Analysis of a Malware Compromise - my first malware

Discussion in 'Windows XP Security' started by Leythos, Nov 19, 2009.

  1. Leythos

    Leythos Guest

    Well, in my 30 years of using computers, this is my first time getting
    malware on a computer that I actually own/manage - while it's clear as
    to why it happened, I thought it would be interesting to see how easy it
    is when one follows almost-all of the basic network security
    ideas/methods we preach.

    ===

    Analysis of a Malware Compromise - Our first compromised computer in our
    network in 30 years.

    Overview of the compromised computer and network structure - On the
    positive side: Our computers are set up behind an industrial firewall
    appliance with restrictive filtering, they have anti-virus software that
    is centrally managed and they include antivirus and anti-malware
    features and are updated once every 4 hours. All computers are fully
    patched (Microsoft) nightly, no questionable applications are installed
    (file/music sharing or such), users use FireFox as their primary
    browser. The compromised computer is NOT a member of the domain, but it
    is on the same network as the domain. On the negative side: The
    compromised computer is in a segment with the least protective firewall
    rules and the user runs as a local administrator; this is by choice,
    as it's used to download and store patches, updates, new software, etc.

    What happened: While using FireFox (updated and patched), user entered a
    website address and spelled the address incorrectly. The browser was
    immediately redirected to another website and the user noticed a "DOS"
    shell open for about 2 seconds and close - this might have been missed,
    but the computer in question has dual screens and window placement
    didn't hide the DOS box. About 2 seconds later another DOS box opened
    and then closed. The user closed FireFox in less than 10 seconds from
    being redirected. In less than 10 additional seconds several additional
    DOS boxes opened and closed quickly. The user recognized that the
    computer had been compromised and immediately disconnected the network
    cable to try and prevent the malware from spreading - total time from
    compromise until disconnected from the network was less than 30 seconds.

    Symptoms: In addition to the "DOS" boxes popping up, during this event
    the Anti-Virus software, which was functioning and updated, did not
    detect any sign of the compromise; it didn't alert us to any problem.
    Within a minute it was obvious that the computer was compromised: we
    had new task-bar items that "nagged" about malware being on the
    computer and wanting to clean it - for a price?

    Diagnosing and Cleaning the Compromise: From a quick look at the
    registry, the HKLM section, there was a new entry in the RUN tree,
    CALC.EXE~xxxxxx (where xxxx was a munge of letters). Running the
    Anti-Virus scanner manually in quick scan didn't detect any memory
    resident malware, but it did detect the CALC.exe issue; however, it
    could not fully remove it.

    Since we keep updated copies of "Malware Bytes Anti-Malware" as well as
    "Multi-AV" on this computer, we loaded MBAM and ran a Quick scan - it
    detected 7 items, removed them, and we rebooted. Upon restart we could
    still see signs of malware, so we ran a FULL scan using MBAM and also
    ran a FULL scan using our Corporate Anti-Virus software - MBAM detected
    another 7 or 8 malware, but we stopped MBAM about 20 minutes into the
    scan (it normally takes about 40 minutes to run a full scan on this
    computer), the AV program detected nothing. We removed the malware again
    and rebooted. This time we didn't see any visible signs of the malware
    on/from the windows desktop, but we did see registry entries that
    reinstalled themselves after we deleted them - this time we ran a full
    MBAM scan and let it complete, we rebooted and the malware, even at the
    registry, appeared to be gone. Our last change was to uninstall the
    Corporate Anti-Virus product, connect back to the network, and download
    and install Avira Antivirus, update it and start a full scan - it
    detected several non-active items, leftovers, and removed them. We also
    ran scans with Multi-Av and found no items of concern.

    What we've learned from this: We've learned that our anti-virus solution
    is nowhere near as capable of protecting our systems/networks as we had
    thought. We've learned that if we don't block access to COM, BAT, ZIP,
    EXE, DLL, files at the firewall, for all computers, that we're at
    serious risk from simple mistakes. We've learned that keeping a computer
    fully patched, using a Non-MS Browser doesn't provide any significant
    protection. In hind-sight, if we had just let MBAM run a full scan we
    would have been malware free a lot sooner, but it was also an
    experiment, so it's not an issue.

    Additional Notes: We have been using Symantec Corporate Edition
    anti-virus products for more than a decade and have never had a
    compromised computer on any network we manage - not just because of
    Symantec; it's part of an overall methodology we implement that is
    comprised of different layers of security. The new Avira Antivir
    product has proven to be superior to our Symantec End Point Protection
    product (latest version and fully patched) - we did a simple test with
    Avira FREE edition installed, we purposely visited questionable websites
    trying to compromise the computer again - it didn't take long, by the
    10th site the Avira product had alerted us to a malicious attempt and
    asked us if we wanted to Accept, Deny, Quarantine the unknown file that
    one of the sites was trying to download to the computer - we selected
    "Deny" and appear to have been completely protected from the malware.

    What can you do to protect your home/office computers? There are two
    cases: one is where your home/office has a real firewall appliance, one
    that actually inspects the files you are sending/receiving in email,
    while browsing the web, in FTP, and other methods; the other is where
    you have a NAT Router that claims to be a Firewall, but it has no
    ability to inspect the actual traffic and has no ability to limit what
    type of files/content you can access on the Internet.

    In the case of having a REAL FIREWALL - block all COM, BAT, ZIP, EXE,
    DLL, files from untrusted sites. Implement a web-content filter to block
    access to specific categories of websites (you can select to block
    Gambling, Pornographic, unclassified, as well as others) that you would
    not need to visit.

    In the case of a NAT Router - use one of the FREE open DNS sources that
    permit you to block access to websites based on categories. Since you
    won't be able to block actual content within websites, this free type of
    blocking is one of your best options, but it's far from perfect - these
    types of resources are created and maintained by volunteers.

    In both cases, make sure that your computer is fully patched and that
    you're using the best anti-virus solution that you can afford. When you
    consider that it can take several hours to clean a computer of malware,
    if you had to pay for that time, quality anti-virus software is actually
    a cheap investment.


    --
    You can't trust your best friends, your five senses, only the little
    voice inside you that most civilians don't even hear -- Listen to that.
    Trust yourself.
    (remove 999 for proper email address)
     
    Leythos, Nov 19, 2009
    #1
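    As an added example (not part of Leythos's post and not code from any tool he names), the script below audits the HKLM and HKCU Run/RunOnce keys where the CALC.EXE~xxxxxx entry was found and reports the entries a responder would look at first: value names of that "system binary plus random suffix" shape, targets that no longer exist, bare file names that are resolved through PATH at logon, and targets outside Program Files/Windows or inside user-writable profile folders. It also keeps a baseline so that an entry which is back after deletion and reboot (the re-creating behaviour described in the post) shows up as persisted. The trusted-root list, the value-name pattern and the profile-folder pattern are assumptions to tune for your own build; the script uses PowerShell 2.0 syntax, which is an optional install on Windows XP SP3.

```powershell
# Added example, not from the thread. Audits the autorun Run/RunOnce keys
# (HKLM and HKCU) and reports entries a responder should examine first.
# PowerShell 2.0 syntax so it runs on the XP-era hosts the thread discusses.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumption: legitimate autoruns on this build launch from these roots.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ }

# Registry-provider properties that are not real Run values.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Extract the executable from a Run value such as
#   "C:\Program Files\Foo\foo.exe" /tray   or   C:\DOCUME~1\user\LOCALS~1\Temp\x.exe -s
function Get-ExecutablePath([string]$command) {
    $cmd = $command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.+?\.(exe|com|bat|cmd|scr|pif|dll))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

# Returns the reasons an entry looks suspicious (empty = nothing found).
function Test-SuspiciousAutorun([string]$name, [string]$command) {
    $reasons = @()
    $exe = Get-ExecutablePath $command

    # Assumption: value names of the "CALC.EXE~xxxxxx" shape (a system binary
    # name with a random suffix) are what the post saw and are rarely legitimate.
    if ($name -match '^[A-Za-z0-9_-]+\.(exe|com|dll)~') {
        $reasons += 'value name mimics a system binary with a random suffix'
    }
    if ($exe -notmatch '\\') {
        $reasons += "bare file name '$exe' is resolved through PATH at logon"
    }
    elseif (-not (Test-Path -LiteralPath $exe)) {
        $reasons += "target does not exist: $exe"
    }
    else {
        $full = (Resolve-Path -LiteralPath $exe).Path
        $trusted = $false
        foreach ($root in $trustedRoots) {
            if ($full.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
        }
        if (-not $trusted) { $reasons += "target outside trusted roots: $full" }
        # Drive-by droppers usually land somewhere the browser's user can write.
        if ($full -match '\\(Temp|Temporary Internet Files|Application Data|Local Settings|Desktop)\\') {
            $reasons += 'target lives in a user-writable profile folder'
        }
    }
    return $reasons
}

function Get-AutorunReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($p in $values.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            $reasons = @(Test-SuspiciousAutorun $p.Name ([string]$p.Value))
            New-Object PSObject -Property @{
                Key        = $key
                Name       = $p.Name
                Command    = $p.Value
                Suspicious = ($reasons.Count -gt 0)
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

# Run once before cleaning (writes the baseline), again after the reboot.
# A suspicious entry present both times is tagged 'persisted'; anything not
# in the baseline is tagged 'new'.
function Compare-AutorunBaseline([string]$baselinePath) {
    $now = @(Get-AutorunReport)
    if (-not (Test-Path -LiteralPath $baselinePath)) {
        $now | Export-Clixml -Path $baselinePath
        return $now | Where-Object { $_.Suspicious }
    }
    $before = @(Import-Clixml -Path $baselinePath)
    foreach ($entry in $now) {
        $seen = $before | Where-Object { $_.Key -eq $entry.Key -and $_.Name -eq $entry.Name }
        if ($entry.Suspicious -and $seen) {
            $entry | Add-Member -MemberType NoteProperty -Name Status -Value 'persisted' -PassThru
        }
        elseif (-not $seen) {
            $entry | Add-Member -MemberType NoteProperty -Name Status -Value 'new' -PassThru
        }
    }
}

Get-AutorunReport | Sort-Object Suspicious -Descending |
    Format-Table Suspicious, Name, Command, Reasons -AutoSize -Wrap
```

    The report only covers the Run/RunOnce keys the post mentions; services, scheduled tasks and Winlogon hooks are other places the same kind of dropper can persist, so treat a clean report here as one check among several rather than proof the machine is clean.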

  2. Leythos wrote:
    > Well, in my 30 years of using computers, this is my first time getting
    > malware on a computer that I actually own/manage - while it's clear as
    > to why it happened, I thought it would be interesting to see how easy it
    > is when one follows almost-all of the basic network security
    > ideas/methods we preach.
    >
    > ===
    >
    > Analysis of a Malware Compromise - Our first compromised computer in our
    > network in 30 years.
    >
    > Overview of the compromised computer and network structure - On the
    > positive side: Our computers are setup behind an industrial firewall
    > appliance with restrictive filtering, they have anti-virus software that
    > is centrally managed and they include antivirus and anti-malware
    > features and are updated once every 4 hours. All computers are fully
    > patched (Microsoft) nightly, no questionable applications are installed
    > (file/music sharing or such), users use FireFox as their primary
    > browser. The compromised computer is NOT a member of the domain, but it
    > is on the same network as the domain. On the negative side: The
    > compromised computer is in a segment with the least protective firewall
    > rules and the users runs as a local administrator, this is by choice,
    > it's used to download and store patches, updates, new software, etc.
    >


    Snipped.....


    An educational post, Leythos. Thanks for taking the time to document
    and describe the incident. Some of the readers here should be able to
    learn something from it. (I've snipped it only in the interests of
    brevity, not because there's any content I wouldn't hesitate to pass on
    to others.)

    My only question concerns the fact that the computer's user had local
    administrative privileges. Judging from your stated use of the machine,
    it doesn't seem to me that they had any real technical need for elevated
    privileges. Do you think that the extent of the compromise, if not
    prevented entirely, would have been mitigated had the users not been
    administrators?


    --

    Bruce Chambers

    Help us help you:
    http://www.catb.org/~esr/faqs/smart-questions.html

    http://support.microsoft.com/default.aspx/kb/555375

    They that can give up essential liberty to obtain a little temporary
    safety deserve neither liberty nor safety. ~Benjamin Franklin

    Many people would rather die than think; in fact, most do. ~Bertrand Russell

    The philosopher has never killed any priests, whereas the priest has
    killed a great many philosophers.
    ~ Denis Diderot
     
    Bruce Chambers, Nov 20, 2009
    #2

  3. Leythos

    Leythos Guest

    In article <OfK#>,
    3t says...
    > An educational post, Leythos. Thanks for taking the time to document
    > and describe the incident. Some of the readers here should be able to
    > learn something from it. (I've snipped it only in the interests of
    > brevity, not because there's any content I wouldn't hesitate to pass on
    > to others.)


    Thanks - I tried to word it so that everyone would understand and see
    what went wrong.

    > My only question concerns the fact that the computer's user had local
    > administrative privileges. Judging from your stated use of the machine,
    > it doesn't seem to me that they had any real technical need for elevated
    > privileges. Do you think that the extent of the compromise, if not
    > prevented entirely, would have been mitigated had the users not been
    > administrators?


    We do a lot of things on that system that would not work if we were
    local user level accounts, that's why it's outside of the domain
    structure.

    I'm reasonably sure that if the accounts had been Local Users instead of
    Local Administrators, that this would not have happened.



    --
    You can't trust your best friends, your five senses, only the little
    voice inside you that most civilians don't even hear -- Listen to that.
    Trust yourself.
    (remove 999 for proper email address)
     
    Leythos, Nov 20, 2009
    #3
  4. Anteaus

    Anteaus Guest

    Stripmyrights/dropmyrights are good alternatives to limited user working, for
    browsing.

    http://www.sysint.no/nedlasting/StripMyRights.htm

    In fact they can be more secure as with suitable permissions it's possible
    to prevent the browser from writing to userprofile folders.

    "Leythos" wrote:

    > In article <OfK#>,
    > 3t says...
    > > An educational post, Leythos. Thanks for taking the time to document
    > > and describe the incident. Some of the readers here should be able to
    > > learn something from it. (I've snipped it only in the interests of
    > > brevity, not because there's any content I wouldn't hesitate to pass on
    > > to others.)

    >
    > Thanks - I tried to word it so that everyone would understand and see
    > what went wrong.
    >
    > > My only question concerns the fact that the computer's user had local
    > > administrative privileges. Judging from your stated use of the machine,
    > > it doesn't seem to me that they had any real technical need for elevated
    > > privileges. Do you think that the extent of the compromise, if not
    > > prevented entirely, would have been mitigated had the users not been
    > > administrators?

    >
    > We do a lot of things on that system that would not work if we were
    > local user level accounts, that's why it's outside of the domain
    > structure.
    >
    > I'm reasonably sure that if the accounts had been Local Users instead of
    > Local Administrators, that this would not have happened.
    >
    >
    >
    > --
    > You can't trust your best friends, your five senses, only the little
    > voice inside you that most civilians don't even hear -- Listen to that.
    > Trust yourself.
    > (remove 999 for proper email address)
    > .
    >
     
    Anteaus, Nov 22, 2009
    #4
