
Weatherbug and Fragus Toolkit Request 1 question

Created: 29 Nov 2010 | 8 comments

Hi all,

I have been redirected to this forum regarding my question on the Norton forum at http://community.norton.com/t5/Norton-Internet-Security-Norton/HTTP-Fragus-Toolkit-Request-1/m-p/335525/highlight/false . (I am a DoD employee with the free version of SEP for home use. Symantec Endpoint Protection version 11.0.5002.333)

I am new to the community and don't know much about hunting down viruses, so bear with me.

My Norton SEP also has captured these processes:

11/26/2010 12:59:42 PM (CST)

[SID: 23987] HTTP Dragon Toolkit Activity detected.
Traffic has been blocked from this application: C:\Program Files (x86)\AWS\WeatherBug\Weather.exe

(Same DTG)

Traffic from IP address 91.213.217.191 is blocked from 11/26/2010 12:58:41 PM to 11/26/2010 1:08:41 PM.

11/29/2010 12:12:42 AM (CST)

[SID: 23974] HTTP Fragus Toolkit Request 1 detected.
Traffic has been blocked from this application: C:\Program Files (x86)\AWS\WeatherBug\Weather.exe

I've had Weatherbug on my machine for several months with no issues and there are no other entries in my security log that reflect malicious activity. (The Weatherbug has lots of ads embedded and, if I understand what the whitepaper on Fragus Toolkit is saying, I have a suspicion the ads are the weak link.)

I have removed Weatherbug and done a complete scan with SEP version 11.0.5002.333 with no signatures detected.

Is there any reason for concern? And why would my log be clean except for those 3 entries for the last 9 months? (How long does the security log maintain its record?)
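As an added example, not code from the original post or from Symantec: a small Python parser for IPS notifications in the shape quoted above, so the entries can be triaged as records rather than read by eye. The log text is constructed to mirror those entries, the `Detection` field names are my own, and `signatures_by_app` groups hits per process so a single noisy binary stands out from a spread of detections across many programs.

```python
import re
from dataclasses import dataclass
from datetime import datetime
# Constructed sample, shaped like the SEP IPS entries quoted in the post above.
SAMPLE_LOG = r"""
11/26/2010 12:59:42 PM (CST)
[SID: 23987] HTTP Dragon Toolkit Activity detected.
Traffic has been blocked from this application: C:\Program Files (x86)\AWS\WeatherBug\Weather.exe
Traffic from IP address 91.213.217.191 is blocked from 11/26/2010 12:58:41 PM to 11/26/2010 1:08:41 PM.
11/29/2010 12:12:42 AM (CST)
[SID: 23974] HTTP Fragus Toolkit Request 1 detected.
Traffic has been blocked from this application: C:\Program Files (x86)\AWS\WeatherBug\Weather.exe
"""
TS_FMT = "%m/%d/%Y %I:%M:%S %p"
HEADER_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \(\w+\)$")
SID_RE = re.compile(r"^\[SID: (\d+)\] (.+?) detected\.$")
APP_RE = re.compile(r"^Traffic has been blocked from this application: (.+)$")
BLOCK_RE = re.compile(r"^Traffic from IP address (\S+) is blocked from (.+?) to (.+?)\.$")

@dataclass
class Detection:
    when: datetime
    sid: int
    name: str
    app: str = ""           # process whose traffic was blocked
    blocked_ip: str = ""    # remote address placed on the auto-block list
    block_minutes: int = 0  # length of that auto-block window

def parse_ips_log(text: str) -> list[Detection]:
    # A header line opens a record, the SID line creates it, later lines fill it in.
    detections: list[Detection] = []
    pending_ts = None
    for line in text.strip().splitlines():
        if m := HEADER_RE.match(line):
            pending_ts = datetime.strptime(m.group(1), TS_FMT)
        elif (m := SID_RE.match(line)) and pending_ts is not None:
            detections.append(Detection(pending_ts, int(m.group(1)), m.group(2)))
        elif (m := APP_RE.match(line)) and detections:
            detections[-1].app = m.group(1)
        elif (m := BLOCK_RE.match(line)) and detections:
            start, end = (datetime.strptime(s, TS_FMT) for s in m.group(2, 3))
            detections[-1].blocked_ip = m.group(1)
            detections[-1].block_minutes = int((end - start).total_seconds() // 60)
    return detections

def signatures_by_app(detections: list[Detection]) -> dict[str, list[str]]:
    out: dict[str, list[str]] = {}
    for d in detections:
        out.setdefault(d.app or "<unknown>", []).append(f"{d.sid} {d.name}")
    return out
```

On the sample both hits resolve to the same Weather.exe path and the only remote address was auto-blocked for a 10-minute window, which is the pattern of one ad-serving process being blocked rather than a spread of infected programs.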


.Brian

The Fragus toolkit is HTTP based, meaning it tries to exploit vulnerabilities in your web browser (HTTP over port 80).

As long as you're getting notified by SEP, that means SEP is doing its job in blocking it.

Perhaps Weatherbug's ads point to links that are malicious and re-direct to a Fragus exploit attempt.

Since you are being notified by SEP, it is being blocked. You could block the IP altogether with your firewall/gateway.

Make sure weatherbug is fully removed (in the directory structure as well as the registry) and you should be fine.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

visitor101

Ok, thank you for your help. Hopefully all the registry entries for weatherbug have been removed by my registry cleaner, but I will take a look at it as well.

The log says it was outbound from my PC to the IP that was blocked.

Could a virus/script (?)  like this gather my IP and use it for a Denial of Service attack or overload my memory/processor with junk even if it was blocked by SEP? Could it have delivered its payload beforehand (I guess is really what I'm asking)?

BNH

As we just updated the HTTP Fragus Toolkit Request 1 signature on SU239 [23 Nov 2010] and added HTTP Dragon Toolkit Activity on SU240 [24 Nov 2010], I guess it's best to have your machine checked for possible malware infection.

You can use our Power Eraser tool to scan your machine again and see if there is anything there.

You can also add the suspect IP addresses to your block list and see if there are more connection attempts coming out since you uninstalled your weatherbug tool.

As Brian81 said: it might be a rogue ad being served, hence the detection is triggered.

-- Got a new virus? Try updating your defs here: ftp://ftp.symantec.com/AVDEFS/norton_antivirus/rap... --

Pawel Lakomski

I agree to check the machine with Power Eraser (just be careful not to delete something useful ;)) as well as to use the Symantec Endpoint Recovery Tool (Live CD):

http://www.symantec.com/business/support/index?pag...

--

Cheers,

Symantec Technical Specialist
Symantec Certified Specialist
MCP & MCITP
Cisco Certified Network Associate
Citrix Certified Administrator


khaskins82

I have considered weatherbug a threat for many years. We block the website and the download URL. It is removed from the clients by an Altiris job monthly. We used Wireshark to examine the traffic. There is a lot of traffic to the weatherbug site, so we killed it.


Also watch out for coupon printer as well.


Vikram Kumar-SAV to SEP

Since you have removed Weather.exe you have fixed your issue. No need to do anything else, as SEP was already blocking it.

The logs are kept by number, e.g. the most recent 100 logs.

Vikram Kumar

Symantec Consultant

The most helpful part of the entire Symantec Connect is the Search button. Do use it.

visitor101

I was able to find and run Power Eraser. It came up clean.

I have also added the offensive IP to my block list and tagged it to report both outgoing and incoming traffic.

Because the SEP I have was downloaded through the Army's AKO (for DoD employees' home use) I don't have a live CD for the recovery tool, but I will check the site tomorrow to see if they have any of the ISO images available, which they probably do not, as the site usually refers us to the manufacturer of the available products.

Fortunately it is just my home computer which was completely rebuilt last spring. With weatherbug removed, I feel a bit more comfortable with the situation. If the firewall detects any activity to that IP I will most likely just do a full wipe of the drive and reinstall.

I have been using Advanced SystemCare Professional 3.7.2 to run registry and system checks for broken or invalid items. Other than that, I don't know enough about the Windows 7 registry to go hunting for Weatherbug entries.

I am more confident that the issue is resolved after visiting this forum. Thank you all for your feedback and assistance.

.Brian

If SEP is alerting you that it is blocking it, you shouldn't have to rebuild your system. Especially if other scans are coming up clean. SEP is doing its job, you should be fine.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.