Zyxel Command Injection CVE-2023-28771


    Topic #2566293

    I am not sure this is the correct forum, but didn’t see anything more specific.

    This week I began getting intrusion alerts from my antivirus program that the Zyxel malware (see topic for full name) had tried to attack my computer through UDP, port 500, from a computer with an address that starts with 109.207 and 8 more numbers. These occur every 15-30 minutes.

    I have run a full scan with Norton and it finds nothing. Same with Malwarebytes. But superantispyware found a trojan (long name that ends in vulcan.exe) and said it was in a folder called DriversBackup on my desktop. It was supposedly quarantined and would be removed on reboot – but it keeps coming back despite that after reboot when I rescan with superantispyware.

    I went to the desktop folder and manually deleted the supposed trojan. It has not returned when I rebooted.

    But I keep getting the alerts from Norton about Zyxel attempted intrusions. I worry these are related to the previously mentioned trojan and it is still hiding somewhere on my computer. The trojan source is also listed as somewhere on disk 6, but when I look at the volume numbers for my existing drives, I only have 1 through 5. So that’s another mystery.

    Along with these notifications and malware/trojan alerts/detections, I have had the screen freeze 3 times this week and the screen does not always refresh itself as usual.

    Finally, when I try to shut down my computer when it freezes, I get an error message that Macrium Reflect Free is running a backup and won’t let me shut down. I had tried 2 weeks ago to uninstall Macrium Reflect Free, but my uninstall program (Revo) and the Windows 11 uninstall app tool do not have Macrium Reflect in their lists. That despite the fact Macrium Reflect Free is listed among my apps and runs OK as far as I can tell.

    So I am also wondering if the weirdness with Macrium Reflect was the first sign of malware trouble. If anyone knows how I can uninstall Macrium Reflect Free when uninstall programs can’t find it, I’d appreciate that info too.

    The other error message I get when trying to shut down is that gvrBackgroundWindow3 is still running and won’t let me shut down.

    Is it possible these are all related or are they differing things on a really messed up computer?

    Sorry this seems so convoluted but any help is appreciated.

    Anyone have any advice on how to address

    Replies
    • #2566305

      Drpep71,

      Do you have a Zyxel modem/router?

      It would appear that the attack is loaded into the Firmware of these devices.
      You would therefore need to get new firmware from your ISP or, preferably, a whole new device.

      Of course this is my interpretation of the online research I did.
      Not being an expert in this field I could be wrong but it seems the most logical problem based on the available information.

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!
    • #2566308

      Thanks for the quick reply.

      I have an ARRIS modem from my ISP and a Netgear ORBI router, a Netgear 8-outlet dumb switch, and a Wavlink extender. I also have a Buffalo NAS for backups and two large USB external hard drives – one each from Seagate and Western Digital.

      So no Zyxel products that I know of.

      Could Zyxel make components for other brand names’ cable boxes or “smart” devices that are not apparent from the brand name on the device that uses their components? We have numerous smart TVs, surveillance cameras, Amazon devices, light switches and plugs.

      Also, could the Zyxel hardware be from a source outside my home?

      I really appreciate your taking time to respond.

      Any thoughts on how to uninstall my phantom Macrium Reflect or an approach to removing the Trojan that Superantispyware keeps detecting but not removing?

    • #2566329

      Different uninstallers are capable of uninstalling different software. Here are several uninstall programs:

      On permanent hiatus {with backup and coffee}
      offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
      offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
      online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
    • #2566379

      Drpep71,

      You may want to read this information about Wavlink.

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!
    • #2566420

      All intrusion attempts should be blocked by your Netgear router. If Norton is reporting attempts from a 109 address then your router is not doing its job. (Can you post the full IP address so we can check the source of the attempts?)

      To eliminate the Wavlink, turn it off for half an hour and see if you still get intrusion attempts.

      cheers, Paul

      p.s. Use the Windows uninstaller for Macrium. Don’t use 3rd party uninstallers unless you have a troublesome product.

      • #2566492

        Thanks to both of you.

        I had turned off my computer last evening and just turned it on again. So just seeing these 2 helpful replies.

        I just disconnected the Wavlink extender, so will see what happens over the day. That’s a scary article. That info needs wider dissemination. I feel a bit stupid to have gone cheap and had a device with a backdoor working downstream of my router as an extender.

        I wonder if the extender being downstream of the router makes it impossible for the router to do its job. Nevertheless, the full address of the attacking computer most of the time is 109.207.200.44, 500 and the source address is the same without the ,500; see attached for the Norton message.

        The pathway source for the intrusions is always:

        \DEVICE\HARDDISKVOLUME6\WINDOWS\SYSTEM32\SVCHOSTE.EXE

        But I don’t have a volume 6 that I can find on my system.

        I tried windows uninstall first but it did not have Macrium listed. That’s why I went to the REVO uninstaller, which also does not have it in the list. Given that, is there a different non3rd-party method to uninstall the Macrium? Or a way to reset windows uninstaller to “see” Macrium?

        UPDATE: With the Wavlink disconnected, I just got the same intrusion alert, but the source address changed – 109.207.200.47, 500. I looked back at the old intrusion logs and found 109.205.213.30 for three other attempts, but the addresses above ending in .44 and .47 were most frequent – sometimes multiple times within 5 minutes and sometimes only once an hour.

        Hope these addresses mean something to somebody.

        [Attached screenshot: Screenshot-Zyxel-2023-06-16-120748]


        • #2566542

          As Paul T mentioned, your router should be blocking/preventing any connection attempts from the Internet to devices on your internal network. You can test your router security via ShieldsUp URL below. Click proceed and then “Common ports”. Ideally you want to see “Stealth” status for everything. Otherwise you need to check your router settings, especially if it reports anything as “Open”.

          https://www.grc.com/x/ne.dll?bh0bkyd2

    • #2566514

      I have had repeated intrusion attempt warnings from Norton, starting yesterday and continuing today. I have an Arris modem, no router, and have no Zyxel products on my computer. So far, there are three addresses, all targeting port 500:

      109.207.200.44

      109.297.200.47

      109.205.213.30

      It appears that these attacks are originating from Ukraine.

    • #2566519

      I’m seeing multiple attacks reported on AbuseIPDB.

    • #2566630

      “I wonder if the extender being downstream of the router makes it impossible for the router to do its job”

      Nope.
      The extender is behind the router firewall and can’t be accessed from the internet (assuming the router is working). The extender would need to be actively seeking outside connections for it to be susceptible.

      The target is your IP address, but Norton should never be able to see this data because your router will block the attempts and does not pass on the information – unless Norton has access to your router logs and is telling you about failed attempts that it has absolutely no control over in a pathetic attempt to show it is doing something to keep you paying. (Pardon the rant.)

      Are you sure the router has the firewall turned on and is not in bridge mode?

      cheers, Paul

    • #2566714

      I feel like the shrimp in Finding Nemo who sheepishly said, “I am ashamed”, when he was caught being so dumb by cleaning the aquarium glass when they needed it to be dirty.

      Anyway, I think it is fixed. When I got the feedback from all of you, I switched my computer’s internet connection to Wi-Fi as a trial. Voilà – the intrusions seem to have stopped. I then decided to disassemble my network cable system and add components back – one at a time.

      And behold – I discovered that my cables were incorrectly connected. The cables themselves look alike and they were in a bundling track – that’s my only excuse and I am going with that. 🙂

      The one that should run from my ISP-provided modem to my router was actually connected from the modem to the dumb switch. The cable that was supposed to go from the router to the dumb 8-port switch was actually connected from the dumb switch to the router. My computer, in the incorrect configuration, was connected by cable directly to the dumb switch and was not downstream of the router. The extender’s cable did come from one of the router’s ports. What is interesting to me is that the misconfigured cables have been that way for 4 months (since the office fix-up) and I had not seen issues before – that I know of.

      The genesis of using the dumb switch was that direct cabling the computer to a router port slowed and sometimes prevented connections to websites (timing out or “website not available” error messages), particularly when using the Brave browser.

      Using Wi-Fi now is not as fast as direct cabling but works OK until I get the budget to spring for a Wi-Fi 6 mesh router system.

      Thanks for all the input from everyone. The feedback I got was critical to figuring out what turned out to be a relatively simple fix. It made me go back to basics, e.g. recheck connector cables despite their labels – and so far, so good.

      If no more intrusion alerts occur over the weekend I will close this thread.

      Thanks again – so much. Love having this forum to get feedback and help fix things even if I find the problem was me. 🙂
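
As an added example (not code from the thread or from any of its posters), the following Python script does two of the checks the replies above walk through. First, it tallies Norton-style alerts by source address and destination port and groups the sources by /24, so that repeat sources such as 109.207.200.44 and 109.207.200.47 stand out as one origin. Second, it classifies the address the computer itself was handed: a PC cabled to the modem side of the switch, as in the final post, receives a public address from the ISP, whereas one behind the router receives an RFC 1918 private one, and the difference is a quick way to tell which side of the firewall a machine is on. The alert lines are constructed to resemble the notifications described in the thread and are not real Norton output; the only addresses taken from the thread are the three quoted by the posters.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the style of the Norton intrusion-prevention
# notifications described in the thread. They are made up for this example
# and are not real Norton log output.
SAMPLE_ALERTS = """\
2023-06-16 12:07:48 Intrusion attempt blocked: Zyxel Command Injection CVE-2023-28771 from 109.207.200.44, 500 (UDP)
2023-06-16 12:21:10 Intrusion attempt blocked: Zyxel Command Injection CVE-2023-28771 from 109.207.200.47, 500 (UDP)
2023-06-16 12:52:33 Intrusion attempt blocked: Zyxel Command Injection CVE-2023-28771 from 109.205.213.30, 500 (UDP)
2023-06-16 13:05:02 Intrusion attempt blocked: Zyxel Command Injection CVE-2023-28771 from 109.207.200.44, 500 (UDP)
2023-06-16 13:09:40 Some unrelated notification line with no address in it
"""

# Matches the "from <ip>, <port> (<proto>)" tail of the constructed lines.
ALERT_RE = re.compile(
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}), (?P<port>\d+) \((?P<proto>[A-Z]+)\)"
)


def summarize_alerts(text):
    """Count alerts per (source IP, destination port, protocol).

    Lines without a source address are skipped, and an address that is not
    a valid IPv4 literal (e.g. a mistyped octet such as 297) is skipped too
    instead of crashing the summary.
    """
    counts = Counter()
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.IPv4Address(m["ip"]))
        except ValueError:
            continue
        counts[(ip, int(m["port"]), m["proto"])] += 1
    return dict(counts)


def source_networks(summary, prefixlen=24):
    """Group a summary's source addresses by /prefixlen network so that
    neighbouring addresses show up as a single origin."""
    nets = Counter()
    for (ip, _port, _proto), n in summary.items():
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        nets[str(net)] += n
    return dict(nets)


def exposure(local_ip):
    """Classify the IPv4 address a host received from its upstream device.

    'public'     - globally routable: the host sits on the modem side of the
                   NAT router and is directly reachable from the Internet
                   (the mis-cabled situation described in the thread).
    'cgnat'      - 100.64.0.0/10 shared address space: the ISP is doing
                   carrier-grade NAT; the host is not directly reachable.
    'behind-nat' - RFC 1918 private space: the host is behind a NAT router,
                   so unsolicited inbound packets never reach it.
    'link-local' - 169.254.0.0/16: no DHCP lease at all; check the cabling.
    """
    addr = ipaddress.ip_address(local_ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    # Python's is_private does not cover the shared address space, so test it first.
    if addr in ipaddress.ip_network("100.64.0.0/10"):
        return "cgnat"
    if addr.is_link_local:
        return "link-local"
    if addr.is_private:
        return "behind-nat"
    return "public"


if __name__ == "__main__":
    summary = summarize_alerts(SAMPLE_ALERTS)
    for (ip, port, proto), n in sorted(summary.items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}  {ip}:{port}/{proto}")
    print("by /24:", source_networks(summary))
    # Replace with the address shown by ipconfig (Windows) or ip addr (Linux).
    print("192.168.1.23 ->", exposure("192.168.1.23"))
```

To use it on a real machine, paste the alert lines exported from the antivirus console in place of SAMPLE_ALERTS (adjusting ALERT_RE if the product's wording differs), and pass the address shown by ipconfig or ip addr to exposure(). A result of "public" on a home PC means the machine is not behind the router's firewall at all, regardless of what the router's settings say.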
