingly installed yourself, but which has a hidden malicious functionality you are not aware of.

The links they provided in the mail seem to be fine so that you can follow these for more information and for the offered botnet removal tool. But if you are in doubt if the mail really originated by your ISP please contact the ISP - it is impossible for us to see based on the information provided what the real origin of the mail is.

Comments:
  • I really think you mean "not aware of", not "now aware of". – Loren Pechtel 18 hours ago
  • @LorenPechtel: you are correct. I've fixed it. Thank you. – Steffen Ullrich 17 hours ago
  • yaa but I find it very odd that MTNL is actually taking trouble to find bots ... – Nigel Fds 15 hours ago
  • @NigelFds: Why do you find this odd? A botnet inside their customers' network means that malicious traffic is going out from the network of MTNL. This can affect their other (legal) services. For example, mail providers might start to block this network since too much spam is sent, which then might affect the sending of proper mail. – Steffen Ullrich 11 hours ago
  • @SteffenUllrich because they are a government internet provider and have been known to not care in the past ... also I suspect they might be trying to promote Quick Heal ... if u see the edit I made to my question – Nigel Fds 5 hours ago
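As an added illustration of the "typical behavior" the answer above refers to (this is example code, not part of the original answer), here is a toy beaconing detector in Python run over constructed NetFlow-style records. A bot polling its command-and-control server tends to contact the same host at a regular interval with small payloads, which stands out against ordinary browsing even when the payload itself is encrypted. The record layout, the sample hosts and the thresholds are all assumptions for the example, not any ISP's real export format or detection rule.

```python
"""Toy beaconing detector over NetFlow-style records (added example).

The flow records are constructed for illustration; the field layout
(timestamp, src, dst, dst_port, bytes) and the thresholds are assumptions,
not any ISP's real export format or detection rule.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (epoch_seconds, src_ip, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    # 10.0.0.5: ordinary browsing, irregular timing, varied destinations
    (0, "10.0.0.5", "93.184.216.34", 443, 48210),
    (37, "10.0.0.5", "142.250.74.36", 443, 120003),
    (301, "10.0.0.5", "151.101.1.69", 443, 9810),
    (1450, "10.0.0.5", "104.16.132.229", 443, 230011),
    # 10.0.0.7: same destination every ~300 s with tiny payloads, the
    # check-in pattern of a bot polling its command-and-control server
    (10, "10.0.0.7", "203.0.113.50", 8080, 312),
    (311, "10.0.0.7", "203.0.113.50", 8080, 298),
    (609, "10.0.0.7", "203.0.113.50", 8080, 305),
    (912, "10.0.0.7", "203.0.113.50", 8080, 311),
    (1210, "10.0.0.7", "203.0.113.50", 8080, 301),
    (1508, "10.0.0.7", "203.0.113.50", 8080, 299),
]


def find_beacons(flows, min_conns=5, max_jitter=0.2, max_bytes=1024):
    """Return {(src, dst, port): (mean_gap_seconds, jitter)} for flows that
    look like C2 check-ins.

    A (src, dst, port) triple is flagged when it has at least min_conns
    connections, the inter-arrival gaps are regular (coefficient of
    variation stddev/mean below max_jitter) and the mean payload is small
    (below max_bytes). Real detectors add allow-lists for known pollers
    such as NTP, update checkers and chat clients, which beacon too.
    """
    by_triple = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        by_triple[(src, dst, port)].append((ts, nbytes))

    hits = {}
    for triple, events in by_triple.items():
        if len(events) < min_conns:
            continue
        events.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
        mean_gap = mean(gaps)
        if mean_gap <= 0:
            continue
        jitter = pstdev(gaps) / mean_gap
        mean_bytes = mean(n for _, n in events)
        if jitter <= max_jitter and mean_bytes <= max_bytes:
            hits[triple] = (round(mean_gap, 1), round(jitter, 3))
    return hits


if __name__ == "__main__":
    for (src, dst, port), (gap, jitter) in find_beacons(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}:{port} every {gap}s (jitter {jitter})")
```

On the sample data only the 10.0.0.7 to 203.0.113.50:8080 triple is reported, with a mean gap of about 300 s and near-zero jitter; the browsing flows from 10.0.0.5 never repeat a destination often enough to qualify. An ISP sees the same signal at scale, and a destination that is already on a C2 blocklist makes the call trivial.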

The email address from which you have received the mail seems genuine. The body of the mail also adds to its genuineness. However, senders' email addresses can be spoofed using open mail relays. As per the Department of Telecom, port 25 must be blocked to reduce the surface area for spoofing, yet many open relays are still live.

To confirm the authenticity of the mail, copy the headers and check the reputation score of the originating SMTP server. Reference to online tool; do not forget to delete your headers from this site after you have analyzed the source.

Alternatively you may call your ISP to confirm the authenticity of mail.

Now, if your ISP has really sent this mail to you, please follow the steps below to mitigate the issue.

  • Initiate a full malware scan on the laptop. You may use any one of these anti-malware tools: Trend Micro HouseCall, Malwarebytes, Avast. After the scan is completed, delete the detected files, if any.
  • Install the tool Process Explorer to see what processes are running on the laptop. It has a really good option to check whether a running process is malicious against VirusTotal (60+ anti-malware engines). If any process is flagged as malicious, kill it, open its location on your local drive and delete it.
  • Check for any recently installed applications that you are not aware of or that seem suspicious to you.
  • Have your phones scanned for malware as well, with anti-malware mobile applications.
  • Report the findings of the above steps to your ISP, and ask them if they still see any botnet connections.

Hope the above solves your issue; if not, at least you will have given your ISP a head start in detecting the root cause of the malware.

Comments:
  • "The email address from which you have received the mail seems genuine" There is no way to know the email address from which you have [really] received the mail (mainly because there is no such concept, besides the plain-text and trivially forgeable "From" field), so your opening line constitutes mistraining – Lightness Races in Orbit 36 mins ago
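The header check suggested in this answer, and the objection in the comment that the From address proves nothing, can both be made concrete. The Python below is an added example (not from the original answer or any tool it links to): it walks the Received chain newest-first to find the relay that actually connected to the recipient's provider, which is the IP whose reputation is worth looking up, and it reads the SPF/DKIM/DMARC verdicts only from the Authentication-Results header stamped by that provider's own MX. RAW_MESSAGE is a constructed sample; every host name, address and relay hop in it is fictitious, and the trailing Authentication-Results line claiming a foreign authserv-id is included deliberately to show that a sender-inserted verdict is ignored.

```python
"""Locate the originating SMTP relay in an email's Received chain and read
the SPF/DKIM/DMARC verdicts from Authentication-Results (added example).

RAW_MESSAGE is a constructed sample; every host name and address in it is
fictitious (documentation ranges), as is the whole relay path. Standard
library only.
"""
import email
import ipaddress
import re

RAW_MESSAGE = """\
Received: from mx.example-mailbox.test ([203.0.113.5])
\tby imap.example-mailbox.test with LMTP; Mon, 3 Jun 2019 10:00:06 +0530
Received: from mail.example-isp.test (mail.example-isp.test [192.0.2.10])
\tby mx.example-mailbox.test with ESMTPS id abc123
\tfor <user@example-mailbox.test>; Mon, 3 Jun 2019 10:00:05 +0530
Received: from relay.example-isp.test (relay.example-isp.test [192.0.2.7])
\tby mail.example-isp.test with ESMTP; Mon, 3 Jun 2019 10:00:03 +0530
Received: from app-server (unknown [198.51.100.23])
\tby relay.example-isp.test with SMTP; Mon, 3 Jun 2019 10:00:01 +0530
Authentication-Results: mx.example-mailbox.test;
\tspf=pass smtp.mailfrom=noreply@example-isp.test;
\tdkim=none;
\tdmarc=pass header.from=example-isp.test
Authentication-Results: attacker.test; spf=pass dkim=pass dmarc=pass
From: noreply@example-isp.test
To: user@example-mailbox.test
Subject: Intimation Regarding Malware/ Virus Infected Systems

Dear Sir/Madam,
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_message(raw):
    return email.message_from_string(raw)


def received_hops(msg):
    """Received headers newest-first as (claimed_host, connecting_ip).

    Each relay prepends its own Received line, so the top line was written
    by your own provider and the bottom one is the sender's own claim.
    """
    hops = []
    for raw in msg.get_all("Received", []):
        line = " ".join(raw.split())          # unfold continuation lines
        host = re.match(r"from\s+(\S+)", line)
        ip = IPV4_IN_BRACKETS.search(line)
        hops.append((host.group(1) if host else None,
                     ip.group(1) if ip else None))
    return hops


def originating_relay(msg, own_networks):
    """First hop below your own provider's infrastructure: the host that
    actually connected to your MX. Its IP is the one to look up for
    reputation. Everything beneath it in the chain was written by the
    sender's side and can be forged freely."""
    nets = [ipaddress.ip_network(n) for n in own_networks]
    for host, ip in received_hops(msg):
        if ip is None:
            continue
        if any(ipaddress.ip_address(ip) in net for net in nets):
            continue
        return host, ip
    return None


def auth_results(msg, expected_authserv):
    """SPF/DKIM/DMARC verdicts from the Authentication-Results header stamped
    by expected_authserv (your provider's MX). Headers claiming any other
    authserv-id are ignored: a sender can insert its own forged line."""
    verdicts = {}
    for raw in msg.get_all("Authentication-Results", []):
        line = " ".join(raw.split())
        authserv, _, rest = line.partition(";")
        if authserv.strip() != expected_authserv:
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest):
            verdicts[method] = result
    return verdicts


if __name__ == "__main__":
    msg = parse_message(RAW_MESSAGE)
    for host, ip in received_hops(msg):
        print(f"hop: {host} [{ip}]")
    print("originating relay:", originating_relay(msg, ["203.0.113.0/24"]))
    print("verdicts:", auth_results(msg, "mx.example-mailbox.test"))
```

With the constructed headers the originating relay resolves to mail.example-isp.test at 192.0.2.10, and the trusted verdicts are spf=pass, dkim=none, dmarc=pass; the forged attacker.test line contributes nothing. For a real message, paste your own provider's MX ranges into own_networks and its authserv-id into expected_authserv, then check whether the relay IP belongs to the ISP that the From address claims, which is the question the answer's reputation lookup is really asking.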

This looks like a legitimate email.

Someone detected that a computer with an Indian IP address was part of a botnet. This was shared with your National CERT (CERT-In). In turn, as they didn't know which user had that IP address at the time it was detected, they notified your ISP, which in turn found out which customer was responsible for that connection and forwarded that notice to your father.

As you see, they are pointing you to a botnet clearinghouse set up by CERT-In on https://www.cyberswachhtakendra.gov.in/

The piece I miss from that notification is that they don't mention when the connection happened.

If you wanted to verify their claim or get further information, I would recommend contacting CERT-In directly (the Contact Us link on https://cert-in.org.in/ provides their email addresses).

I miss from the notification the time at which the malicious behavior was detected, or at least the IP address you had at the time; without it, it would be difficult for them to find out which of the hundreds of similar alerts they sent out is the one received by your father. Although, if you have had the same IP address for some time, it is likely they could find events for your current IP address (you would have to provide it to them in your request).

Given that, supposedly, in that home there are only one computer and two mobile phones, my suspicion is that the infected device is the laptop, so I would begin by running there the Bot Removal Tool they recommend on the Cyber Swachhta Kendra for disinfection, as it should be able to disinfect the malware they are warning about. And in case it finds nothing, then ask CERT-In for more detail.

Comments:
  • also there is a possibility that MTNL are promoting Quick Heal, see my edit to the question – Nigel Fds 15 hours ago
  • @NigelFds note that cyberswachhtakendra.gov.in (made by CERT-In, a Governmental organization) is linking to Quick Heal Bot removal tool, and Quick Heal claims «Developed in collaboration with "Cyber Swachhta Kendra" under Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics & IT». So no, I don't think it's MTNL wanting to promote Quick Heal. It is linked because it is what was linked from the original notification. Just like MTNL is not taking trouble to find bots, but CERT-In is, as it is their mandate (see their What We Do section), just like other CERTs. – Ángel 2 hours ago

There's nothing in that e-mail that would be of use to a black hat, thus it's almost certainly legitimate. You've got something on your system that's either attempting to infect other systems or it's communicating with a known botnet command-and-control server and I would think the former scenario is far more likely.


Is this a joke?

This is 100% a malicious email.

The (Too happy) language, as well as trying to explain to a user what a 'botnet' is, throwing random scary things such as extortion and encryption, then asking the user to search for 'free virus removal' software and run it.

Yeah, great idea! (no, it's an awful idea).

Comments:
  • Other answers have executed a proper analysis of the email (and come to the opposite conclusion). You're just falling foul of cultural biases, then mocking everybody as a result. You don't really appear to be adding anything of value to the conversation. – Lightness Races in Orbit 34 mins ago
