PC Review


Reply
Thread Tools Rate Thread

Analysis of a Malware Compromise - my first malware

 
 
Leythos
Guest
Posts: n/a
 
      19th Nov 2009
Well, in my 30 years of using computers, this is my first time getting
malware on a computer that I actually own/manage - while it's clear as
to why it happened, I thought it would be interesting to see how easy it
is when one follows almost-all of the basic network security
ideas/methods we preach.

===

Analysis of a Malware Compromise - Our first compromised computer in our
network in 30 years.

Overview of the compromised computer and network structure - On the
positive side: Our computers are setup behind an industrial firewall
appliance with restrictive filtering, they have anti-virus software that
is centrally managed and they include antivirus and anti-malware
features and are updated once every 4 hours. All computers are fully
patched (Microsoft) nightly, no questionable applications are installed
(file/music sharing or such), users use FireFox as their primary
browser. The compromised computer is NOT a member of the domain, but it
is on the same network as the domain. On the negative side: The
compromised computer is in a segment with the least protective firewall
rules and the users runs as a local administrator, this is by choice,
it's used to download and store patches, updates, new software, etc.

What happened: While using FireFox (updated and patched), user entered a
website address and spelled the address incorrectly. The browser was
immediately redirected to another website and the user noticed a "DOS"
shell open for about 2 seconds and close - this might have been missed,
but the computer in question has dual screens and window placement
didn't hide the DOS box. About 2 seconds later another DOS box opened
and then closed. The user closed FireFox in less than 10 seconds from
being redirected. In less than 10 additional seconds several additional
DOS boxes opened and closed quickly. The user recognized that the
computer had been compromised and immediately disconnected the network
cable to try and prevent the malware from spreading - total time from
compromise until disconnected from the network was less than 30 seconds.

Symptoms: In addition to the "DOS" boxes popping up, during this event
the Anti-Virus software, which was functioning and updated, did not
detect any sign of the compromise, it didn't alert us to any problem.
Within a one minute it was obvious that the computer was compromised, we
had a new task-bar items that "nagged" about malware being on the
computer and wanting to clean it - for a price?

Diagnosing and Cleaning the Compromise: From a quick look at the
registry, the HLKM section, there was a new entry in the RUN tree,
CALC.EXE~xxxxxx (where xxxx was a munge of letters). Running the Anti-
Virus scanner manually in quick scan didn't detect any memory resident
malware, but it did detect the CALC.exe issue, but it could not fully
remove it.

Since we keep updated copies of "Malware Bytes Anti-Malware" as well as
"Multi-AV" on this computer, we loaded MBAM and ran a Quick scan - it
detected 7 items, removed them, and we rebooted. Upon restart we could
still see signs of malware, so we ran a FULL scan using MBAM and also
ran a FULL scan using our Corporate Anti-Virus software - MBAM detected
another 7 or 8 malware, but we stopped MBAM about 20 minutes into the
scan (it normally takes about 40 minutes to run a full scan on this
computer), the AV program detected nothing. We removed the malware again
and rebooted. This time we didn't see any visible signs of the malware
on/from the windows desktop, but we did see registry entries that
reinstalled themselves after we deleted them - this time we ran a full
MBAM scan and let it complete, we rebooted and the malware, even at the
registry appeared to be gone. Our last change was to uninstall the
Corporate Anti-Virus product, connect back to the network, and download
and install Avira Antivirus, updates it and started a full scan - it
detected several non-active items, leftover's, and removed them. We also
ran scans with Multi-Av and found no items of concern.

What we've learned from this: We've learned that our anti-virus solution
is nowhere near as capable of protecting our systems/networks as we had
thought. We've learned that if we don't block access to COM, BAT, ZIP,
EXE, DLL, files at the firewall, for all computers, that we're at
serious risk from simple mistakes. We've learned that keeping a computer
fully patched, using a Non-MS Browser doesn't provide any significant
protection. In hind-sight, if we had just let MBAM run a full scan we
would have been malware free a lot sooner, but it was also an
experiment, so it's not an issue.

Additional Notes: We have been using Symantec Corporate Edition anti-
virus products for more than a decade and have never had a compromised
computer on any network we manage - not just because of Symantec, its
part of an overall methodology we implement that is comprised of
different layers of security. The new Avira Antivir product has proven
to be superior to our Symantec End Point Protection product (latest
version and fully patched) - we did a simple test with Avira FREE
edition installed, we purposely visited questionable websites trying to
compromised the computer again - it didn't take long, by the 10th site
the Avira product had alerted us to a malicious attempt and asked us if
we wanted to Accept, Deny, Quarantine the unknown file that one of the
sites was trying to download to the computer - we selected "Deny" and
appear to have been completely protected from the malware.

What can you do to protect your home/office computers? There are two
issues where, one is where your home/office has a real firewall
appliance, one that actually inspects the files you are
sending/receiving in email, while browsing the web, in FTP, and other
methods, the other issue is where you have a NAT Router that claims to
be a Firewall, but it has no ability to inspect the actual traffic and
has no ability to limit what type of files/content you can access on the
Internet.

In the case of having a REAL FIREWALL - block all COM, BAT, ZIP, EXE,
DLL, files from untrusted sites. Implement a web-content filter to block
access to specific categories of websites (you can select to block
Gambling, Pornographic, unclassified, as well as others) that you would
not need to visit.

In the case of a NAT Router - use one of the FREE open DNS sources that
permit you to block access to websites based on categories. Since you
won't be able to block actual content within websites, this free type of
blocking is one of your best options, but it's far from perfect - these
types of resources are created and maintained by volunteers.

