
Constant Guard False Bot Positives

SOLVED
Posted by
Frequent Visitor

Message 1 of 15
4,244 Views

Again I received an email titled "Constant Guard Service Alert" from alerts@comcast.net with absolutely no other information. I checked with "Am I botted" and it shows the same so-called "Java_Exploit_Group" detected again with no other explanation. My own research has indicated that this notification pops if I bring a computer with Java installed online. I have 2 such computers. 1 runs Linux and the other a fully updated and checked Windows 7. I have removed Java from all Windows computers. Just to keep you quiet I am removing Java from the remaining Windows computer since you seem to detect all Java installations in Windows as bots regardless of currency.

 

Please either fix this system or stop sending out aggravating and incorrect warnings. I run Norton on all Windows computers except for 1 which runs Microsoft AV, and repeated checks with the installed AVs and web-based scanners never show a problem.

 

You are rapidly losing all credibility as regards your ability to detect malware on your network. False positives are not benign - they destroy any confidence in your competency.

14 REPLIES
Posted by
Gold Problem Solver

Message 2 of 15
4,222 Views

Some Java exploits are cross-platform. It would be best to check with Comcast Security Assurance before writing this off as a false positive: 1-888-565-4329 6am-2am Eastern time, http://security.comcast.net/get-help/contact-comcast-security.aspx.

Posted by
Frequent Visitor

Message 3 of 15
4,139 Views

What does "Java_Exploit_Group" mean on the AmIBotted site? So far the only reference I have found to this string on the internet is my earlier posting on the topic. If someone knows, please say so.

Posted by
Silver Problem Solver

Message 4 of 15
4,135 Views

Hello,

From some research on the web, it is a virus. Here are some steps you can try to fix it, but there are no guarantees. You might find some better malware programs that can remove the virus.

 

1. delete java cache:
http://www.java.com/en/download/help/plu…


2. read & run:
http://www.bleepingcomputer.com/tutorial…


3. run free malwarebytes.

Posted by
Frequent Visitor

Message 5 of 15
4,118 Views

I have Java installed on only 1 computer and that is the latest installation with all updates. I also have Norton AV installed and run it regularly. There are no symptoms of virus infection on any of my computers. And why would the so-called botnet detector identify a virus as a bot - they are very different things. I also run Secunia PSI, which is the recommendation from the bleepingcomputer page you cited.

 

Where did you find the description of JAVA_Exploit_Group?

Posted by
Regular Contributor

Message 6 of 15
4,085 Views

When you had Java installed, what version was it? There have been a number of zero-day security holes with recent releases (and the older ones).

 

Posted by
Gold Problem Solver

Message 7 of 15
4,074 Views

AlexRetired2 wrote: ... why would the so-called botnet detector identify a virus as a bot - they are very different things. ...

Comcast's system does not detect viruses or bots. It detects IP traffic to/from hosts it believes to be part of a botnet. Please see http://forums.comcast.com/t5/Security-and-Anti-Virus/Comcast-Announces-Constant-Guard-security-progr....

Posted by
Regular Contributor

Message 8 of 15
4,041 Views

BruceW wrote:

AlexRetired2 wrote: ... why would the so-called botnet detector identify a virus as a bot - they are very different things. ...

Comcast's system does not detect viruses or bots. It detects IP traffic to/from hosts it believes to be part of a botnet. Please see http://forums.comcast.com/t5/Security-and-Anti-Virus/Comcast-Announces-Constant-Guard-security-progr....


I suspect AlexRetired2 is talking about the amibotted.comcast.net site that does run a script against your PC when you access it and click on the scan button. Someone there likely included detection for versions of Java prior to Java 6 Update 37 and Java 7 Update 9.

 

Posted by
Gold Problem Solver

Message 9 of 15
4,038 Views

Lunkwill wrote: ... the amibotted.comcast.net site that does run a script against your PC when you access it and click on the scan button. ...

No, sorry, AmIBotted does not scan your system. It merely pulls up whatever information the botnet detection system has on your internet connection. The data is historical, not real-time.

 

Also note that the name the system reports is not necessarily the name of a piece of malware, it is the name of a botnet, or a botnet family. See the sample page at https://amibotted.comcast.net/images/preview.png and the description of the detection system.

Posted by
Official Employee

Message 10 of 15
4,020 Views

BruceW wrote:

Lunkwill wrote: ... the amibotted.comcast.net site that does run a script against your PC when you access it and click on the scan button. ...

No, sorry, AmIBotted does not scan your system. It merely pulls up whatever information the botnet detection system has on your internet connection. The data is historical, not real-time.

 

Also note that the name the system reports is not necessarily the name of a piece of malware, it is the name of a botnet, or a botnet family. See the sample page at https://amibotted.comcast.net/images/preview.png and the description of the detection system.


I can confirm this is 100% correct. The site does not scan you - it looks your IP up in our malware database.

JL
Internet Services


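An added illustration of the mechanism BruceW and JL describe above (example code written for this thread, not Comcast's code or a description of their actual implementation): an ISP-side detector matches flow records against a list of known botnet hosts tagged with a family name, keeps only the subscriber IP, the family label and the last sighting, and the lookup page simply reads that record back. All addresses, family names and flow records below are constructed sample data.

```python
from collections import defaultdict, namedtuple
from datetime import datetime

# One observed flow: when, subscriber (NAT) address, remote host, remote port.
Flow = namedtuple("Flow", "ts src_ip dst_ip dst_port")

# Constructed indicator list: remote host -> botnet family label.
# Addresses are RFC 5737 documentation ranges, not real C2 servers.
C2_INDICATORS = {
    "203.0.113.10": "Java_Exploit_Group",
    "203.0.113.11": "Java_Exploit_Group",
    "198.51.100.7": "Example_Family_B",
}

# Constructed flow log. 192.0.2.44 is one subscriber IP; every device behind
# that NAT shares it, so the record can never name the device that talked.
SAMPLE_FLOWS = [
    Flow(datetime(2012, 11, 19, 9, 5), "192.0.2.44", "203.0.113.11", 8080),
    Flow(datetime(2012, 11, 20, 10, 20), "192.0.2.44", "203.0.113.10", 443),
    Flow(datetime(2012, 11, 20, 10, 21), "192.0.2.44", "192.0.2.99", 80),  # benign
    Flow(datetime(2012, 11, 21, 8, 0), "192.0.2.45", "192.0.2.99", 443),   # benign
]


def correlate(flows, indicators):
    """Match flows against the indicator list. Only the subscriber IP, the family
    label and the most recent sighting are kept; nothing is scanned on the CPE."""
    db = defaultdict(dict)
    for f in flows:
        family = indicators.get(f.dst_ip)
        if family is None:
            continue  # traffic to a host not on the list is not recorded at all
        seen = db[f.src_ip].get(family)
        if seen is None or f.ts > seen:
            db[f.src_ip][family] = f.ts
    return db


def am_i_botted(db, subscriber_ip):
    """What the lookup page returns: historical (family, last_seen) pairs, or []
    when the IP never contacted a listed host. Uninstalling software on the CPE
    does not change this record; only the absence of new matching flows does."""
    return sorted(db.get(subscriber_ip, {}).items())


if __name__ == "__main__":
    db = correlate(SAMPLE_FLOWS, C2_INDICATORS)
    for ip in ("192.0.2.44", "192.0.2.45"):
        print(ip, am_i_botted(db, ip))
```

Run as-is, the first subscriber shows a single "Java_Exploit_Group" entry last seen 2012-11-20 10:20 and the second shows nothing, which is exactly the shape of information the thread says the lookup page can and cannot provide.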
Posted by
Frequent Visitor

Message 11 of 15
3,935 Views

I checked amibotted again and found a new entry for the same "Java_Exploit_Group", so I called Comcast security and they were able to confirm that they have no way of identifying the source of this report beyond an IP address and no information as to what "Java_Exploit_Group" means. The tech, who was trying very hard to help, suggested that I scan the web for the string "Java_Exploit_Group". Unfortunately, scanning for this string returns ONLY my correspondence on this forum on this subject. There appears to be no such thing as "Java_Exploit_Group" anywhere else on the internet (itself unusual).

 

There was only 1 device on at the time given on the timestamp for amibotted, which I verified by checking the event log for each computer. That computer did have Java SE7 Update 09 installed, which is the latest version as of today. To resolve this I uninstalled Java from the one machine that had it and once again scanned it thoroughly with Norton and Bitdefender for any signs of malware. If the amibotted entry shows up again I will report it here as a definite false positive.

 

If anyone can come up with an authoritative explanation for amibotted's "Java_Exploit_Group" please report it here.

 

If this keeps happening the alternative is, of course, a different ISP.

Posted by
Official Employee

Message 12 of 15
3,965 Views
Solution

JAVA_EXPLOIT_GROUP is a generic name of a Zeus Botnet variant that exploits Microsoft OS & Java vulnerabilities to install a multi-purpose trojan.

 

Uninstalling Java is unfortunately not sufficient if the malware was already installed. Please also make sure your Windows machine is patched and you have also updated Adobe Flash. However, I don't see any new activity for your IP; last seen was 11/20 at 10:20 EST.

 

Also have you tried Microsoft Security Essentials?  http://windows.microsoft.com/en-US/windows/security-essentials-download

 

 

Lastly, there is a lot of information available on Java vulnerabilities; here are two:

http://krebsonsecurity.com/2012/08/java-exploit-leveraged-two-flaws/

http://www.cso.com.au/article/442705/dorkbot_java_weapon_hit_3_5m_pcs_30_days/?fp=4&fpid=959105

 

- Nirmal 

Comcast

National Engineering & Technical Operations




Posted by
Frequent Visitor

Message 13 of 15
3,902 Views

Thank you very much - now I know what botnet type to look for. The machines are all set to autoupdate with Microsoft and Flash is also checked as well.

 

BTW - I have two devices on my LAN that could possibly be creating a positive. One is the Linksys Squeezebox Radio and the other is a Roku 2 XS. Have there been any reports of either of these devices having a problem? I'm pretty sure the Squeezebox runs Linux and maybe the Roku as well.

 

Again, thanks.

Posted by
Official Employee

Message 14 of 15
3,684 Views

I have not seen any malware that targets/exploits Roku or Logitech* Squeezebox devices. You are correct, Roku is Linux, but Squeezebox runs on Squeeze OS, which is Logitech's own OS written in Lua.

 

- Nirmal 

Comcast

National Engineering & Technical Operations

 




Posted by
Frequent Visitor

Message 15 of 15
3,664 Views

Thanks for the information. You're so far the best source of information I've found here. Congrats!

 

PS: say hello to Garfield