RookIE/1.0 Infection

Joined
Jun 20, 2018
Messages
2
OS
Windows 10
Antivirus
Malwarebytes
#1
My IT detected malicious traffic coming from my laptop at work but can't help me directly as it's not a work desktop. I followed my IT's recommendation to scan using anti-virus and malware sw, but the malicious traffic is still occurring. Defender, Malawarebytes, and Cisco Amp found nothing. Spybot found some and quarantined. Clamwin found one.

Here is the info from my IT:
> ISAM has detected an infected system on the network. Information
> about
> the system can be found above. The threat signature detected is
> MALWARE-CNC User-Agent known malicious user-agent string RookIE/1.0
> (1:18388:11), and is detected based on traffic coming from the system
> in question with a known malicious user-agent string. Please perform
> a
> malware scan of the system using something such as Windows Defender
> or
> Malwarebytes Anti-Malware Tool to detect and remove the malicious
> files.
I attached several logs, including the FRST ones.
For whatever's worth, I also scanned my registry for "RookIE" and found that my recent docx files all contained that string.
Thank you for your assistance.
 
Operating System
Windows 10
Are you using a 32-bit or 64-bit operating system?
64-bit (x64)
Infection date and initial symptoms
Possibly on June 13, 2018. I was made aware by my work IT, but I did not notice anything.
Current issues and symptoms
My IT mentioned the malware is trying to send information.
Steps taken in order to remove the infection
Windows Defender, Malwarebytes, Cisco Amp, Spybot, Clamwin
Logs added to Help Request
FRST.txt, Addition.txt, I've also uploaded logs from other scans that I've performed

Attachments

Likes: Rebsat

TwinHeadedEagle

Removal Expert
MalwareTips Staff
Joined
Mar 8, 2013
Messages
22,177
OS
Windows 10
Antivirus
ESET
#2
Hello,


I do not see signs of malware in your logs. You'll have to discuss this with your IT.
 
Joined
Jun 20, 2018
Messages
2
OS
Windows 10
Antivirus
Malwarebytes
#3
Hello,


I do not see signs of malware in your logs. You'll have to discuss this with your IT.
Here is some more info on how it was detected.

The Snort rule that the traffic matching on is as follows:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string RookIE/1.0"; flow:to_server,established; content:"User-Agent|3A| RookIE/1.0|0D 0A|"; fast_pattern:eek:nly; http_header:; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,snort.org/rule_docs/1-18388; classtype:trojan-activity; sid:18388; rev:11; gid:1; )

• The traffic is coming from campus IP space and going to an external IP
• The user-agent contains the string "RookIE/1.0"