The first week of your new job is normally for finding your desk, getting email set up, finding the best place to grab coffee and snacks. Well, not for me!
What started Tuesday morning as a simple virus outbreak on one of the networks we monitor turned, after some initial IR, into full domain pwnage :-(
The initial virus alert looked something like this:
Alert: Virus Found
Time: 1:34:59 AM
Source: Symantec AntiVirus Corporate Edition
A quick question for anyone reading is what kind of privileges are required to write to the system32 folder? The answer should be your first clue to the scope of the problem.
We jumped in on one of the boxes that came up with the virus alert to see what we could find.
A quick review of the task manager listed 6 or 7 iexplore.exe processes running as a user that wasn't logged into the host. A quick net user "thatuser" /domain let us know that the user was a member of the Domain Admins group...oops. We did do a quick call to confirm that the real user hadn't logged into that box.
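One way to automate the check just described, as an added example that is not from the original post: it lists processes owned by accounts that have no interactive session on the host, then runs the same net user /domain lookup on each owner to see whether the account is a Domain Admin. It assumes an elevated PowerShell session on the suspect box with quser available and the domain reachable.

```powershell
# Added example (not from the original post). Assumes an elevated PowerShell
# session on the suspect host; quser and 'net user /domain' must be available.

# Accounts that actually have an interactive/RDP session on this host.
$sessionUsers = (quser 2>$null | Select-Object -Skip 1) | ForEach-Object {
    # strip the '>' marking the current session, then take the first column
    ($_ -replace '^[>\s]+', '' -split '\s{2,}')[0].ToLower()
}

# Every process whose owner is a real user account with no session here.
$report = foreach ($p in Get-CimInstance Win32_Process) {
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    if (-not $owner.User) { continue }                     # SYSTEM / kernel processes
    if ($owner.Domain -in @('NT AUTHORITY', 'NT SERVICE')) { continue }
    if ($sessionUsers -contains $owner.User.ToLower()) { continue }  # really logged in
    [pscustomobject]@{
        ProcessId = $p.ProcessId
        Name      = $p.Name
        Owner     = "$($owner.Domain)\$($owner.User)"
        CmdLine   = $p.CommandLine
    }
}

$report | Sort-Object Owner, Name | Format-Table -AutoSize

# For each distinct domain owner, repeat the 'net user X /domain' check from the post
# and flag Domain Admins: their creds are in use on a box they never logged into.
$report | Select-Object -ExpandProperty Owner -Unique | ForEach-Object {
    $domain, $user = $_ -split '\\', 2
    if ($domain -ieq $env:COMPUTERNAME) { return }          # local account, skip
    $netUser = (net user $user /domain 2>$null) -join "`n"
    if ($netUser -match 'Domain Admins') {
        Write-Warning "$_ owns processes here with no session and is a Domain Admin"
    }
}
```

Any row with an iexplore.exe (or other user-land binary) owned by a domain account that has no session is worth the same follow-up call the post describes before you touch the host.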
The iexplore.exe processes were connected to an IP that resolved to Amsterdam, pulling down "banner8.gif" and "banner9.gif". Thus far we haven't located any copies of banner8.gif or banner9.gif on the network, and the IP isn't serving them up right now (404). We've asked for FW logs to see if any hosts actually got a 200 for the file(s).
I'll post what (most dean) came up with for analysis of 2.exe in a separate post.
Lastly, they had a Cisco CSA agent running (in test mode) on one of the hosts that was infected. The logs of the agent had an alert of psexec executing 2.exe with the domain admin user's creds...oops. The good news (for the CSA deployment) was that it would have been blocked had CSA been in enforcement mode. Bad news was that it wasn't.
We also had the domain profile of the unfortunate user show up on all the infected boxes. I'm guessing it's a result of the psexec command, but if anyone has any insight on that I'd appreciate a comment.
Any comments on the situation? At this point, what would you do?
More to follow...