Endpoint Protection


Endpoint protected machine compromised CASE# 411-396-061

  • 1.  Endpoint protected machine compromised CASE# 411-396-061

    Posted Feb 16, 2010 07:35 AM
    We’ve identified a Trojan on a client machine (XP SP3) that Endpoint 11.0.5002.333 did not detect. Following a report from a user whose personal online banking account was compromised with an unauthorized transaction, a full scan with Endpoint revealed no issue. Endpoint logs identified no threat. Using the free application Malwarebytes, a trojan was detected (details below). This is obviously a very serious security concern, as it would indicate that Endpoint is not providing the protection required.

    A Google search indicates that this is a 'known trojan' with identified behaviour. Why does Endpoint not detect this threat?

    Malwarebytes' Anti-Malware 1.44
    Database version: 3741
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    15/02/2010 16:42:37
    mbam-log-2010-02-15 (16-42-30).txt

    Scan type: Quick Scan
    Objects scanned: 162813
    Time elapsed: 14 minute(s), 26 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 8
    Registry Values Infected: 1
    Registry Data Items Infected: 1
    Folders Infected: 1
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> No action taken.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> No action taken.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> No action taken.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> No action taken.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> No action taken.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> No action taken.

    Folders Infected:
    C:\WINDOWS\system32\lowsec (Stolen.data) -> No action taken.

    Files Infected:
    C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> No action taken.
    C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> No action taken.

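The log in the post above carries two indicators worth scripting around rather than eyeballing: the Winlogon `Userinit` value has a second executable (`sdra64.exe`) appended after the stock `userinit.exe`, so it is launched at every interactive logon, and a `system32\lowsec` folder holds `local.ds`/`user.ds`, which MBAM tags as stolen data. The following is an added example, not code from the thread or from any vendor: it parses a constructed copy of those log entries, reports whatever is riding on `Userinit` beyond the legitimate binary, and lists the flagged paths. The `LEGIT_USERINIT` set and the regexes are this example's own assumptions about a default XP layout.

```python
"""Triage helpers for the MBAM findings posted above (added example)."""
import re

# Constructed sample: the Winlogon and lowsec entries from the posted log.
SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> No action taken.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> No action taken.

Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> No action taken.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> No action taken.
"""

# Assumption: on a stock XP install the only program Winlogon should launch
# through Userinit is userinit.exe. Anything else in the comma-separated
# list runs with the user's token at every logon.
LEGIT_USERINIT = {r"c:\windows\system32\userinit.exe", "userinit.exe"}


def userinit_extras(value):
    """Return the entries of a Userinit value that are not the stock userinit.exe.

    The value is a comma-separated list with a trailing comma. An empty
    result means nothing has been appended.
    """
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() not in LEGIT_USERINIT]


def repaired_userinit(value):
    """Build the value to write back: only the legitimate entry, trailing comma kept."""
    keep = [e.strip() for e in value.split(",")
            if e.strip() and e.strip().lower() in LEGIT_USERINIT]
    return ",".join(keep) + ","


# "Bad: (...)" is how MBAM prints the current (hijacked) registry data.
_BAD_RE = re.compile(r"Bad:\s*\((?P<bad>[^)]*)\)")
# A flagged file or folder line starts with a drive path, then "(DetectionName)".
_PATH_RE = re.compile(r"^(?P<path>[A-Za-z]:\\[^\s]+)\s+\((?P<tag>[^)]+)\)", re.M)


def triage_mbam_log(text):
    """Pull the actionable indicators out of MBAM log text.

    Returns a dict with:
      userinit_extras: executables appended to Winlogon\\Userinit
      paths:           flagged file/folder paths mapped to MBAM's detection name
    """
    extras = []
    for m in _BAD_RE.finditer(text):
        extras.extend(userinit_extras(m.group("bad")))
    paths = {m.group("path"): m.group("tag") for m in _PATH_RE.finditer(text)}
    return {"userinit_extras": extras, "paths": paths}


if __name__ == "__main__":
    result = triage_mbam_log(SAMPLE_LOG)
    for exe in result["userinit_extras"]:
        print("Userinit hijack ->", exe)
    for path, tag in result["paths"].items():
        print(f"{tag:12} {path}")
```

Restoring `Userinit` to the legitimate entry only stops the dropper from being relaunched at logon; the file it points at and the `lowsec` store still have to be removed, and because the box was used for online banking while the `Stolen.data` files were being written, the credentials entered on it should be treated as compromised regardless of what any scanner reports afterwards.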

  • 2.  RE: Endpoint protected machine compromised CASE# 411-396-061

    Posted Feb 16, 2010 07:42 AM

    Case# 411-396-061

    The concerned SEP department has been informed regarding the issue and the case number. Someone will follow up with you as soon as possible.


  • 3.  RE: Endpoint protected machine compromised CASE# 411-396-061

    Posted Feb 16, 2010 07:49 AM

    What to do when a competitor's antivirus, adware scanner, or spyware scanner detects a threat that Symantec AntiVirus does not detect

    http://service1.symantec.com/support/ent-security.nsf/docid/2001101708255048?Open&seg=ent



  • 4.  RE: Endpoint protected machine compromised CASE# 411-396-061

    Posted Feb 16, 2010 08:29 AM
    Thanks for the link. All of the suggested solution points are well understood, but none apply to this issue. This appears to be an instance of Trojan-Spy.Win32.Zbot that is undetected by Endpoint.


  • 5.  RE: Endpoint protected machine compromised CASE# 411-396-061

    Posted Feb 16, 2010 09:31 AM
    And you can find a million threads on this forum that say Malwarebytes or some other scanner picked up something that SEP did not.
    Nothing new...


  • 6.  RE: Endpoint protected machine compromised CASE# 411-396-061

    Posted Feb 16, 2010 12:34 PM

    In this instance, the trojan was used by an attacker to steal the user's online banking login information, and her bank account was subsequently cleared of funds. SEP did not identify or log any risk or threat during this incident. The third-party application identified and removed the offending trojan. Our current position is that we are wide open to further security compromise with SEP until a resolution is identified.



  • 7.  RE: Endpoint protected machine compromised CASE# 411-396-061

    Posted Feb 16, 2010 05:17 PM
    They will fill an entire thread with reasons why their product failed and an out-of-the-box free AV/AS found and cleaned it.  They will tell you how effective it is with all the other kinds of threats.  Just not "scareware" or RogueAV malware.  And bjohn is right - the forum is full of threads complaining of this same issue.  The upshot is you're gonna need a third-party scanner like Malwarebytes or Hitman to rid you of scareware and its residual code.  I had high hopes for SEP - finally the AV community was going to address the browser-delivered malware epidemic.  I guess not...  This is what they are saying about not detecting what MBAM does:
    • A repair tool-type product that runs on a single machine and is not centrally monitored or managed may be far more aggressive - thus detecting some threats that SAV or even SEP may not - but often at the cost of a much higher false positive detection rate, sometimes as high as 40%

    Has anyone ever had MBAM pull a false-positive?


  • 8.  RE: Endpoint protected machine compromised CASE# 411-396-061

    Posted Feb 16, 2010 05:26 PM
    Keeping SEP aside: yes, there are a lot of false positives from MBAM that I have personally found. Just look at their detection logs.
    If they say there are 10 infections, 8 would be some left-behind registry entries that it shouldn't have flagged in the first place, but it does, just to make the count higher. But yes, since it is freeware it has to do that for people to buy it.


  • 9.  RE: Endpoint protected machine compromised CASE# 411-396-061

    Posted Feb 16, 2010 09:44 PM
    I think I'd rather the odd false positive detection to funds being withdrawn from my bank account.


  • 10.  RE: Endpoint protected machine compromised CASE# 411-396-061

    Posted Feb 26, 2010 03:08 PM
    I too have had a customer who almost had funds stolen from their account if it were not for an alert bank employee. We are a Symantec reseller and personally I am tired of SEP not doing its job, and I do not want to hear about how Malwarebytes is more aggressive, or false positives, bla, bla, bla. When you do an on-demand scan, scanning all the files, and your machine comes back clean, meanwhile you are infected with a KNOWN BUG! That is total BS. Most people are moving to Trend; one of my customers is running that now, we will see how it goes. We just cannot spend any more time cleaning up crapware.


  • 11.  RE: Endpoint protected machine compromised CASE# 411-396-061

    Posted Feb 26, 2010 04:46 PM
    @mass 2

    You could use application and device control to block the virus company-wide. I'd give it a shot in a test environment and see how that works.

    Mike



  • 12.  RE: Endpoint protected machine compromised CASE# 411-396-061

    Posted Feb 26, 2010 04:53 PM
    If somebody has written a threat with that intelligence then somebody has to get hit... Unlucky that it was a Symantec user, but it can happen with any antivirus.
    If antivirus alone were the answer for all security concerns, then banking websites would check whether you had an antivirus rather than having strong encryption and an online keyboard and what not...