9 Replies Latest reply on Oct 17, 2017 8:23 AM by Intel Corporation

    Intel PROSet/Wireless Zero Configure Service initiating traffic to Botnet IP

    Kiran.Vyas

      Hi All,

       

      I'm observing that a few of the PCs in my client network are trying to communicate with a Botnet IP - 208.91.197.27 which belongs to Confluence Networks Inc (US).

      When I checked the process and source of the traffic, surprisingly I found out that it is generated from the location Intel PROSet/Wireless Zero Configure Service/ZeroConfigService.exe.

       

      I don't know why it is trying to connect to an external IP.

       

      Has anyone of you observed this in your environment? Can anyone help me to find out a solution for this?

       

      Thanks in Advance,

       

      Kiran Vyas

       

        • 1. Re: Intel PROSet/Wireless Zero Configure Service initiating traffic to Botnet IP
          Intel Corporation
          This message was posted on behalf of Intel Corporation

          Hi, thank you very much for contacting the Intel® communities. We will do our best to try to fix this problem.
           
          In order for us to provide the most accurate information about this issue, I will transfer the case to the proper department. An agent will further assist you with this matter.
           
          Regards,
          Alberto R
           

          • 2. Re: Intel PROSet/Wireless Zero Configure Service initiating traffic to Botnet IP
            Intel Corporation
            This message was posted on behalf of Intel Corporation

            Hello Kiran,

            We understand you have identified an issue with the ZeroConfigService.exe on several of your systems trying to communicate with a third-party IP. Let me assure you this is not an expected behavior.

            In order to better assist you, we would like some more information:

            1. Brand and model of the affected computers.
            2. Wireless adapter models, and current driver versions in use.

            We look forward to hearing back from you.

            Best regards,
            Carlos A.

            • 3. Re: Intel PROSet/Wireless Zero Configure Service initiating traffic to Botnet IP
              Kiran.Vyas

              Hi Carlos,

               

              Please find the below answers.

               

              1. Brand and model of the affected computers.

                   HP EliteBook 820

                  

              2. Wireless adapter models, and current driver versions in use.

                   Intel (R) Dual Band Wireless-N 7260

                   Version: 16.10.0.5

               

              Please note: these details are from only one of the laptops on which we observed the traffic.

               

               

              Thanks & Regards,

              Kiran Vyas

              • 4. Re: Intel PROSet/Wireless Zero Configure Service initiating traffic to Botnet IP
                praveen_p

                Hi Carlos,

                 

                Please note, the dst port is 443 (SSL) and hence we are unable to see the content of the packet.

                https://exchange.xforce.ibmcloud.com/ip/208.91.197.27

                 

                Regards,

                Praveen P

                • 5. Re: Intel PROSet/Wireless Zero Configure Service initiating traffic to Botnet IP
                  Intel Corporation
                  This message was posted on behalf of Intel Corporation

                  Hello Praveen,

                  As we mentioned before, the Intel® PROSet/Wireless Zero Configure Service does not communicate with external IPs. 

                  This service helps maintain reliable WiFi connections in areas with radio frequency difficulties by monitoring the link status and automatically invoking the adapter's driver, if it is down, to scan for a profile match and reconnect.

                  In this case, we suspect you may be dealing with a Trojan or malware infection masquerading as our service. While we don't provide direct virus/malware removal assistance, we strongly recommend checking your systems for infection.

                  From our end, we can recommend performing a clean installation of your wireless drivers. However, this may not be entirely effective if you are indeed dealing with an infection:

                  1. Download and save our latest Intel® PROSet/Wireless Software for your adapter.
                  2. Under Programs and Features in the Control Panel, uninstall any instance of the "Intel® PROSet/Wireless Software." When prompted, choose to "discard settings."
                  3. Go to the Device Manager > Network Adapters > Right click on your Intel(R) Dual Band Wireless-N 7260 and uninstall it. Make sure to select the option to "Delete the driver software for this device."
                  4. Clear out your temporary files: Press the Windows* Key + R to open the run box. Type Cleanmgr.exe and press OK. Here you will need to make sure Temporary Files are checked, you may uncheck everything else (unless you're ok with the extra wait) and press OK.
                  5. Install the Intel® PROSet/Wireless Software that was downloaded back in step one.
                  6. Reboot your computer.

                  We hope this information helps.

                  Best regards,
                  Carlos A.

                  • 6. Re: Intel PROSet/Wireless Zero Configure Service initiating traffic to Botnet IP
                    praveen_p

                    Hi Carlos,

                     

                    Thanks for the update.

                     

                    Even my initial understanding was that this could be a case of malware/trojan. However, I investigated the .exe which is initiating the connection (intel.exe) and also uploaded it to some of the malware analysis tools. All the results showed it is clean and no suspicious/strange behavior was observed.

                     

                    Let's assume that malware is masquerading as the Intel service; in that case we should have 2 services with the same name, right? However, we are seeing only 1 service.

                     

                    Will disabling Intel® PROSet/Wireless Zero Configure Service, cause any issue in using the Wifi?

                     

                    Regards,

                    Praveen P

                    • 7. Re: Intel PROSet/Wireless Zero Configure Service initiating traffic to Botnet IP
                      Intel Corporation
                      This message was posted on behalf of Intel Corporation

                      Hello Praveen,

                       

                      We can't promise that disabling this service won't cause issues. However, if this is indeed an infection, the actual service may not be active already. So go ahead and disable it, or remove it altogether. Depending on your OS version, you may be fine with just the driver.

                       

                      If you start experiencing issues afterwards, simply follow the clean installation method described earlier.

                       

                      Are you able to see the path that this service is running from?

                       

                      Best regards,

                      Carlos A.
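Carlos's question about the service's path, and Praveen's point about whether a second service with the same name exists, are both answerable from the endpoint itself. The following PowerShell script is an added example and is not part of the thread; it maps any live TCP connection to the IP named in the original post back to the owning process, then reports that image's path, Authenticode signature status, SHA256 hash and any loaded module whose signature does not validate, and finally lists every service whose name or image path mentions ZeroConfigService. It assumes Windows PowerShell 5.1 or later on Windows 8/Server 2012 or newer (for Get-NetTCPConnection) and that it is run from an elevated prompt so the OwningProcess field is populated; the IP is the one from the original post.

```powershell
# Added example, not from the thread. Run elevated: OwningProcess is only populated for an administrator.
$SuspectIp = '208.91.197.27'   # IP reported in the original post

# 1. Which process owns the connection(s) to the suspect IP?
$conns = Get-NetTCPConnection -RemoteAddress $SuspectIp -ErrorAction SilentlyContinue
if (-not $conns) {
    Write-Host "No live connection to $SuspectIp right now; re-run while the alert is firing."
}

foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $path = $proc.Path
    Write-Host ("{0}:{1} -> {2}:{3}  PID {4}  {5}" -f `
        $c.LocalAddress, $c.LocalPort, $c.RemoteAddress, $c.RemotePort, $c.OwningProcess, $path)
    if (-not $path) { continue }

    # 2. Is the image signed, and does the signature chain validate? A renamed or replaced
    #    binary in an unexpected directory shows up here as NotSigned / HashMismatch / UnknownError.
    $sig = Get-AuthenticodeSignature -FilePath $path
    Write-Host ("  Signature: {0}  Signer: {1}" -f $sig.Status, $sig.SignerCertificate.Subject)

    # 3. Hash of the image, for comparison with a sandbox or reputation service result.
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    Write-Host "  SHA256: $hash"

    # 4. A valid signature on the host process does not rule out an injected DLL, which is one way
    #    the traffic can appear to come from a clean, signed executable. List modules that fail to validate.
    foreach ($m in $proc.Modules) {
        $mSig = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
        if ($mSig.Status -ne 'Valid') {
            Write-Host ("  Module with non-valid signature ({0}): {1}" -f $mSig.Status, $m.FileName)
        }
    }
}

# 5. Every registered service whose name or image path references the zero-config service.
#    A second entry, or an image path outside the Intel install directory, is what to look for.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -like '*ZeroConfig*' -or $_.PathName -like '*ZeroConfigService*' } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize
```

Because the destination port is 443, the payload itself is not readable on the wire, but the output above tells you whether the connecting image is the Intel-signed binary at its expected path, whether something unsigned is loaded into it, and whether more than one service claims the name; those answers decide between "clean reinstall of the driver" and "treat the host as compromised".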

                      • 8. Re: Intel PROSet/Wireless Zero Configure Service initiating traffic to Botnet IP
                        Kiran.Vyas

                        Hi Carlos,

                         

                        I have tried uninstalling the Intel® PROSet/Wireless Software from my laptop and installed the new version (Version 20.x) as instructed by you previously. But after that my WiFi was not working, so I had to remove the software which I downloaded from the Intel website. And I reinstalled the WiFi software which is downloaded from the Lenovo software portal, and that automatically installed the Intel® PROSet/Wireless Software version 16.x.

                         

                        So currently I have downgraded to version 16.x and still I can observe the suspicious traffic towards the previously mentioned Botnet C&C IP.

                         

                        Expecting your reply on this.

                         

                        Regards,

                        Kiran Vyas

                        • 9. Re: Intel PROSet/Wireless Zero Configure Service initiating traffic to Botnet IP
                          Intel Corporation
                          This message was posted on behalf of Intel Corporation

                          Hello Kiran.Vyas,

                          We do not provide virus removal support. As mentioned before, this is not the designed behavior of this software; depending on the type of infection, a simple driver reinstall may not get rid of the problem. Our best recommendation in this case will be to perform a backup of any important data and then perform a clean installation of the operating system.

                          The drivers provided on our website are generic versions, which do not take into account any personalization and feature changes performed by your computer manufacturer. Because of this, your OEM drivers, even if older, are always our main recommendation.

                          Best regards,
                          Carlos A.