Saturday, October 18, 2008

From Virus Alert to Pwnage Part 1


The first week of your new job is normally for finding your desk, getting email set up, finding the best place to grab coffee and snacks. We'll not for me!

What started Tuesday morning as simple virus outbreak on one of the networks we monitor after some initial IR turned into full domain pwnage :-(

The initial virus alert looked something like this:

Alert: Virus Found
Computer:
Date:
Time: 1:34:59 AM
Severity: Critical
Source: Symantec AntiVirus Corporate Edition
File Path:C:\WINDOWS\system32\2.exe
User:
Virus Name:Downloader

A quick question for anyone reading is what kind of privileges are required to write to the system32 folder? The answer should be you first clue to the scope of the problem.

We jumped in on one of the boxes that came up with the virus alert to see what we could find.

A quick review of the task manager listed 6 or 7 iexplore.exe process running by a user that wasn't logged into the host. A quick net user "thatuser" /domain let us know that the user was a member of the domain admins group...oops. We did do a quick call to confirm that the real user hadn't logged into that box.

The iexplore.exe process was connected to an IP that resolved to Amsterdam pulling down a "banner8.gif and banner9.gif". Thus far we haven't located any copies of banner8.gif and banner9.gif on the network and the IP isn't serving them up right now (404). We've asked for FW logs to see if any hosts actually got a 200 for for the file(s).

I'll post what (most dean) came up with for analysis of 2.exe in a separate post.

Lastly, they had a Cisco CSA agent running (in test mode) on one of the hosts that was infected in test mode. The logs of the agent had an alert of psexec executing 2.exe with the domain admins user creds...oops. The good news (for the CSA deployment) was that it would have been blocked had CSA been in enforcement mode. Bad news was that it wasn't.

We also had the domain profile of the unfortunate user show up on all the infected boxes. I'm guessing its a result of the psexec command, but if anyone has any insight on that I'd appreciate a comment.

Any comments on the situation. At this point, what would you do?

More to follow...
CG

4 comments:

davehull said...

Ouch! Fun first week though. As for what to do next, assume you know what to do next and you may surprise yourself. You've got to contain it first, either through network isolation or isolating infected machines.

After containment, recover. Of course the only sure way is to wipe and reinstall.

Don't forget to monitor for reinfection, do your lessons learned, etc. Running as admin is like running with scissors.

Good luck man.

Anonymous said...

Hi would like to get a copy so I can please pull it apart and have alook inside will happly provide my results. Can be contacted at wrono32@gmail.com

Thanks,

wrono.

CG said...

@dp thanks for the comment

@wrono i sent you an email with a link to the file

-CG

Anonymous said...

Where else could you possibly get this kind of exposure to the technologies and problem solving experience needed to fix the situation?! ;)

Not fun but moving forward should allow a bunch of new fun stuff to get implemented.