In both cases, make sure that your computer is fully patched and that
you're using the best anti-virus solution that you can afford. When you
consider that it can take several hours to clean a computer of malware,
if you had to pay for that time, quality anti-virus software is actually
a cheap investment.


--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself.
(E-Mail Removed) (remove 999 for proper email address)
 
Reply With Quote
 
 
 
 
Bruce Chambers
Guest
Posts: n/a
 
      20th Nov 2009

Leythos wrote:
> Well, in my 30 years of using computers, this is my first time getting
> malware on a computer that I actually own/manage - while it's clear as
> to why it happened, I thought it would be interesting to see how easy it
> is when one follows almost-all of the basic network security
> ideas/methods we preach.
>
> ===
>
> Analysis of a Malware Compromise - Our first compromised computer in our
> network in 30 years.
>
> Overview of the compromised computer and network structure - On the
> positive side: Our computers are setup behind an industrial firewall
> appliance with restrictive filtering, they have anti-virus software that
> is centrally managed and they include antivirus and anti-malware
> features and are updated once every 4 hours. All computers are fully
> patched (Microsoft) nightly, no questionable applications are installed
> (file/music sharing or such), users use FireFox as their primary
> browser. The compromised computer is NOT a member of the domain, but it
> is on the same network as the domain. On the negative side: The
> compromised computer is in a segment with the least protective firewall
> rules and the users runs as a local administrator, this is by choice,
> it's used to download and store patches, updates, new software, etc.
>


Snipped.....


An educational post, Leythos. Thanks for taking the time to document
and describe the incident. Some of the readers here should be able to
learn something from it. (I've snipped it only in the interests of
brevity, not because there's any content I wouldn't hesitate to pass on
to others.)

My only question concerns the fact the the computer's user had local
administrative privileges. Judging from your stated use of the machine,
it doesn't seem to me that they had any real technical need for elevated
privileges. Do you think that the extent of the compromise, if not
prevented entirely, would have been mitigated had the users not been
administrators?


--

Bruce Chambers

Help us help you:
http://www.catb.org/~esr/faqs/smart-questions.html

http://support.microsoft.com/default.aspx/kb/555375

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. ~Benjamin Franklin

Many people would rather die than think; in fact, most do. ~Bertrand Russell

The philosopher has never killed any priests, whereas the priest has
killed a great many philosophers.
~ Denis Diderot
 
Reply With Quote
 
 
 
 
Leythos
Guest
Posts: n/a
 
      20th Nov 2009
In article <OfK#(E-Mail Removed)>,
(E-Mail Removed)3t says...
> An educational post, Leythos. Thanks for taking the time to document
> and describe the incident. Some of the readers here should be able to
> learn something from it. (I've snipped it only in the interests of
> brevity, not because there's any content I wouldn't hesitate to pass on
> to others.)


Thanks - I tried to word it so that everyone would understand and see
what went wrong.

> My only question concerns the fact the the computer's user had local
> administrative privileges. Judging from your stated use of the machine,
> it doesn't seem to me that they had any real technical need for elevated
> privileges. Do you think that the extent of the compromise, if not
> prevented entirely, would have been mitigated had the users not been
> administrators?


We do a lot of things on that system that would not work if we were
local user level accounts, that's why it's outside of the domain
structure.

I'm reasonably sure that if the accounts had been Local Users instead of
Local Administrators, that this would not have happened.



--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself.
(E-Mail Removed) (remove 999 for proper email address)
 
Reply With Quote
 
Anteaus
Guest
Posts: n/a
 
      22nd Nov 2009
Stripmyrights/dropmyrights are good alternatives to limited user working, for
browsing.

http://www.sysint.no/nedlasting/StripMyRights.htm

In fact they can be more secure as with suitable permissions it's possible
to prevent the browser from writing to userprofile folders.

"Leythos" wrote:

> In article <OfK#(E-Mail Removed)>,
> (E-Mail Removed)3t says...
> > An educational post, Leythos. Thanks for taking the time to document
> > and describe the incident. Some of the readers here should be able to
> > learn something from it. (I've snipped it only in the interests of
> > brevity, not because there's any content I wouldn't hesitate to pass on
> > to others.)

>
> Thanks - I tried to word it so that everyone would understand and see
> what went wrong.
>
> > My only question concerns the fact the the computer's user had local
> > administrative privileges. Judging from your stated use of the machine,
> > it doesn't seem to me that they had any real technical need for elevated
> > privileges. Do you think that the extent of the compromise, if not
> > prevented entirely, would have been mitigated had the users not been
> > administrators?

>
> We do a lot of things on that system that would not work if we were
> local user level accounts, that's why it's outside of the domain
> structure.
>
> I'm reasonably sure that if the accounts had been Local Users instead of
> Local Administrators, that this would not have happened.
>
>
>
> --
> You can't trust your best friends, your five senses, only the little
> voice inside you that most civilians don't even hear -- Listen to that.
> Trust yourself.
> (E-Mail Removed) (remove 999 for proper email address)
> .
>

 
Reply With Quote
 
 
 
Reply

Thread Tools
Rate This Thread
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
OT: Compromise transposition keyboard skearney@accessbee.com Windows XP Performance 0 13th Apr 2005 03:06 AM
possible attempt to compromise security PeterM Windows XP Networking 0 9th Jul 2004 10:30 PM
Windows XP Security Patch: Unchecked Buffer in UPnP Can Lead to System Compromise...... Flossie Windows XP Help 1 6th Mar 2004 09:33 PM
Security compromise Chris Windows XP Security 1 11th Sep 2003 10:30 AM
VPN/Possible Security Compromise Mike Holley Windows XP General 2 30th Jul 2003 03:45 PM


Features
 

Advertising
 

Newsgroups
 


All times are GMT +1. The time now is 05:17 PM.