Analysis of a Malware Compromise - my first malware

  • Thread starter: Leythos

Leythos

Well, in my 30 years of using computers, this is my first time getting
malware on a computer that I actually own/manage - while it's clear as
to why it happened, I thought it would be interesting to see how easy it
is when one follows almost all of the basic network security
ideas/methods we preach.

===

Analysis of a Malware Compromise - Our first compromised computer in our
network in 30 years.

Overview of the compromised computer and network structure - On the
positive side: Our computers are set up behind an industrial firewall
appliance with restrictive filtering, they have anti-virus software that
is centrally managed and they include antivirus and anti-malware
features and are updated once every 4 hours. All computers are fully
patched (Microsoft) nightly, no questionable applications are installed
(file/music sharing or such), users use FireFox as their primary
browser. The compromised computer is NOT a member of the domain, but it
is on the same network as the domain. On the negative side: The
compromised computer is in a segment with the least protective firewall
rules and the user runs as a local administrator. This is by choice:
it's used to download and store patches, updates, new software, etc.

What happened: While using FireFox (updated and patched), user entered a
website address and spelled the address incorrectly. The browser was
immediately redirected to another website and the user noticed a "DOS"
shell open for about 2 seconds and close - this might have been missed,
but the computer in question has dual screens and window placement
didn't hide the DOS box. About 2 seconds later another DOS box opened
and then closed. The user closed FireFox in less than 10 seconds from
being redirected. In less than 10 additional seconds several additional
DOS boxes opened and closed quickly. The user recognized that the
computer had been compromised and immediately disconnected the network
cable to try and prevent the malware from spreading - total time from
compromise until disconnected from the network was less than 30 seconds.

Symptoms: In addition to the "DOS" boxes popping up, during this event
the Anti-Virus software, which was functioning and updated, did not
detect any sign of the compromise; it didn't alert us to any problem.
Within one minute it was obvious that the computer was compromised: we
had new task-bar items that "nagged" about malware being on the
computer and wanting to clean it - for a price?

Diagnosing and Cleaning the Compromise: From a quick look at the
registry, the HKLM section, there was a new entry in the RUN tree,
CALC.EXE~xxxxxx (where xxxx was a munge of letters). A manual quick
scan with the Anti-Virus scanner didn't detect any memory-resident
malware; it did detect the CALC.exe issue, but it could not fully
remove it.

Since we keep updated copies of "Malware Bytes Anti-Malware" as well as
"Multi-AV" on this computer, we loaded MBAM and ran a Quick scan - it
detected 7 items, removed them, and we rebooted. Upon restart we could
still see signs of malware, so we ran a FULL scan using MBAM and also
ran a FULL scan using our Corporate Anti-Virus software - MBAM detected
another 7 or 8 malware, but we stopped MBAM about 20 minutes into the
scan (it normally takes about 40 minutes to run a full scan on this
computer), the AV program detected nothing. We removed the malware again
and rebooted. This time we didn't see any visible signs of the malware
on/from the Windows desktop, but we did see registry entries that
reinstalled themselves after we deleted them - this time we ran a full
MBAM scan and let it complete, we rebooted and the malware, even in the
registry, appeared to be gone. Our last change was to uninstall the
Corporate Anti-Virus product, connect back to the network, and download
and install Avira Antivirus, update it and start a full scan - it
detected several non-active items, leftovers, and removed them. We also
ran scans with Multi-AV and found no items of concern.

What we've learned from this: We've learned that our anti-virus solution
is nowhere near as capable of protecting our systems/networks as we had
thought. We've learned that if we don't block access to COM, BAT, ZIP,
EXE and DLL files at the firewall, for all computers, we're at serious
risk from simple mistakes. We've learned that keeping a computer fully
patched and using a non-MS browser doesn't provide any significant
protection. In hindsight, if we had just let MBAM run a full scan we
would have been malware free a lot sooner, but it was also an
experiment, so it's not an issue.

Additional Notes: We have been using Symantec Corporate Edition
anti-virus products for more than a decade and have never had a
compromised computer on any network we manage - not just because of
Symantec, it's part of an overall methodology we implement that is
comprised of different layers of security. The new Avira Antivir product
has proven to be superior to our Symantec End Point Protection product
(latest version and fully patched) - we did a simple test with Avira
FREE edition installed, we purposely visited questionable websites
trying to compromise the computer again - it didn't take long, by the
10th site the Avira product had alerted us to a malicious attempt and
asked us if we wanted to Accept, Deny, Quarantine the unknown file that
one of the sites was trying to download to the computer - we selected
"Deny" and appear to have been completely protected from the malware.

What can you do to protect your home/office computers? There are two
cases. One is where your home/office has a real firewall appliance, one
that actually inspects the files you are sending/receiving in email,
while browsing the web, in FTP, and other methods; the other is where
you have a NAT Router that claims to be a Firewall, but it has no
ability to inspect the actual traffic and no ability to limit what type
of files/content you can access on the Internet.

In the case of having a REAL FIREWALL - block all COM, BAT, ZIP, EXE
and DLL files from untrusted sites. Implement a web-content filter to block
access to specific categories of websites (you can select to block
Gambling, Pornographic, unclassified, as well as others) that you would
not need to visit.

In the case of a NAT Router - use one of the FREE open DNS sources that
permit you to block access to websites based on categories. Since you
won't be able to block actual content within websites, this free type of
blocking is one of your best options, but it's far from perfect - these
types of resources are created and maintained by volunteers.

In both cases, make sure that your computer is fully patched and that
you're using the best anti-virus solution that you can afford. When you
consider that it can take several hours to clean a computer of malware,
if you had to pay for that time, quality anti-virus software is actually
a cheap investment.
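Added example, not from the original post or from any product it names: a PowerShell check that enumerates the Run autostart keys the poster inspected by hand and flags entries that look like the CALC.EXE~xxxxxx one (munged name, missing target, or target outside the usual install folders). It assumes PowerShell 3 or later on Windows; the trusted-root list and the flagging rules are my assumptions.

```powershell
# Added example (not from the original post): enumerate the Run autostart
# keys and flag entries worth a second look. Assumes PowerShell 3+ on
# Windows; trusted roots and flagging rules are assumptions, not a signature.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Folders where a legitimately installed autostart normally lives.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Get-SuspiciousRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a value
            $cmdline = [string]$prop.Value
            # Pull the executable out of the command line (quoted or not).
            if ($cmdline -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($cmdline -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            # A bare name such as rundll32.exe is resolved through PATH.
            if ($exe -and $exe -notmatch '[\\/]') {
                $app = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue |
                    Select-Object -First 1
                if ($app) { $exe = $app.Path }
            }
            $reasons = @()
            if ($prop.Name -match '~') { $reasons += 'munged name (cf. CALC.EXE~xxxxxx)' }
            if ([string]::IsNullOrWhiteSpace($exe)) { $reasons += 'empty command' }
            elseif (-not (Test-Path -LiteralPath $exe)) { $reasons += 'target does not exist' }
            elseif (-not ($trustedRoots | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') })) {
                $reasons += 'target outside Program Files / Windows'
            }
            if ($reasons) {
                [pscustomobject]@{
                    Key = $key; Name = $prop.Name; Command = $cmdline
                    Reason = ($reasons -join '; ')
                }
            }
        }
    }
}

# Review the output before deleting anything: the post notes entries came
# back after deletion, so a completed MBAM full scan is still the fix.
Get-SuspiciousRunEntries | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so the HKLM keys are readable; an empty table means nothing matched the rules above, not that the machine is clean.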
 
Leythos said:
Snipped.....


An educational post, Leythos. Thanks for taking the time to document
and describe the incident. Some of the readers here should be able to
learn something from it. (I've snipped it only in the interests of
brevity, not because there's any content I wouldn't hesitate to pass on
to others.)

My only question concerns the fact that the computer's user had local
administrative privileges. Judging from your stated use of the machine,
it doesn't seem to me that they had any real technical need for elevated
privileges. Do you think that the extent of the compromise, if not
prevented entirely, would have been mitigated had the users not been
administrators?


--

Bruce Chambers

Help us help you:
http://support.microsoft.com/default.aspx/kb/555375

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. ~Benjamin Franklin

Many people would rather die than think; in fact, most do. ~Bertrand Russell

The philosopher has never killed any priests, whereas the priest has
killed a great many philosophers.
~ Denis Diderot
 
Bruce Chambers said:
An educational post, Leythos. Thanks for taking the time to document
and describe the incident. Some of the readers here should be able to
learn something from it. (I've snipped it only in the interests of
brevity, not because there's any content I wouldn't hesitate to pass on
to others.)

Thanks - I tried to word it so that everyone would understand and see
what went wrong.
Bruce Chambers said:
My only question concerns the fact that the computer's user had local
administrative privileges. Judging from your stated use of the machine,
it doesn't seem to me that they had any real technical need for elevated
privileges. Do you think that the extent of the compromise, if not
prevented entirely, would have been mitigated had the users not been
administrators?

We do a lot of things on that system that would not work if we were
local user level accounts, that's why it's outside of the domain
structure.

I'm reasonably sure that if the accounts had been Local Users instead of
Local Administrators, that this would not have happened.
 