Endpoint Protection


Symantec Let Us Down - Big Time

ℬrίαη, May 04, 2010 09:19 AM

  • 1.  Symantec Let Us Down - Big Time

    Posted May 03, 2010 09:43 PM

    We have 18 servers and 60 odd workstations in four offices.

    We have Symantec Corporate loaded on every machine.

    On Thursday, I noted that one of our servers was getting a remote access error (Event ID 20089).

    So on my workstation, I pulled up Google Chrome and entered a search as: Event Viewer Event ID 20089

    I clicked on one of the entries in the results that was maybe 3 or 4 down in the results.

    BANG ZOOM, I AM SCREWED!!!

    Three minutes later, I get a pop up telling me that my computer is infected with Generic Dropper.js.  Seconds later, another window pops up with another notification.  Almost immediately, I get a window that pops up that looks like an anti-virus program that is scanning my drive.  I figure that it is a flash program simulating an antivirus (AntiSpyware Soft), but I am bombarded again with other messages. 

    IE opens to www.antivirusvrsystem.com.  Fortunately, they know exactly what is going on.  It is ransomware!!

    I am connected to the computer remotely via GoToMyPC, so I cannot rip the network cable out of the machine (or the wall).

    I run to the computer room and pull out the cable.  I run Symantec on a variety of servers and I do not see any problem.

    I go back to my workstation.

    Symantec has finally woken up to the fact that there is an attack.  Sadly, way too late.

    I run Symantec and the client on the machine tells me that it was updated yesterday.  YESTERDAY!!?

    I take the machine home with me to see if I can fix it.

    I run VIPRE against it.  No good.

    I run TrendMicro against it from a USB.  After 20 hours, no good.

    I run KasperskyLabs against it. Another 20 hours (big drive) and still no good.

    Symantec continues to 'find' the virus after Kaspersky finds it.

    Maybe Kaspersky and the others cannot find it because Symantec is still on there.

    But after 4 full days I am thinking it is time to format the hard drive.

    For TrendMicro and Kaspersky, I started in safe mode with only the command prompt.

    After running Kaspersky several times, my machine is full of files that say porno this or porno that.

    I am really not happy with Symantec for not stopping the virus.

    Kaspersky is done and reports no more errors.  But the damage is done.

    I cannot connect to the internet.  This was my DEV machine, but I don't think I could trust it back on the network.

    Any comments will be welcome.

    Feeling plenty screwed...

    Paul

    P.S. I spent much of the past 8 hours configuring a new machine and still have 30 hours to go to get the machine to where it was...

    Question: for the forum names, why is there no forum called 'AntiVirus'.  Why is it hidden under an abstraction called 'End Point'?



  • 2.  RE: Symantec Let Us Down - Big Time

    Posted May 03, 2010 10:00 PM
    P.S., Our signature file was dated the day before on 4/28.


  • 3.  RE: Symantec Let Us Down - Big Time

    Posted May 03, 2010 10:25 PM

    Do you have SAV or SEP?
    Were you logged into your workstation as local or domain admin??
    Or had privileged account levels?
    Do you know the exact website you visited?

    I would start up in safe mode and scan with SEP and/or use the SERT tool to boot from and scan without the OS and/or virus being loaded.
    Check the following KB for info on the SERT tool - http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/750ab70cd21259ae88257706004bafc9?OpenDocument

    If you can't do that, then you could pull the drive and put it in another machine.

    Hope you get it all sorted out...



  • 4.  RE: Symantec Let Us Down - Big Time

    Posted May 03, 2010 10:27 PM
    SAV10 served a purpose at one time but the technology just can't keep up with the new threats. Hence the reason SEP is available and SAV10 will be EoL in 2012. SEP won't catch everything either but it protects much better than SAV10. I feel your pain because I support SAV10 today but we are moving to SEP soon.

    Signature based AV is a commodity at this point


  • 5.  RE: Symantec Let Us Down - Big Time

    Posted May 03, 2010 11:00 PM

    This story really gets old . . . . .

    1. These variants change so often, hundreds of times a day, that it's impossible to have a signature for all of them
    2. Just running AV/AS will NOT suffice any more
    3. Implement an Application and Device Control policy and you will see these types of infections dramatically decrease if not go away, depending on how good it is

    It's a bad time for malware and it's only going to get worse. New methods need to be implemented and drastic measures taken. AV alone will not get it done anymore.

    There is no product out there that will stop this.

    Try running Malwarebytes on it.


  • 6.  RE: Symantec Let Us Down - Big Time

    Posted May 04, 2010 12:22 AM

    Dear Zer0,

    I appreciate your questions and will answer as best as I can...

    I don't know which is which.  It says Symantec AntiVirus.

    I was logged in as myself.  I had recently been removed from the administrator role because of a problem with our BES.

    I do not know the exact website that I visited and I am terrified of visiting it again.  Of course when I check the history in IE it is all wiped out except for porno.com  and porno.org and of course http://antivirusvrsystem.com/purchase?r=75&pgid=1

    Of course, all of the other history, like where I got infected, has been wiped out.

    Question: This will sound naive, but will the FBI stop this or is that just a dream?




  • 7.  RE: Symantec Let Us Down - Big Time

    Posted May 04, 2010 12:24 AM

    Hopefully one last question.  Is there any combination of different Anti-Virus products that make sense to use at the same time?  They seem to fight each other when you run them together.



  • 8.  RE: Symantec Let Us Down - Big Time

    Broadcom Employee
    Posted May 04, 2010 01:01 AM

    No AV vendors recommend running two AV at the same time, as the Autoprotect features of the AVs might access the same resource and get into conflict mode.

    You might use the SEP IPS signature and application control to fight against threat.



  • 9.  RE: Symantec Let Us Down - Big Time

    Posted May 04, 2010 01:30 AM
    pemurray,
      You filed this post of yours as:
    Filed under: 

    It's important to note that SAV 10 and older is way past its prime.  Version 11, also known as Symantec Endpoint Protection (SEP), has been out for near 3 years now.  SAV 10x is nearing its end of life and will no longer be supported soon.  SAV 9 is NOT supported at all.  

    That said, today's viruses are not typical viruses.  Today's viruses actually start out exploiting a Windows or some other application vulnerability (Flash, PDF, etc).
    Once that application is compromised, the virus author typically has control of your PC, to install whatever software he wants, aka the ransom-ware you experienced.

    SEP was designed with today's threats in mind.  It was designed to advance further than traditional signature based protection, which will do nothing once an application is compromised, privileges elevated, and applications installed.  

    One such component in SEP called IPS or Intrusion Protection Service, would analyze network traffic coming into the PC, and see that some type of traffic matches a particular application attack/vulnerability.  This would stop a good number of today's threats, a good number of today's more common threats.  

    Then there is TruScan and ProActive Protection, both of those technologies also offer some more advanced scanning, much beyond traditional AV.




    That said, it's unfortunate you got hit, but in order to stay on top of your security, you need to also stay current with your security products.  Based on the size of your environment, you may also want to consider the Small Business Edition of SEP.  It's targeted at companies under 100 computers (servers included) but works for up to 1500 computers.  It's easier to administer, and simpler to deploy.  You can have it up and running with clients deployed in less than 30 minutes.  SEP can take much much longer.


  • 10.  RE: Symantec Let Us Down - Big Time

    Posted May 04, 2010 08:45 AM
    The old days are gone fellas. This isn't the 1990's for threats any more.
    Time to upgrade our thinking and way of doing things.
    I use Symantec's "Norton Safe Search" (in beta now but wow, has it done a good job) and I use my APPLICATION CONTROL policies here at work. These policies are pro-active. Nothing runs in the user profile unless I grant it an exception to my rules (posted in an article here about blocking BHOs and such)
    I've gotten emails from friends asking "Why did my McAfee let me down" and here I see "how did Sophos let this in".
    These risks like another forum member pointed out already, change daily, gee, more than that! The servers or rather URLs move from server to server daily. See my other posts here on how I see people buying domain names by the dozens EVERY DAY so they can keep their malware moving.
    It's organized crime now. It's no longer bored script-kiddies out busting windshields on a boring Saturday night to see how many they can break before a porch light comes on. They make big bucks now.
    There are online services that will let them know when their malware can be detected by Symantec and others!!!! They get ALERTS! So then they modify the code, or else the threat does this itself, and they move it to a different IP address so your forward-thinking firewall rules will block it, right? Wrong - they are a step ahead of you always. It's their full-time job, and there's hundreds of thousands of dollars involved.....
    You and I - we are at war, and unfortunately, the U.S. Senate and Congress "just don't get it" in their own protected little worlds. So they legalize spam in the guise of protecting free speech while Europe and Australia get REALLY MAD at us for allowing this stuff to exist and propagate from our soil. Yes, those domains I referred to above - that's right, here in the central United States! MANY of them in WASHINGTON DC itself. WOW.
    So we are on our own so far in this war. We partner with folks like Symantec. We submit everything we know - samples, and such. We get creative and make APPLICATION CONTROL RULES. We boycott folks like Google and their browser, Chrome, that breaks the rules and installs without admin permission in the USER PROFILE area (I pretty much avoid anything that pushes itself into that, bypassing Windows standards and security, so CHROME and all Google "products" are banned and blocked here at work!)
    If it doesn't install properly in the Program Files area with Windows standards, then it probably won't install and run here, and has that ever slowed up the malware in this place!
    (see my article with sample DAT files for application control - WARNING - THEY ARE ROUGH! I'm not a coder, I don't do clean logical work, so they need cleaned up, but you can get the idea from them! I'm a hyper admin with ADD so view them with that in mind  LOL)
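The application-control idea in the post above (nothing in the user profile runs unless an admin has granted it an exception; software installed under Program Files or Windows is trusted) can be modelled as a small path-based policy evaluator. The following is an added example, not Symantec's policy engine and not the poster's DAT files: the allowed roots, the exception list and the launch events are constructed values, and a real Application and Device Control rule set would be expressed in the product's own policy editor rather than in Python.

```python
"""Toy path-based application-control policy (added example, constructed data).

Models the rule described in the thread: executables under system roots run,
executables under a user profile are blocked unless explicitly excepted.
"""
from dataclasses import dataclass, field

# Locations treated as trusted install roots (constructed list for the example).
SYSTEM_ROOTS = (
    r"C:\Program Files",
    r"C:\Program Files (x86)",
    r"C:\Windows",
)

# Locations treated as user-profile areas where drive-by installers tend to land.
PROFILE_ROOTS = (
    r"C:\Users",
    r"C:\Documents and Settings",
)

# Extensions the policy treats as executable content.
EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".js", ".vbs", ".bat"}


@dataclass
class Policy:
    # Full paths of user-profile binaries an admin has explicitly allowed
    # (constructed; an admin would fill this from reviewed exceptions).
    profile_exceptions: set = field(default_factory=set)


def _under(path: str, root: str) -> bool:
    """Case-insensitive 'path lives below root' test on Windows-style paths."""
    p, r = path.lower().replace("/", "\\"), root.lower().rstrip("\\")
    return p == r or p.startswith(r + "\\")


def _ext(path: str) -> str:
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def evaluate(policy: Policy, image_path: str):
    """Return (decision, reason) for a process image path.

    decision is 'allow' or 'block'; the reason explains which rule fired.
    Rules are checked in order: non-executables, trusted roots, exceptions,
    user-profile block, default block for everything else.
    """
    if _ext(image_path) not in EXEC_EXTS:
        return "allow", "not an executable type"
    if any(_under(image_path, r) for r in SYSTEM_ROOTS):
        return "allow", "installed under a trusted system root"
    if image_path.lower() in {e.lower() for e in policy.profile_exceptions}:
        return "allow", "explicit admin exception"
    if any(_under(image_path, r) for r in PROFILE_ROOTS):
        return "block", "executable in a user profile without an exception"
    return "block", "outside known-good locations"


def audit(policy: Policy, launches):
    """Evaluate a batch of constructed launch events; return the blocked ones."""
    return [(p, evaluate(policy, p)[1]) for p in launches if evaluate(policy, p)[0] == "block"]


# Constructed launch events mirroring the thread's scenario: a browser from
# Program Files, a dropper written to the profile Temp dir, a permitted tool.
SAMPLE_LAUNCHES = [
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Users\paul\AppData\Local\Temp\av_setup.exe",
    r"C:\Users\paul\AppData\Local\PuTTY\putty.exe",
    r"C:\Users\paul\Documents\notes.txt",
    r"D:\downloads\update.scr",
]

SAMPLE_POLICY = Policy(profile_exceptions={r"C:\Users\paul\AppData\Local\PuTTY\putty.exe"})

if __name__ == "__main__":
    for path, reason in audit(SAMPLE_POLICY, SAMPLE_LAUNCHES):
        print(f"BLOCK {path}: {reason}")
```

The order of the rules matters: the exception check comes before the user-profile block, so an admin can whitelist one reviewed binary without opening the whole profile, and the final default is block rather than allow, so a binary on a secondary drive or removable media is not silently trusted.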


  • 11.  RE: Symantec Let Us Down - Big Time

    Posted May 04, 2010 09:19 AM
    So very true, great post.


  • 12.  RE: Symantec Let Us Down - Big Time

    Posted May 04, 2010 06:45 PM
    I appreciate everyone taking so much time to post their views and helpful suggestions with respect to our ransomware attack.

    I finally decided to scratch the drive which is unfortunate because of the many, many hours required to get it to Service Pack 3, install three versions of .Net framework, several SDK's, application development tools, FTP tools, ISO tools, graphics tools, XML tools and on and on and on.  I can't risk putting that puppy back on the network to wreak havoc everywhere.

    When you consider how virulent these viruses can be, it is a real wake up call (a rude one) letting you know, as aptly put by 'ShadowsPapa' that the old days are gone, and we are the victims of organized crime.

    Thanks everyone!!

    Paul


  • 13.  RE: Symantec Let Us Down - Big Time

    Posted May 04, 2010 08:55 PM
    I wish Symantec Endpoint Protection could do the same function as 360 does on preventing a fake AV infecting your computer. Sad that it does not. 



  • 14.  RE: Symantec Let Us Down - Big Time

    Posted Jun 27, 2010 02:28 AM
    Someone please explain to me how these malware people are making money? Do people really buy the fake protection in the malware attacks? Am I naive in thinking people can tell the difference between what AV/AS software they own and what is a new message and find someone knowledgeable if they don't before shelling out money? I recall Gates and AV companies getting together a ways back to address the growing threat. Seems things just got worse. Government will not act until these politicians begin to have issues. Seriously, why aren't they having issues? Do malware attacks only go after the public? Conspiracy theory says that money is paid to congress to allow malware which is developed to keep a reasonable threat to the public and keep a need for AV/AS software demand. Why has MS not developed a legit AV/AS software? They are into everything else? Was that the real reason for the meeting? Seriously, I don't see malware/adware as rogue hackers looking to make some money by sending attacks at your PC. Bright rogue minds have easier ways of making money with less effort.


  • 15.  RE: Symantec Let Us Down - Big Time

    Posted Jun 28, 2010 07:50 AM
    >>Someone please explain to me how these malware people are making money? Do people really buy the fake protection in the malware attacks? <<

    Uh, yes! It's a DUH. You still get spam, don't you? It's because fools (there's 10,000 born every minute) DO fall for it!
    Computers have been dumbed down so any fool can operate them. It's so MS can sell software and vendors can sell hardware.
    Otherwise, those who should be using computers, or know anything about them, already have computers - the market would dry up for new sales. So let's dumb-down computers so anyone who breathes can have one. Just like the Publishers Clearinghouse stuff, there are folks who constantly fall for such !@#$.

    >>Am I naive in thinking people can tell the difference between what AV/AS software they own and what is a new message and find someone knowledgeable if they don't before shelling out money?<<

    Yeah, sorry.

    >>I recall Gates and AV companies getting together a ways back to address the growing threat. Seems things just got worse.<<
    New technology, and a LOT of out of work folks or under-employed folks and the promise of big $$......

    >> Government will not act until these politicians begin to have issues. Seriously, why aren't they having issues? <<
    They don't read their own email. Besides, "free speech" and the lobbies........ again, $$. Advertisers screamed "you'll put us out of business".

    >>Do malware attacks only go after the public? Conspiracy theory says that money is paid to congress to allow malware which is developed to keep a reasonable threat to the public to and keep a need for AV/AS software demand. <<
    LOL - sorry, bunk. There's no need for conspiracy when reality is good enough.

    >>Why has MS not developed a legit AV/AS software?<<
    MS develop anything that's any good?? WOW LOL Even their disk defragger is crap, almost every "utility" they come up with is garbage.  They've tried and failed. It's not that simple, either.......... to make it complicated to infect, you have to make it more complex to run the computer, it's a catch-22.

    >>They are into everything else? Was that the real reason for the meeting? Seriously, I don't see malware/adware as rogue hackers looking to make some money by sending attacks at your PC. Bright rogue minds have easier ways of making money with less effort.<<

    I guess you don't realize the scope of organized crime, or even the sweat-shops that run this stuff, do you?  Once you have dealt with the Russian mafia and other crime groups as I have - you'd see.............. it's not just high school kids looking to make a buck. (although there's been some of them in small towns in Iowa doing phishing and other things, too)
    Besides, even those small groups or individuals that are doing it can rake in more dough doing this stuff than you can imagine. No, there's really not a more simple way to make big fast easy money - and never leave your own apartment or invest any real money! I can't think of any legit way to make the money that these people can make in such short order with no effort or investment, and not leave home to do it. The coding isn't that complex for them. Investment in equipment is very small.
    What? Stuffing envelopes at home? Investing in real estate? Playing the stock market? Some of these folks even manipulate some stocks to make money..................
    Let's ask another question to cover those small-time hoods that are doing this stuff - why do kids go out on Saturday night and bash windshields? Answer that one........
    What about busting mail boxes with a baseball bat - why do some find that fun?
    Why do still others go out at night and shoot horses and cattle around the neighborhood?
    When you can answer all of these questions - then you'll have a good start.
    Why does anyone do anything?


  • 16.  RE: Symantec Let Us Down - Big Time

    Posted Jun 28, 2010 10:15 AM
    I guess I forgot to mention - sometimes it's not "fools" but ordinary folks who get duped.
    Bad or poisoned links - they do a Google search, Google is fooled, shows them the proper info, but the link is actually a bogus redirect to an infected site that tells them to view the page they want, they need to install something, etc.................
    Social engineering, trickery, redirects, poisoning, replacing good FLASH ads with compromised FLASH, etc.

    Also check this out........
    http://isc.sans.edu/index.html

    Here's a snippet - don't want to violate copyrights, etc. - so please visit their site to learn more and see the whole thing:
    --------------------------------------------------------------

    If you have been following campaigns by the RogueAV guys you probably noticed that they very quickly poison search engines with the latest events/keywords. The poisoning part is, of course, completely automated and partially done by the script I will talk about.

    The scripts that are used are almost exclusively set on compromised web sites. They are mainly interested in web sites running Apache with PHP, of course. It looks like in many cases they are abusing incorrect installations or known vulnerabilities such as open TinyMCE editors. In any case, their goal is to install a couple of PHP scripts on those compromised servers. The scripts will allow them to setup poisoning campaigns, offer redirections to other sites serving RogueAV, but at the same time to also conceal their activities as much as possible since they don't want the real owner to find out that his site has been compromised.

    This means that the attackers modify the web site, but in such a way that the web site continues to operate normally, unless special parameters/keywords are used! So there are probably thousands of such compromised web sites which the attackers are not using at the moment. Since the scripts allow automatic updates they can use them at any time and configure for a specific campaign in a matter of seconds.
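The SANS snippet quoted above and the original poster's story describe the same pattern from two sides: a compromised site keeps serving its normal pages to its owner and direct visitors, but hands a redirect to visitors who arrive from a search engine with the campaign's keywords. A site owner who suspects this can look for it in the web server's own access log, because the cloaking shows up as a response class that differs by referer. The following is an added example, not code from the forum, from SANS or from Symantec: it parses Apache combined-format log lines and flags any path that answers search-engine-referred requests with a redirect while answering everyone else with a normal page. The log lines are constructed for the example (documentation IP ranges, made-up paths), and the search-engine host list is an assumption that a real deployment would tune.

```python
"""Detect referer-dependent redirects (search-engine cloaking) in Apache logs.

Added example with constructed log lines; not the forum's or SANS's code.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache 'combined' log format: ip ident user [ts] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Referer hosts treated as search engines (assumption; extend for your traffic).
SEARCH_ENGINE_MARKERS = ("google.", "bing.", "yahoo.", "search.")

# Constructed sample: /blog/index.php redirects only search-referred visitors,
# /about.php behaves the same for everyone.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Jun/2010:10:01:12 +0000] "GET /blog/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [28/Jun/2010:10:02:30 +0000] "GET /blog/index.php?q=event+id+20089 HTTP/1.1" 302 221 "http://www.google.com/search?q=event+id+20089" "Mozilla/5.0"',
    '198.51.100.4 - - [28/Jun/2010:10:03:01 +0000] "GET /blog/index.php?q=event+id+20089 HTTP/1.1" 302 221 "http://www.bing.com/search?q=event+id+20089" "Mozilla/5.0"',
    '198.51.100.9 - - [28/Jun/2010:10:04:44 +0000] "GET /blog/index.php?q=event+id+20089 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [28/Jun/2010:10:05:00 +0000] "GET /about.php HTTP/1.1" 200 2000 "http://www.google.com/search?q=example+company" "Mozilla/5.0"',
    '203.0.113.11 - - [28/Jun/2010:10:05:30 +0000] "GET /about.php HTTP/1.1" 200 2000 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]


def classify_referer(referer: str) -> str:
    """'search' if the referer host looks like a search engine, else 'other'."""
    if not referer or referer == "-":
        return "other"
    host = urlsplit(referer).netloc.lower()
    return "search" if any(m in host for m in SEARCH_ENGINE_MARKERS) else "other"


def parse_line(line: str):
    """Return (path, referer_class, status) for one log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = urlsplit(m["target"]).path  # drop the query string; group by script
    return path, classify_referer(m["referer"]), int(m["status"])


def find_cloaked_paths(lines):
    """Paths whose status codes for search-referred requests never overlap the
    codes seen for other requests, and include a 3xx redirect.

    Returns {path: {"search": [codes], "other": [codes]}}.
    """
    seen = defaultdict(lambda: {"search": set(), "other": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        path, ref_class, status = parsed
        seen[path][ref_class].add(status)

    suspicious = {}
    for path, codes in seen.items():
        s, o = codes["search"], codes["other"]
        if s and o and s.isdisjoint(o) and any(300 <= c < 400 for c in s):
            suspicious[path] = {"search": sorted(s), "other": sorted(o)}
    return suspicious


if __name__ == "__main__":
    for path, codes in find_cloaked_paths(SAMPLE_LOG).items():
        print(f"{path}: search-referred -> {codes['search']}, others -> {codes['other']}")
```

Requiring both referer classes to be present and their status sets to be disjoint keeps ordinary redirects (a path that 301s for everybody) out of the report; the check only fires when the same script answers differently depending on where the visitor came from, which is exactly the behaviour the SANS text says the injected PHP is built to produce.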



  • 17.  RE: Symantec Let Us Down - Big Time

    Posted Jun 28, 2010 12:11 PM
    Also, don't forget the 10% rule...  It's what Spammers thrive on!  That and Fear! 

    The  10% rule says, send 1 million spam messages, 100,000 will get the link clicked.
    10,000 will browse what you are spamming
    1,000 of them, might buy something.

    For 500$ for 1 million messages sent, but 1,000 people purchasing for 30$ a head...  They make their money's worth and then some... 

    Based on that rule alone, 3rd party Merchant Account Processors- not the legit kind like Verisign; made lots and lots of $$... 

    The FEAR factor also accounts for a lot. 

    How much will it cost to bring "my machine" to the shop to get repaired VS. If I purchase this software right now, that claims it will remove the virus for only 40$, I can save the trouble of calling my neighbour's, friends, nephew's, little buddy that knows computers...  Or something in that sense...


  • 18.  RE: Symantec Let Us Down - Big Time

    Posted Jun 28, 2010 12:31 PM
    >>Hopefully one last question.  Is there any combination of different Anti-Virus products that make sense to use at the same time?  They seem to fight each other when you run them together.<<

    If you have a single offending file that needs to be scrutinized, VirusTotal can help you. But I believe they have a size restriction on the total size of the file that you can upload or email to scan@virustotal.com