Excessive traffic from router to port 12458 - is it being blocked by AVG - How to know

This concerns a Remote Access Trojan (RAT) that infiltrated a brand-new router that I installed as part of a new internet provider service. The router was determined to have a RAT in it (see My Network Investigation: Unraveling Mysterious Traffic, also part2.html and part3.html at that address). This RAT implants itself into the router and continually tries to reach out to every MAC address on the network. In Linux, a firewall is able to catch it and reject it. However, the traffic is heavy at times, as there are many devices. I am trying to determine if AVG is catching it at the port and denying it as Linux does. Do I need a rule added? Specifically, it is port 12458. It sends streams of small packets using a system called steganography. This router and modem have been removed from the network and normal activity has resumed. This may be a routinely blocked address or not; so far there has been no confirmation from anyone on how to see if it is being blocked.

Here are the supporting links related to the RAT (Remote Access Trojan) discovery process. The information is divided into three parts, corresponding to the three different computers where I observed inbound activity:

Hopefully, the software here will render these links as clickable.

I’m planning a data analysis in the near future to examine the captured information more thoroughly and identify any additional details that may be uncovered. This RAT is particularly stealthy, blending in with normal traffic, so its detection was fortunate. Unfortunately, there appears to be limited interest in this threat so far, which is concerning—such disinterest only increases the likelihood that others may be affected by it.


Well, it seems nobody really reads the forum. Here is an update though: Network Security Incident Report - SAX2V1R Router Analysis, and Router Attack Forensics - SAX2V1R. I have taken my Windows computer with AVG on it offline because I could not get confirmation that it is resistant to this threat. The router is a Sercomm SAX2V1R through Spectrum. If you have one, watch these ports for the activity outlined here.
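The post above asks how to tell whether inbound traffic to port 12458 is actually being dropped on the Windows machine. The following is an added example, not code from the original post or from AVG: it checks the Windows Defender Firewall (not any AVG firewall component, which keeps its own rules and logs that this does not read), turns on logging of dropped packets so there is evidence either way, adds explicit block rules, and then counts DROP versus ALLOW log lines for the port. It assumes port 12458 from the post, covers both TCP and UDP because the post does not say which protocol the packets use, uses the default pfirewall.log location, and must be run from an elevated PowerShell session.

```powershell
# Added example (not from the original post): is inbound traffic to port 12458 blocked
# by Windows Defender Firewall, and if not, block and log it. Run as Administrator.
# Assumptions: port number from the post; TCP and UDP both covered since the post does
# not name the protocol; default firewall log path.

$Port    = 12458
$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# 1. Any existing rules whose port filter names this local port (allow or block).
Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq "$Port" } |
    Get-NetFirewallRule |
    Select-Object DisplayName, Enabled, Direction, Action, Profile |
    Format-Table -AutoSize

# 2. Default inbound policy per profile. If this is Block and no allow rule matched
#    above, unsolicited inbound packets to the port are already being dropped.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 3. Log dropped packets so the question "is it being blocked" has evidence on disk.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True -LogFileName $LogPath

# 4. Explicit inbound block rules for both protocols (harmless if the default already
#    blocks; they make the intent visible in the rule list and survive policy changes).
foreach ($proto in 'TCP', 'UDP') {
    $name = "Block inbound $proto $Port"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol $proto `
            -LocalPort $Port -Action Block -Profile Any | Out-Null
    }
}

# 5. After some traffic has arrived: count actions for this destination port.
#    Log fields: date time action protocol src-ip dst-ip src-port dst-port ...
Get-Content $LogPath |
    Where-Object { $_ -notmatch '^#' } |
    ForEach-Object { $f = $_ -split ' '; if ($f[7] -eq "$Port") { $f[2] } } |
    Group-Object | Select-Object Name, Count
```

Step 5 is the actual answer to the question: a DROP count with no ALLOW lines for port 12458 means the packets are being discarded; ALLOW lines mean some rule or listening program is admitting them and step 1 shows which. If the router has already been removed, the log will only show what arrived before it was disconnected.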