we've found a new BIG one.....

  • 1.  we've found a new BIG one.....

    Posted Jan 11, 2011 12:10 PM

    Well, maybe. Let's see if my peers here, or Symantec knows what's up.

    About a month ago (MAYBE UNRELATED!) a user in a particular office hit a web site that "infected" his computer. SEP didn't find it, I did manually through remote means, and it appeared the machine was clean.

    The office has been experiencing really slow network and web performance. We've noted on the switch (a Cisco 2950) that some of the ports were showing huge amounts of TRANSMIT packets. Our ISP said that at one point we were using 75% of our UPLOAD bandwidth. This is a small office with like 20 computers in it, and only half of those in use at one time.

    Well, yesterday a person said they could not login. The message was the logon service wasn't running. Remote logons failed, RPC failed, etc. Can't even push the RU6 MP2 upgrade because of the lack of logon service.

    Today another computer in the same office has the same issue - we started to get nervous and met about it. When we left the meeting (1 hour) FOUR more computers stopped the logon service.

    Last week we had an IT person go to that office and run MalwareBytes antimalware and full SEP scans (not at the same time, but you know what I mean) she spent the day there running scans, and installed MBAM and it said "nothing found". Manual checks for hidden stuff came up clean.

    However, we know something is up - 6 computers in that office suddenly can't be logged on to, and remote access to them is gone.

    Last week when we'd shut down a switch port that was showing a lot of transmit traffic, a few minutes later another port would show large outbound traffic. It was like it moved around. It's not coming down the VPN tunnel, but seems web-bound.

    Thoughts? SEP says clean, MBAM says clean!



  • 2.  RE: we've found a new BIG one.....

    Posted Jan 11, 2011 12:29 PM

    In the few minutes since that post, a couple more computers now can't be logged in to, the logon service is not running and will not start with a restart. No one can log on, or connect to use remote management. So there IS something in that office - but what shuts off that service, what is NOT found by SEP or by MBAM, and what sits quietly in the background occasionally flooding our up-side with transmit packets, then stops and moves to a different computer?

    SEP is still communicating to the SEPM server back here - at least for the most part. I see now that two computers don't have the green light, but then those ports might have been shut down. We're trying to do traces/captures, and then will turn off the switch ports to effectively kill the computers as far as network access.

    Tomorrow, they ALL get new ghost images.....

    This is Windows 7, SEP RU6 MP1 although I did get MP2 pushed out to one computer.



  • 3.  RE: we've found a new BIG one.....

    Posted Jan 11, 2011 12:43 PM

    Do you have a proxy? Check the inbound/outbound traffic.

    Do numerous users log onto one PC? Check to see what profiles are/were logged in over the past few days.

    Check your SEPM NTP logs for any weird traffic.



  • 4.  RE: we've found a new BIG one.....

    Posted Jan 11, 2011 01:00 PM

    Very odd.  I haven't personally seen anything like it.  Under normal circumstances I would suggest the Network Activity Tool but if the machines can't be logged into...

    Rootkit is a possibility, in which case re-imaging would be the best bet for security, but if it is something new I'm sure Security Response would like to get a sample.

    sandra



  • 5.  RE: we've found a new BIG one.....

    Posted Jan 11, 2011 01:02 PM

    No proxy.

    Computers all connect to a Cisco switch, which connects to an ASA5505, split tunnel. Web traffic hits the Internet directly, all of our traffic goes down the tunnel to this office.

    A trace just a bit ago shows all machines now very quiet - in fact, it's like they are now disabled and unable to deal with the domain, etc. (but some are still communicating to the SEPM)



  • 6.  RE: we've found a new BIG one.....

    Posted Jan 11, 2011 01:12 PM

    I'm just shocked the MIGHTY mbam didn't find anything, definitely can't be some sort of infection

    But in all seriousness, wireshark should show something. You can try Process Explorer or Process Monitor on a suspect machine but that may not show anything. Can you boot into safemode?

    So is this happening at certain times or random? Can your ISP see the type of traffic it is?

    It sounds like you're just going to image them, which is good. Hopefully that clears it up assuming it was some sort of malware.



  • 7.  RE: we've found a new BIG one.....

    Posted Jan 11, 2011 01:37 PM

    Give Hitman Pro a try.  MBAM may have become too good for its own good being the most popular malware tool out there, and not possibly being disabled via new viruses.

     

    http://www.surfright.nl/en/downloads



  • 8.  RE: we've found a new BIG one.....

    Posted Jan 11, 2011 04:53 PM

    Sandra if I get a sample, or at least some details.......... I'll pass them along.

    Reimaging is the fastest, most reliable way, but it doesn't take into account the need to figure out what it was, how it got in, and how to stop or prevent it in the future.

    So, we're going to ask that one computer be preserved, that they take a spare along to use in its place.



  • 9.  RE: we've found a new BIG one.....

    Posted Jan 11, 2011 05:18 PM

    Hello,

    Do you run SEP with IPS module?

    IPS module can catch some worms maybe in the traffic?

     

    Regards,

    Oykun



  • 10.  RE: we've found a new BIG one.....

    Posted Jan 11, 2011 07:05 PM

    If it's new it sounds more like PTP may catch it. Sounds like it's something brand new.

    Take an image of the drive. Then you can mount it in linux and run forensics and investigate it all you want.



  • 11.  RE: we've found a new BIG one.....

    Posted Jan 11, 2011 07:36 PM

    If it's web based, I'm guessing it's using the default port 80. There is also a possibility that it is a new variant of an old malware. I think it will either be tagged as Trojan.gen (which doesn't say much) or Lovgate.

    As far as fixing it goes, reimaging is a surefire way. If it has disabled the user's ability to logon, then it must have disabled AD or blocked access to the DNS server locally (port 88 or 445). And most likely it uses one of the services reserved for the System user.

    How about Safe mode...hopefully (with fingers crossed) the malware is disabled due to the unavailability of the service it uses. Then probably use the forensic tools here. Load Point analysis tools. And while there, create a temporary local account to be able to log-in locally.



  • 12.  RE: we've found a new BIG one.....

    Posted Jan 11, 2011 07:41 PM

    So sorry



  • 13.  RE: we've found a new BIG one.....

    Posted Jan 11, 2011 07:42 PM

    [multi-post] network hiccups...sorry.



  • 14.  RE: we've found a new BIG one.....

    Posted Jan 12, 2011 07:54 AM

    There is the winlogon service, but no logon service that I know of.

    Sounds like you have some sort of botnet. If it came from the web, the biggest exploit kits out there now are Zeus, Eleonore, Mpack, etc.

    Getting an image of one of those hard drives will give you a chance to do forensics on it.

    Luckily, you can just re-image everything so you should be good, but it would be nice to know what you had.



  • 15.  RE: we've found a new BIG one.....

    Posted Jan 12, 2011 08:01 AM

    We run full SEP - some who are familiar with me here might know that I also have put in place some "special" application blocking - blocking certain files from even forming or being placed in parts of the user profile, etc. - and blocking certain files from the IE cache - and bloodhound is set to max. SEP is not only fully there, it's turned up to max in most settings, PLUS I've added some funky and strict app control rules and block quite a few sites via custom IPS rules. In fact I'm so strict, they can't update JAVA, can't use some of the webinar software, can't install much of anything, even with admin rights, as I've got SEP nailed down hard.

    So this is "personal" LOL - it's beat me!  ;-)   Seriously, though - it's not the domain that's blocked, LOGON service has been stopped! Communication is open with the DCs - I can see that in packet logs. In other words, even a LOCAL administrator can't log on when it's not on the network. No one can logon. RPC is disabled, WMI-based scripts won't run (can't do a remote reboot with a WMI-based VB Script), can't push software using SEP's deploy tool as can't logon - logon service is disabled. So whatever it is, it's clever.

    Question - there is no service named "logon" so is this the LSM that it's hitting? What is called the "logon service"? Example - you try to get to \\computername\c$ and get the message that the "logon service is stopped" etc. And local folks at the computer also get a message that the logon service is stopped. Since there is no service in the list called "logon" what is it really?? If I knew that.............. maybe time for a google............

    PS - Sandra - thank you for the reminder on that Symantec network tool! I've used it in the past, but with my ADD issues, I forgot all about it this time! WOW, I wish I'd have thought about that on Monday. I'm going to print that page and keep it handy. That's the sort of thing I love about support forums - we get a knock in the head reminder now and then as even simple things can be overlooked.



  • 16.  RE: we've found a new BIG one.....

    Posted Jan 12, 2011 10:26 AM

    You're welcome!

    sandra



  • 17.  RE: we've found a new BIG one.....

    Posted Jan 12, 2011 01:51 PM

    Curious if a particular application or OS exploit was used, which would negate any SEP protection. Especially if IPS was/is slow to update against those attacks?

     

    Any chance you got to try Hitman Pro, or other malware scanning tools other than MBAM?



  • 18.  RE: we've found a new BIG one.....

    Posted Jan 13, 2011 09:45 AM

    The security logs show that a file called SYSFER.DLL is causing logon errors...... it's identified as a Symantec file and dated 1.11.2011

    What????

    Does this file interact with SMB2 or SMB1?

    What if SMB2 is set to disabled?

    What does SYSFER.DLL have to do with this, and why are the Windows security logs showing this file is involved with ALL failed logon attempts??



  • 19.  RE: we've found a new BIG one.....

    Posted Jan 13, 2011 09:51 AM

    I have a sysfer.dll file located in C:/Windows/system32 but nothing in the main SEP install folder....also mine is dated 12/9/2010

    Not sure what the file is, I would probably open a case on this one.



  • 20.  RE: we've found a new BIG one.....

    Posted Jan 13, 2011 10:01 AM

    It's in the Windows\system32 folder

    c:\windows\system32\sysfer.dll

    Code integrity determined that the page hashes of an image file are not valid.  This file could be improperly signed blah blah blah..........

    Properties of the file show it to be a Symantec file.

    This is associated with failed logon attempts on the computers that were blocking logons.

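    The check a defender would run on one of the affected machines at this point, as an added PowerShell example that is not code from the thread: it pulls the Windows Code Integrity audit events from the Security log (ID 5038 for an invalid image hash, ID 6281 for the invalid page hashes message quoted above), then records the Authenticode status, version info and SHA-256 of each flagged file so it can be compared with the copy on a known-clean machine instead of going by file properties and dates. It assumes the first event parameter holds the file name in kernel form (\Device\HarddiskVolumeN\...) and that this volume is the system drive; the event IDs and cmdlets are standard Windows ones.

```powershell
# Added example, not code from the thread. Run elevated (Security log access).
# Assumptions: event parameter 0 is the kernel-form file name and that
# volume is the system drive, so \Device\HarddiskVolumeN is mapped to $env:SystemDrive.
function Get-CodeIntegrityFindings {
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5038, 6281 } `
                           -ErrorAction SilentlyContinue   # no error when there are no matches
    $sha256 = [System.Security.Cryptography.SHA256]::Create()

    foreach ($e in $events) {
        $raw    = [string]$e.Properties[0].Value
        $path   = $raw -replace '^\\Device\\HarddiskVolume\d+', $env:SystemDrive
        $exists = Test-Path -LiteralPath $path

        $status = 'file missing'; $signer = ''; $company = ''; $hash = ''; $written = $null
        if ($exists) {
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status              # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            # CompanyName is whatever the file claims; the signature above is the actual check
            $company = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path).CompanyName
            $bytes   = [System.IO.File]::ReadAllBytes($path)
            $hash    = ([System.BitConverter]::ToString($sha256.ComputeHash($bytes))) -replace '-', ''
            $written = (Get-Item -LiteralPath $path).LastWriteTime
        }

        New-Object PSObject -Property @{
            Time      = $e.TimeCreated
            EventId   = $e.Id
            Path      = $path
            SigStatus = $status
            Signer    = $signer
            Company   = $company
            Sha256    = $hash
            LastWrite = $written
        }
    }
}

# One record per event. A file that is present and Symantec-signed with status
# Valid but still logged under 6281 matches the "signed without page hashes" case
# in the event text; HashMismatch, NotSigned or an unexpected signer means the
# file on disk is not the vendor's and belongs in the preserved-machine forensics.
Get-CodeIntegrityFindings | Sort-Object Time | Format-List
```

    Running the same function on a machine that never showed the logon failures (like the one in the reply above with the 12/9/2010 sysfer.dll) gives the SHA-256 to compare against.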


  • 21.  RE: we've found a new BIG one.....

    Posted Jan 13, 2011 10:27 AM

    I do have a sysfer.dll.bak in the main SEP install folder but again I have no clue what this file is.

    Google found this:

    sysfer.dll is a sysfer belonging to Symantec CMC Firewall from Symantec Corporation

     

    Found this as well but doubt it helps much

    https://www-secure.symantec.com/connect/forums/problems-sysferdll-code-integrity



  • 22.  RE: we've found a new BIG one.....

    Posted Jan 13, 2011 12:06 PM

    sysfer.dll is the main file of NTP that goes in with the LAN Drivers and monitors the traffic..I don't remember too much about this file but it does sit just above the kernel