
Thread: Virus Infection on medium sized corporate network

  • #1 Mokilok (Junior Member, Melbourne, VIC)

    Hey guys,
    I'm struggling a bit with a virus problem at work. We are using McAfee with ePO (ePolicy Orchestrator) to manage all of the hosts. Normally it's pretty good, but at the moment we have a bit of an epidemic that McAfee is not handling at all well. We scheduled a network-wide scan last night and found about 20 different machines that are infected with about 30 viruses. The most common of which are:

    W32/Autorun.worm.h
    Generic.dx!und
    Generic Rootkit.g

    Now I have no problem with removing them from a PC, but they seem to reappear within 30 minutes. Obviously they are using some sort of vulnerability to penetrate our systems, but I can't determine what it is. Does anyone know how these viruses would typically enter a system that has no local account other than the system administrator account, which is password protected? All users have domain accounts which are limited to users who cannot execute programs other than those which have been pre-installed by a network administrator; they also cannot make system changes. The other issue is, if I remove all these viruses from our local PCs, we are an international company and we administer several countries from our site, so the virus could very well be coming from overseas. Also, Autorun has been disabled on USB drives.

    I know there isn't much information to go on there, but I can't really give any logs or netstats without breaching company policy.
    Last edited by Mokilok; 25-11-10 at 04:54 PM.



  • #2 mickstv (Senior Member)

    I don't know if this link might be helpful, but I will post it anyway.







    I know this will give you info on the first virus only, but it's good reading and it might give you some ideas on how it's reoccurring.




    Last edited by mickstv; 26-11-10 at 08:45 AM. Reason: spelling etc only


  • #3 mickstv (Senior Member)

    Does the network scan run on all hosts simultaneously or one at a time?



    Mickstv

  • #4 Mokilok (Junior Member, Melbourne, VIC)

    Quote Originally Posted by mickstv:
    Does the network scan run on all hosts simultaneously or one at a time?
    Mickstv

    Simultaneously across all hosts and servers. However, our scans cover only Australia, Thailand and Singapore. They could still come from China, Germany or the USA without our knowledge. Company policy has prevented us from having our own firewall at our site until now.
    Last edited by Mokilok; 25-11-10 at 08:35 PM.

  • #5 mickstv (Senior Member)

    Yeah, I was going to say: if you could isolate one of the computers and clean it, then load a firewall with restrictive access, you could see everything that's trying to gain access and hopefully locate the source that way.

    The reinfection could still be internal. It would only take the antivirus missing one file across the whole network to reinfect.

    McAfee Labs Stinger might be of some use; it might find the problem better than the full McAfee package? Depends on company policy.

    Mickstv
    Last edited by mickstv; 25-11-10 at 09:35 PM.


  • #6 Mokilok (Junior Member, Melbourne, VIC)

    Quote Originally Posted by mickstv:
    Yeah, I was going to say: if you could isolate one of the computers and clean it, then load a firewall with restrictive access, you could see everything that's trying to gain access and hopefully locate the source that way.

    The reinfection could still be internal. It would only take the antivirus missing one file across the whole network to reinfect.

    McAfee Labs Stinger might be of some use; it might find the problem better than the full McAfee package? Depends on company policy.
    Mickstv

    Good idea, I'll try that tomorrow. Thanks Mick. Still, if anyone knows what vulnerabilities these viruses exploit in order to gain access to a system, please let me know.

  • #7 mickstv (Senior Member)

    EDIT: if you use Stinger, it's like every anti-malware package: be careful what it deletes; I've been caught in the past. I believe Stinger has an option to report only, so you should be able to check files first. But I wouldn't use Stinger as my first option, and if you do, use it on a single PC disconnected from the network.

    So I would recommend the firewall option first and see what you find.

    Mickstv
    Last edited by mickstv; 26-11-10 at 04:17 PM. Reason: adding to post

  • #8 LeroyPatrol (Senior Member, N.E. Vic)

    Do you have virus protection on your servers as well? We had a worm at work and it was exploiting a flaw in Windows. You need to make sure you have all your machines patched, but also do a search to see if you can find a Windows patch for your worm. We then had to run around patching and scanning machines one by one and finally got on top of it.
    Good luck.

    Leroy


  • #9 baseel (Member, People's Republic of NSW)

    G'day Mokilok,
    may I suggest the following steps:
    isolate/remove those infected PCs from the rest of the network.
    scan users' home folders (if you have such) and network shared drives.
    you can try to trace the time/origin of the infection by looking through your McAfee virus scan logs.
    one or more of the Trojans you listed had to be removed manually, so reimaging those infected PCs can be a good thing to do.
    Good luck
    cheers
    "People who love sausage and people who believe in justice should never watch either of them being made" Otto Bismarck


  • #10 Mokilok (Junior Member, Melbourne, VIC)

    Quote Originally Posted by LeroyPatrol:
    Do you have virus protection on your servers as well? We had a worm at work and it was exploiting a flaw in Windows. You need to make sure you have all your machines patched, but also do a search to see if you can find a Windows patch for your worm. We then had to run around patching and scanning machines one by one and finally got on top of it.
    Good luck.
    Leroy

    Thanks for the response Leroy. Yes, I have antivirus on the servers as well as all PCs in the business, all managed from the ePO, which displays any machines that become non-compliant; as a result I can be assured that all antivirus on PCs and servers is up to date.

  • #11 Mokilok (Junior Member, Melbourne, VIC)

    Quote Originally Posted by baseel:
    G'day Mokilok,
    may I suggest the following steps:
    isolate/remove those infected PCs from the rest of the network.
    scan users' home folders (if you have such) and network shared drives.
    you can try to trace the time/origin of the infection by looking through your McAfee virus scan logs.
    one or more of the Trojans you listed had to be removed manually, so reimaging those infected PCs can be a good thing to do.
    Good luck
    cheers

    Thanks for the suggestion, but that's impossible; I can't isolate that many PCs at once, it would hinder productivity. I'll have to find another solution for cleaning this mess while the computers are in use. Thanks anyway.

  • #12 ocd_csv (Member, Vic)

    If they reappear on the next scan, it could be that the virus checker is failing to clear the virus, or else they are FALSE positives (especially those generic ones).

    Best bet is to go to a machine, boot off CD/DVD and clean the machine until no viruses are detected by multiple online systems. Also do a rootkit scan to check for anything else.

    Then put it back onto the network.
    Don't run anything; just log in to the network with a normal user-level login,
    then run the virus scanner repeatedly to see if it gets re-infected.

    Odds are it won't.

    Post thought: I also use port monitoring software to see what ports are open on the machine, or use netstat -a etc. to see what's opening ports. To transmit to another machine some ports need to be opened, so it might give you an idea on which ports to lock out.
    Last edited by ocd_csv; 26-11-10 at 08:56 AM.
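As an added illustration of the netstat suggestion above (not code from the thread), this Python script parses `netstat -ano` output (the `-o` column adds the owning PID) and reports two things a defender wants from it: TCP listeners outside an assumed baseline, and established sessions to other hosts' SMB ports grouped by PID, since a share-spreading worm opens those from its own process rather than the System redirector. The baseline ports and the sample output are constructed assumptions, not taken from the poster's network.

```python
import re

# Assumed baseline of TCP ports a domain-joined Windows workstation is expected to
# listen on (RPC endpoint mapper, NetBIOS session, SMB, RDP). Adjust to your SOE.
BASELINE_LISTENERS = {135, 139, 445, 3389}
SMB_PORTS = {139, 445}  # Windows file-sharing ports on the remote side

# netstat -ano rows: proto, local addr:port, foreign addr:port, optional state, PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Turn netstat -ano output into dicts; header and unrelated lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state, pid = m.groups()
        rows.append({"proto": proto, "laddr": laddr, "lport": int(lport), "raddr": raddr,
                     "rport": rport, "state": state or "", "pid": int(pid)})
    return rows

def unexpected_listeners(rows, baseline=BASELINE_LISTENERS):
    """TCP listeners outside the baseline, as sorted (port, pid) pairs to chase up."""
    return sorted({(r["lport"], r["pid"]) for r in rows
                   if r["proto"] == "TCP" and r["state"] == "LISTENING"
                   and r["lport"] not in baseline})

def smb_peers_by_pid(rows):
    """Established sessions to other hosts' SMB ports, grouped by the local PID.
    Ordinary share access goes through the redirector and shows as PID 4 (System);
    a user-mode PID fanning out to many peers on 445 is what to look at first."""
    peers = {}
    for r in rows:
        if r["state"] == "ESTABLISHED" and r["rport"].isdigit() and int(r["rport"]) in SMB_PORTS:
            peers.setdefault(r["pid"], set()).add(r["raddr"])
    return {pid: sorted(hosts) for pid, hosts in peers.items()}

# Constructed sample in the Windows netstat -ano layout; addresses and PIDs are made up.
SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       836
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5551           0.0.0.0:0              LISTENING       2144
  TCP    10.0.0.20:1041         10.0.0.7:445           ESTABLISHED     2144
  TCP    10.0.0.20:1042         10.0.0.8:445           ESTABLISHED     2144
  TCP    10.0.0.20:1050         10.0.0.5:445           ESTABLISHED     4
  UDP    0.0.0.0:137            *:*                                    4
"""
```

Run it against the saved output of `netstat -ano` from a suspect machine; the listener on 5551 and the PID 2144 sessions to two peers' port 445 in the sample are the kind of result that tells you which process and port to block first.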

  • #13 Philquad (Senior Member, nelson bay)

    But if you looked at hidden OS files on the drive, you'll find autorun.inf there.

  • #14 baseel (Member, People's Republic of NSW)

    Hi Mokilok,
    Is re-imaging those infected PCs a valid option for you?

  • #15 Mokilok (Junior Member, Melbourne, VIC)

    Quote Originally Posted by Philquad:
    But if you looked at hidden OS files on the drive, you'll find autorun.inf there.

    That's right, you will find an autorun.inf. We in fact have them on every root directory and share on 3 servers now, along with 20 PCs which will all also have an autorun in root directories. I can remove the viruses, and in most cases they have been removed, but without finding the original way they penetrated our systems I won't be able to prevent it from happening again.

  • #16 Mokilok (Junior Member, Melbourne, VIC)

    Quote Originally Posted by baseel:
    Hi Mokilok,
    Is re-imaging those infected PCs a valid option for you?

    Hi Baseel,
    It's not, unfortunately; we only keep image backups of critical systems. We do back up data but not 1:1 images of systems; that would just be far too large with the kind of files my co-workers produce (30-40 GB files). I've been looking into WDS and MDT a little as they seem to have a fairly efficient method of imaging, but before I started here the systems were not really imaged.

  • #17 Mokilok (Junior Member, Melbourne, VIC)

    Can I get some opinions here, guys? Is a nameless session dangerous? I close them off but they keep re-opening. There also seem to be a few suss objects in netstat.
    When I check the two open files they aren't listed; there are no files open that have nameless connections.

  • #18 Philquad (Senior Member, nelson bay)

    Autorun Eater should run in the background.
    It comes from flash drives.
    So much for antivirus, eh?
    Although my NOD32 picks it up every time my worker puts her silly USB stick in;
    she's always getting it.
    They have an infected box.

  • #19 Mokilok (Junior Member, Melbourne, VIC)

    Quote Originally Posted by Philquad:
    Autorun Eater should run in the background.
    It comes from flash drives.
    So much for antivirus, eh?
    Although my NOD32 picks it up every time my worker puts her silly USB stick in;
    she's always getting it.
    They have an infected box.

    We have Autorun disabled on all PCs and servers network-wide. These viruses are getting in somehow without Autorun; they are placing the autorun.inf files there, but they aren't being activated by USB sticks or mounting UNC shares.
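To inventory which drive and share roots are carrying an autorun.inf and what each one points at (the situation in the last few posts), here is an added Python script that is not from the thread. It parses the [autorun] section itself rather than trusting the file's casing, records the launch keys (open, shellexecute, shell\open\command) and hashes the referenced file so the sample can be sent to your AV vendor; the demo runs against a constructed temporary directory, not a real share.

```python
import hashlib
import os
import tempfile

LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")  # keys that name a file to launch

def parse_autorun(text):
    """Return {key: value} for the launch keys in the [autorun] section of an autorun.inf."""
    targets, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # [AutoRun] and [autorun] are the same section
            continue
        if section == "autorun" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key.lower() in LAUNCH_KEYS:
                targets[key.lower()] = value
    return targets

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def scan_roots(roots):
    """For each drive or share root, report what its autorun.inf launches and hash that file."""
    findings = []
    for root in roots:
        inf = os.path.join(root, "autorun.inf")
        if not os.path.isfile(inf):  # isfile also finds hidden/system-attributed files
            continue
        with open(inf, encoding="utf-8", errors="replace") as f:
            targets = parse_autorun(f.read())
        for key, value in targets.items():
            # First token is the file launched (relative to the root); the rest are its arguments.
            name = (value.split() or [""])[0].strip('"').replace("\\", os.sep)
            exe = os.path.join(root, name)
            findings.append({"root": root, "key": key, "target": exe,
                             "sha256": sha256_of(exe) if os.path.isfile(exe) else None})
    return findings

def demo():
    """Constructed sample: a share root holding an autorun.inf plus the file it references."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "dropped.exe"), "wb") as f:
        f.write(b"MZ placeholder bytes, not a real program")
    with open(os.path.join(root, "autorun.inf"), "w") as f:
        f.write("[AutoRun]\r\nOPEN=dropped.exe\r\nshell\\open\\Command=dropped.exe -q\r\nicon=x.ico\r\n")
    return scan_roots([root])
```

On a real estate you would pass the mapped drive letters and UNC share roots to scan_roots and compare the hashes across hosts; identical hashes on every root point at one dropper, and the earliest file timestamp among them is a lead on where it started.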

  • #20 baseel (Member, People's Republic of NSW)

    Quote Originally Posted by Mokilok:
    Hi Baseel,
    It's not, unfortunately; we only keep image backups of critical systems. We do back up data but not 1:1 images of systems; that would just be far too large with the kind of files my co-workers produce (30-40 GB files). I've been looking into WDS and MDT a little as they seem to have a fairly efficient method of imaging, but before I started here the systems were not really imaged.

    Hi Mokilok,
    so if I get this right, there are work-related files/data that the users do keep on their workstations?
    It's time consuming to clean each PC and make sure that the infection doesn't reoccur, so re-imaging them will be faster and more efficient.
    Have a look at this scenario:
    Get one of those infected PCs, copy the data on it (if any) to an external HDD (not a networked one).
    Reinstall OS, drivers, Office, work software, updates, corporate settings, etc., then boot with a network boot disk to a shared network drive and use ghost32.exe to ghost the C: partition.
    The image created should be your SOE (Standard Operating Environment), which you can use to re-image any PC you have (providing they have similar hardware).
    As for imaging any PC, just boot the PC with the network boot disk, map to where the original image (SOE) is located and re-ghost it.
    Re-imaging a PC with a 4.7 GB image takes about 10-15 minutes over the network.
    Sorry for the long post, but I'm only trying to help.
    Cheers
