
| Subject: | RE: Virus On Network |
|---|---|
| Date: | Fri, 8 Oct 2004 21:38:07 -0700 |
Joe,
Actually we experienced something very similar at the University I work
for. In this case it was Gaobot -- the bot viruses seem to behave more or less
the same. What I learned about these bots is they typically use a function that
enumerates user accounts on servers and workstations alike. Completely patched
and virus protected machines still managed to get infected -- RestrictAnonymous
needs to be set to a value of 2 in the registry so that anonymous enumeration
cannot occur. You could also run Microsoft Baseline Security Analyzer to
verify this and then use either the registry (my preference) or the local
security policy.
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Roger Padilla, Jr.
Cal Poly SLO
ITS/PS3
ropadill@calpoly.edu
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thanks everyone for all the help, we finally figured out what was going on.

About 10 machines on our network were infected with a new variant of the w32/sdbot.worm virus, and were generating a huge amount of SYN packets to port 445 on our network. The virus also seemed to be scanning our network incrementally, sending the packets to invalid addresses on our subnet and causing our router to utilize 100% of its CPU. The bad part is we had a brand new out-of-the-box server, installed Windows 2000 SP4, every single M$ patch, Adaware Pro, and Symantec 9.0 with the latest DATs, that was infected when we put it on the network. After sending a copy of the suspected file to Symantec they were able to provide us with a new DAT file in a few hours. I hope no one else sees this thing, it was a b*tch to clean :)

Thanks,
Joe Cervantes

-----Original Message-----
From: Roger Padilla Jr [mailto:ropadill@calpoly.edu]
Sent: Fri 10/8/2004 12:29 PM
To: 'Kern, Tom'; ':: gary ::'
Cc: focus-virus@securityfocus.com
Subject: RE: Virus On Network

Use Symantec's Roaming client feature for Laptop users.

------------------------------------------------
Roger Padilla, Jr.
Cal Poly ITS/PS3
Network Analyst
Office: (805) 756-5294
Email: mailto:ropadill@calpoly.edu
------------------------------------------------

-----Original Message-----
From: Kern, Tom [mailto:tkern@CHARMER.COM]
Sent: Friday, October 08, 2004 8:47 AM
To: :: gary ::
Cc: focus-virus@securityfocus.com
Subject: RE: Virus On Network

HOW WOULD YOU AUTOMATE THIS? ALSO, WHAT DO YOU DO TO PROTECT LAPTOP USERS ON THE ROAD WHO CAN'T GET TO YOUR PARENT SERVER? DO YOU ENABLE CONTINUOUS LIVE UPDATE? THANKS

-----Original Message-----
From: :: gary :: [mailto:gary.bright@cisd.panasonic.co.uk]
Sent: Friday, October 08, 2004 7:40 AM
Cc: focus-virus@securityfocus.com
Subject: Re: Virus On Network

Symantec also releases Rapid Release Virus Definitions. I download these every hour and usually I get a different build each time; I can help you automate this when things have calmed down. You can download the latest here: http://securityresponse.symantec.com/avcenter/beta.download.html They might catch something.

One last tip is to download the new version of Autoruns from Sysinternals, 5.01: http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml This will allow you to see every process that is started at boot up (one of the options is to hide official Microsoft processes; this will allow you to see what 3rd party programs get started). Do a search on the Internet for any process you are not 100% sure on.

I know you're probably running around like a blue ar5e fly but do try to document as much as you can.

Let us know how you get on
Gary

Tom Burns wrote:
These are the steps I could take:
1. Figure out which computer it's coming from (even if it means shutting down everything and bringing them up one by one)
2. If you find a problem child then:
   a. Take it off the network
   b. If it's a computer you need to keep running:
      I. Install Adaware and SB S&D and run them
      II. Scan for viruses.
   c. If it's not a computer you need to keep running:
      I. Copy off any files you need.
      II. Wipe and reload from scratch
Thomas Burns

-----Original Message-----
From: Fook Ming EE [mailto:eeefm@singnet.com.sg]
Sent: Wednesday, October 06, 2004 11:53 AM
To: 'Joe Cervantes'; focus-virus@securityfocus.com
Subject: RE: Virus On Network

It appears that "someone" (could be internal, or a machine(s) being hijacked by hackers) has installed some kind of scanning tools to find vulnerabilities in your networks for further exploitation. You got to find the source where the scanning is from (e.g., by sniffing the network traffic, IDS, etc). Next step would be you need to isolate the machines.

To find the source these are some hints:
- Look at your network diagram and subnets. I am sure the router logs would be able to tell you the subnet that causes the router to go off.
- Check server logs to identify any malicious activities.
- Virus attacks don't usually demonstrate this type of behavior.... your network might be hacked.
- Look at your network management tools that may be able to tell you something, for example suddenly there is a surge in traffic on a particular Ethernet port.
- Study your network perimeter security again to see where the in/out network traffic is.
- Look if there is an unwanted guest from VPN/Remote dial-in
- Or anybody in the office running such tools downloaded from the net.
- Please note that the scanning might come from external.
- If external you got to identify the source and block it (the source IP) as an interim solution. At a later stage you got to re-look at your firewall policies to prevent such things from happening in future.

Finally, you may want to prepare forensics to capture all the traces and evidence of attacks for legal use. All in all this is a lesson learned to be captured and where overall security needs to be "re-engineered" to improve and prevent similar things from happening. Also make sure that the entire incident response processes are adequate and in place to handle such security incidents. Also make sure that all your patches for router, servers, etc are in place. Continue to seriously monitor your network for a duration..... they might come back.....

Hope this helps!
Cheers,
FM

-----Original Message-----
From: Joe Cervantes [mailto:jcervantes@senecaco.com]
Sent: Wednesday, October 06, 2004 11:09 PM
To: focus-virus@securityfocus.com
Subject: Virus On Network

My network of about 200 users seems to have been infected with some sort of virus generating lots of traffic and killing our router. The traffic is SYN packets and they appear to be scanning our entire network, which is how we found the unusual traffic: we looked for PCs with destination addresses not valid in our subnet and they were scanning through them sequentially. The infected PCs all have dlll32.exe running in the background and when I stop it they restart. All of the PCs have the latest Norton 9.0 and up-to-date DATs; Adaware and Spybot don't find anything either.

Joe
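The way Joe found the infected hosts (SYNs to port 445 walking address by address, including addresses not valid on the subnet) can be turned into a simple detection; this is an added example, not code from anyone in the thread, and it assumes a simplified flow-log format, a local subnet of 10.1.2.0/24 and the thresholds shown.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of a simplified "time src dst dport tcp-flags" flow log
# (not from the thread): one host sweeping tcp/445 address by address past the
# end of the local /24, and one host doing ordinary file-server traffic.
SAMPLE_LOG = """\
12:00:01 10.1.2.15 10.1.2.1 445 S
12:00:01 10.1.2.15 10.1.2.2 445 S
12:00:01 10.1.2.15 10.1.2.3 445 S
12:00:02 10.1.2.15 10.1.2.4 445 S
12:00:02 10.1.2.15 10.1.2.5 445 S
12:00:02 10.1.2.15 10.1.3.6 445 S
12:00:03 10.1.2.15 10.1.3.7 445 S
12:00:03 10.1.2.40 10.1.2.200 445 S
12:00:04 10.1.2.40 10.1.2.200 445 A
12:00:05 10.1.2.40 10.1.2.200 80 S
"""
LOCAL_NET = ipaddress.ip_network("10.1.2.0/24")  # assumed local subnet

def parse(log_text):
    """Yield (src, dst, dport, flags) per line; malformed lines are skipped."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, src, dst, dport, flags = parts
        try:
            yield src, ipaddress.ip_address(dst), int(dport), flags
        except ValueError:
            continue

def find_scanners(log_text, local_net=LOCAL_NET, min_syns=5):
    """Return {src: report} for hosts sending at least min_syns SYNs to
    tcp/445 where most consecutive destinations are adjacent addresses."""
    syn_dsts = defaultdict(list)
    for src, dst, dport, flags in parse(log_text):
        if dport == 445 and flags == "S":
            syn_dsts[src].append(dst)
    reports = {}
    for src, dsts in syn_dsts.items():
        if len(dsts) < min_syns:
            continue
        # A worm walking the address space yields +1 steps between SYNs.
        steps = sum(1 for a, b in zip(dsts, dsts[1:]) if int(b) - int(a) == 1)
        off_subnet = sum(1 for d in dsts if d not in local_net)
        if steps >= (len(dsts) - 1) / 2:
            reports[src] = {"syns": len(dsts), "sequential_steps": steps,
                            "off_subnet": off_subnet}
    return reports
```

On the sample, 10.1.2.15 is reported (7 SYNs, 5 sequential steps, 2 off-subnet destinations) while the file-server client 10.1.2.40 is not.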