
[SID: 27071] System infected: backdoor houdini activity detected

Created: 29 Sep 2013 | 25 comments
Low wrote:

A few PCs keep popping up this message this morning. A full scan shows no virus found. What's going on?


James007 wrote:

You can scan your system with Symantec Power Eraser and submit the submission file.

Symantec Power Eraser using Symantec Help (SymHelp) Tool

https://www-secure.symantec.com/connect/articles/symantec-power-eraser-using-symantec-help-symhelp-tool

Using Symantec Help (SymHelp) Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team

https://www-secure.symantec.com/connect/articles/using-symantec-help-symhelp-tool-how-do-we-collect-suspicious-files-and-submit-same-symante

Mick2009 wrote:

Hi Low,

If the computers are showing the pop-up, the most likely thing is that they have blocked an attack coming in from another computer.

Another possibility is that removable media (USB drives, etc.) that were plugged into those computers are infected with a threat that opens up a backdoor. I recommend scanning them!

VBS.Dunihi
http://www.symantec.com/security_response/writeup.jsp?docid=2013-091222-3652-99

This would also be a good time to ensure that all patches are up to date, all passwords are strong and changed frequently, etc. Here are some good recommendations:

Symantec Endpoint Protection – Best Practices
http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0

Hope this helps!!

Mick

With thanks and best regards,

Mick

.Brian wrote:

Check the NTP logs. Do they show the source IP of the attacker?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi wrote:

Hello,

I agree with the above comments.

Backdoor Trojans allow the remote attackers to perform various malicious activities on the compromised machine.

System Infected: Backdoor Houdini Activity

http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27071

Take a close look at the Traffic logs where you see these alerts. If the IP address(es) are external, there's not much you can do; the nature of the internet is to allow unsolicited attempts at communication.

If the communications are coming from external sources, you can certainly block those IP addresses at the perimeter firewall, and do other things such as leveraging intrusion prevention (assuming you've got that, or it's part of the perimeter firewall).

If the attacks are coming from WITHIN your network, you'll need to do some sleuthing to get to the bottom of what's actually attacking and deal with it. My gut, however, leads me to believe that your logs show external IP addresses.

Script kiddies out there are constantly running programs that will try to use exploits on machines; odds are low that you're specifically being targeted.

If the IP addresses in the logs are external to your network, the only way you can completely block the alerts is to configure your perimeter firewall to not allow incoming external traffic to this machine, which, I suspect, would completely negate the usefulness of the server itself.

Also, you can run the SymHelp utility to check if any suspicious files are found and, if there are, submit them to the Symantec Security Response Team.

Using Symantec Help (SymHelp) Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

pandher wrote:

We are facing the same issue; the user is getting it again and again. And the IP it is showing is our Bluecoat proxy IP. How do we find out what the actual cause is? No other users are facing it. And Symantec is completely updated (version 12.1.2) and a full scan shows nothing:

 

Risk Detected Event Time: 10/03/2013 15:21:01
Begin Time: 10/03/2013 14:54:52
End Time: 10/03/2013 15:19:56
Occurrence: 275
Signature Name: System Infected: Backdoor Houdini Activity
Signature ID: 27071
Signature Sub ID: 66270
Intrusion URL: ffff99fff.no-ip.biz:99/is-ready
Intrusion Payload URL: N/A
Event Description: [SID: 27071] System Infected: Backdoor Houdini Activity attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WSCRIPT.EXE
Event Type: Intrusion Prevention
Hack Type: 0
Severity: Critical
Application Name: /DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/WSCRIPT.EXE
Network Protocol: TCP
Traffic Direction: Inbound
Remote IP: 172.16.100.2
Remote MAC: N/A
Remote Host Name: N/A
Alert: 1
Local Port: 3831
Remote Port: 8080
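As an added example (not code from anyone in this thread), here is a small Python triage script that parses the key fields of an SEP IPS event like the one above and applies the internal-versus-external test Mithun describes, plus one more check a responder would want: when the blocked application is a script host such as wscript.exe and the Intrusion URL names a dynamic-DNS host, the machine itself is running the backdoor script, and a private Remote IP is just the proxy it talks through. The sample event text, the RFC1918 list, SCRIPT_HOSTS and DDNS_SUFFIXES are constructed for this example.

```python
import ipaddress
import re

# Constructed sample: the key fields of the SEP IPS event pasted in the thread above.
SAMPLE_EVENT = """\
Signature ID: 27071
Intrusion URL: ffff99fff.no-ip.biz:99/is-ready
Application Name: /DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/WSCRIPT.EXE
Remote IP: 172.16.100.2
"""

# RFC 1918 ranges: "inside the network" in the sense the thread uses.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Script hosts that should never be the local endpoint of backdoor traffic.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Free dynamic-DNS suffixes; the sample's C2 name uses one of them (assumed list).
DDNS_SUFFIXES = (".no-ip.biz", ".no-ip.org", ".ddns.net")

def parse_event(text):
    """Split the 'Key: value' lines of an SEP IPS event into a dict (first colon wins)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def triage(fields):
    """Decide whether the event points at this host, another LAN host, or the internet."""
    remote = ipaddress.ip_address(fields["Remote IP"])
    app = fields.get("Application Name", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    url = fields.get("Intrusion URL", "")
    m = re.match(r"([^:/]+)(?::(\d+))?", url) if url.upper() != "N/A" else None
    host = m.group(1).lower() if m else ""
    result = {
        "remote_is_internal": any(remote in net for net in RFC1918),
        "app_is_script_host": app in SCRIPT_HOSTS,
        "c2_host": host,
        "c2_port": int(m.group(2)) if m and m.group(2) else None,
        "c2_uses_ddns": host.endswith(DDNS_SUFFIXES),
    }
    if result["app_is_script_host"] and host:
        # A script host on this box is talking to the C2 name; a private Remote IP is usually the proxy.
        result["verdict"] = "local_infection"
    elif result["remote_is_internal"]:
        result["verdict"] = "internal_source"  # another LAN host is the attacker
    else:
        result["verdict"] = "external_scan"  # blocked at the edge; firewall the IP
    return result
```

For the pasted event the verdict is local_infection, which is why the proxy IP appears as the remote peer and why the cleanup steps later in this thread target the .vbs file in the user's startup folder rather than the proxy.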
 
.Brian wrote:

Have you gotten this figured out?


raghu.mc wrote:

I too have a system showing this continuously. Please suggest removal!

.Brian wrote:

Are the attempts coming from an external address and is it being blocked? If so, SEP is doing its job by protecting you against this.


MexicoKnight wrote:

Erm, I had the same problem. I know the programme is helping, but it keeps popping up. Will it stop, in the sense that it will stop attacking?

.Brian wrote:

Is the attacking IP remote or something on your internal LAN?


.Brian wrote:

You can also create a firewall rule to block the offending IP.


.Brian wrote:

You're welcome. Let me know how it goes.


MexicoKnight wrote:

So far it has stopped popping up on my screen, so I have probably successfully blocked the IP, so thanks. However, what happens if my subscription to the programme is over and I didn't immediately renew it? Will the attack come back immediately?

.Brian wrote:

Assuming you're running an unmanaged client, there is no expiration.

Is this SEP?


MexicoKnight wrote:

Alright, didn't know that. Now I know; thanks a lot for the help. I had a panic attack for a second there when that popped up. Now it's solved, thanks!

.Brian wrote:

Happy to help :)


dav92178 wrote:

Download pskill.exe

Then create a .BAT file with the following:

@echo off
REM kill wscript process to free up vbs file
.\pskill.exe -accepteula wscript

REM alternate method
taskkill /f /im wscript.exe

REM Temp folder (XP: c:\documents and settings\userID\local settings\temp, Windows 7: C:\Users\userID\AppData\Local\Temp)
call :clean "%TEMP%"

REM For XP Systems: c:\documents and settings\userID\start menu\programs\startup
call :clean "%USERPROFILE%\Start Menu\Programs\Startup"

REM For Windows 7: C:\Users\userID\AppData\Roaming\Microsoft\Windows\Start Menu\Programs and its Startup subfolder
call :clean "%APPDATA%\Microsoft\Windows\Start Menu\Programs"
call :clean "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"

REM Clean any attached USB drive: try every drive letter except C:, skipping letters that are not present
for %%D in (D E F G H I J K L M N O P Q R S T U V W X Y Z A B) do (
    if exist %%D:\ (
        attrib -h -s "%%D:\*.*"
        del /q "%%D:\*.lnk"
        del /q "%%D:\*.vbs"
        del /q "%%D:\*.vbe"
    )
)
exit

REM Subroutine: unhide and delete .vbs and .vbe scripts in the folder passed as %1 (skipped if the folder does not exist)
:clean
if not exist "%~1\" exit /b
attrib -h -s "%~1\*.vbs"
attrib -h -s "%~1\*.vbe"
del /q "%~1\*.vbs"
del /q "%~1\*.vbe"
exit /b
 
enjoy!

saikumar wrote:

Don't get upset, guys.

Just install CCleaner.

Run CCleaner -> Tools -> Startup.

In most cases it was a script file with a .vbs extension.

Otherwise, delete the .exe files in startup that you have never known.

Restart your system.


HOPE THIS WORKS

Mick2009 wrote:

Followers of this thread may be interested to know that Symantec has now released an enhanced heuristic detection against this family of threats. More details can be found at:

VBS.Dunihi!gen1
http://www.symantec.com/security_response/writeup.jsp?docid=2014-011312-0745-99

With thanks and best regards,

Mick

.Brian wrote:

Do you need more assistance with your problem or were you able to get it resolved?

If you could post an update for followers of this thread that would be most helpful.

Otherwise, if resolved, you can close the thread out by clicking the "Mark as solution" link at the bottom left on the most helpful post.

Thanks and take care,
Brian
