Endpoint Protection

  • 1.  Backdoor.Trojan/Trojan.Clampi and Trojan.Dropper thread at Norton's forum

    Posted Mar 09, 2009 04:04 PM

    Looking for a thread here that pertains to this thread at the Norton Forum:

    http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=36525&view=by_date_ascending&page=1

    Also wondering if there is a solution to get rid of the virus that is discussed in the thread link above. Our Enterprise support is saying we are clean but we are anything but. The only discussion I have found on the web is in the link above, and the only person on earth that seems to know anything about it is a user SecurityPro in said link above.

    If someone can direct me to the Enterprise forum post on this, that would be great because every search I have done for it comes with zero results.

    "If you have nothing nice to say, don't say anything at all."

    The new format for these forums is....




  • 2.  RE: Backdoor.Trojan/Trojan.Clampi and Trojan.Dropper thread at Norton's forum

    Posted Mar 09, 2009 06:02 PM

    How many machines do you have on your network?

    It seems this is a nasty bug, with a capability of reproducing itself relatively quickly and infecting networks hard and fast.  I followed the thread you mentioned above and, other than what SecPro stated, there does not seem to be much info on this bug.

    Andyb7274 claims to have a .bat that will kill the thing, have you tried that?

    * * * * * * *

    For a large-scale infection like this, you are limited in what you can do to "cure it".  Honestly, if no specific anti-virus can get to it, you will have to go about it the old-fashioned way, starting with your domain controllers/servers.  Everything that has an OS/service running must be shut down.  I mean every machine: mission critical, mail, file server, everything shut down.  You have remote sites?  Break the connections, shut down the VPNs or routers to the remote sites...

    * * * * * * * *

    Once this is done, identify and clean the threat.  Find the registry values and EXEs/DLLs that are running amok on the system and remove them.  Once your machine is clean...  Shut it down.  You don't want it getting re-infected; move on to the next machine.  Rinse and repeat...  One machine on at a time.  One will re-infect the others, from the behaviour described in the other posts.  Once this is done and you are certain the infection has been removed from your network, think about the remote sites.  You can try to synchronize doing them all at the same time, if applicable; if not, do not restore the link until you are certain the other side(s) are clean as well.

    Once everything is cleaned and working, start up your AV servers.  Update them to the latest and scan them again.  Next most likely culprit: mail servers.  Any chance of compromise?  Scan and make sure they are still clean, and work your way from there.  Once you are sure the machine is clean, remove/detach the network cable from the machine and ensure no interaction with any other machine, except the AV servers to push updates.  Once you are certain everything is clean, re-attach network cables and "cross fingers".  The next problem is figuring out where the initial infection came from...  this you may never know.

    If you don't already, now is a good time to implement a "no personal equipment on the network policy".  With the time and effort you (and the staff if applicable) put in, it should not be hard to get approved.

    I hope someone, somewhere has a better solution, but until now, I don't see anything either. 



  • 3.  RE: Backdoor.Trojan/Trojan.Clampi and Trojan.Dropper thread at Norton's forum

    Posted Mar 10, 2009 08:07 AM

    I have done search after search in this new forum and I cannot find a thread that pertains to the virus mentioned in the link I posted.

    So far, Enterprise support's solution to this virus, copied from the email we got from them:

    As far as the threat goes, everything we are seeing shows that Symantec is protecting this machine. The detections are showing as Auto-Protect detections and removing the code in the files. The files are being created as 0 KB files, though we are still blocking the malicious part of it.

    At this time I would suggest running a full scan on the machine, though we believe the machine to be clean.

    Of course, this has been tried dozens of times, only to see the virus come right back. It is NOT blocking the malicious part of it either, but WE have. We have tried it in safe mode as well and it solved nothing. It is catching one file called uninstall.exe, but that file comes right back. The scan does not find files called logon.exe, rundll.exe, helper.exe, sound.exe or others that are placed in the user's profile at the root of the Application Data folder. It is not deleting the psexesvc.exe file either, which seems to launch all this. We have blocked this file from running via Endpoint Protection, and we have also disabled the psexec service. The combo of those two has saved our network, and is how WE ARE STOPPING THE MALICIOUS SIDE OF THIS VIRUS, not Symantec. We are now just awaiting a real solution from Symantec on a complete fix.


    Good luck to all with this virus; if you have any other information on it, please post it here.

    Peace,

    Bry

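A host sweep for the indicators Bry lists in the post above (the dropped executables at the root of each user's Application Data folder, and the PSEXESVC service that the post says launches them), as an added PowerShell example that is not part of the original thread or of any Symantec tool. The file names and the service name come from the post; the profile-path handling, the report fields and the stop-and-disable behaviour are the example's own assumptions.

```powershell
# Added example, not code from the thread. Sweeps one Windows host for the
# indicators named in the post: the dropped executables at the root of each
# user's Application Data folder and the PSEXESVC service that launches them.
# Assumptions: file names and the service name come from the post; profile-path
# handling, report fields and the stop-and-disable step are this example's own.
# Written for PowerShell 2.0 so it runs on XP/2003/Vista-era hosts.

$SuspectNames = @('logon.exe', 'rundll.exe', 'helper.exe', 'sound.exe', 'uninstall.exe')

function Get-Sha256 {
    param([string]$Path)
    # Hash via .NET rather than Get-FileHash, which needs PowerShell 4.0.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Get-SuspectProfileFiles {
    # Resolve the profiles directory from the registry instead of hard-coding
    # "C:\Documents and Settings" or "C:\Users".
    $list        = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    $profileRoot = [Environment]::ExpandEnvironmentVariables($list.ProfilesDirectory)
    $hits = @()
    $profiles = Get-ChildItem -Path $profileRoot -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer }
    foreach ($profile in $profiles) {
        # Root of the Application Data folder on both pre- and post-Vista layouts.
        $appDataDirs = @(
            (Join-Path $profile.FullName 'Application Data'),
            (Join-Path $profile.FullName 'AppData\Roaming')
        )
        foreach ($dir in $appDataDirs) {
            if (-not (Test-Path -LiteralPath $dir)) { continue }
            foreach ($name in $SuspectNames) {
                $path = Join-Path $dir $name
                if (-not (Test-Path -LiteralPath $path)) { continue }
                $file = Get-Item -LiteralPath $path -Force    # -Force: dropped files may be hidden
                # The post notes SEP leaves 0 KB stubs; record them but do not hash them.
                $hash = if ($file.Length -gt 0) { Get-Sha256 $file.FullName } else { '(0 KB stub)' }
                $hits += New-Object PSObject -Property @{
                    Profile = $profile.Name
                    Path    = $file.FullName
                    Length  = $file.Length
                    Written = $file.LastWriteTime
                    SHA256  = $hash
                }
            }
        }
    }
    return $hits
}

function Get-PsExecService {
    # PSEXESVC is the service PsExec installs on a target machine.
    return Get-WmiObject -Class Win32_Service -Filter "Name='PSEXESVC'"
}

function Disable-PsExecService {
    # Containment as the post describes it: stop and disable the service.
    # It is not deleted here so the binary survives for the vendor's analysis;
    # blocking the EXE itself is done in SEP's Application and Device Control policy.
    $svc = Get-PsExecService
    if (-not $svc) { Write-Host 'PSEXESVC not installed'; return }
    if ($svc.State -eq 'Running') { $null = $svc.StopService() }
    $null = $svc.ChangeStartMode('Disabled')
    Write-Host ("PSEXESVC ({0}) stopped and disabled" -f $svc.PathName)
}

# Usage: run elevated on one isolated machine at a time, as the earlier reply advises.
$found = @(Get-SuspectProfileFiles)
if ($found.Count -gt 0) { $found | Format-Table Profile, Length, Written, Path -AutoSize }
else { Write-Host 'No suspect files at the root of any Application Data folder' }
Disable-PsExecService
```

The sweep reports rather than deletes: the hashes and write times of any non-stub files are what the vendor needs to produce a detection, and the stop-and-disable step matches what the post says actually halted the spread. Run it with the machine off the network, per the containment advice in the second reply.
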

  • 4.  RE: Backdoor.Trojan/Trojan.Clampi and Trojan.Dropper thread at Norton's forum

    Posted Mar 10, 2009 01:57 PM

    I have also had Clampi-infected machines that SEP has not effectively cleaned.  If a dedicated cleaning tool isn't going to be produced, then we need a fix for SEP to get the job done.  Re-imaging everybody isn't always a viable solution.



  • 5.  RE: Backdoor.Trojan/Trojan.Clampi and Trojan.Dropper thread at Norton's forum

    Posted Mar 10, 2009 05:29 PM

    Have you guys had a look at these articles, dated 2008, from the Symantec response team?

    Trojan.Clampi

    http://www.symantec.com/security_response/writeup.jsp?docid=2008-011616-5036-99&tabid=3

    Trojan.Dropper

    http://www.symantec.com/security_response/writeup.jsp?docid=2002-082718-3007-99&tabid=3

    Backdoor.Trojan

    If you "google" Backdoor.Trojan Removal Tool, you should receive some information on how to remove this one as well.

    Unfortunately, it looks like a lot of manual work to get rid of these buggers.  I also reiterate my original point: if you need to clean one by one, make sure all machines on the network are off or off the network when performing these actions.  If not, you risk re-infecting faster than removing...



  • 6.  RE: Backdoor.Trojan/Trojan.Clampi and Trojan.Dropper thread at Norton's forum

    Posted Mar 11, 2009 07:49 AM

    yep, saw those and we tried cleaning both. Didn't work. This is some new variant of something.