Last week, several of my users received a targeted email which looked like it was sent by RIBA in the UK, and had only one spelling mistake (which gave it away). The mail was forwarded on to me to check. The email had a Word document that said the user had to run the macro attached to see what the document says. This macro creates a randomly named exe file, runs it, creates the registry key ADCBA753-DDBC-83D7-A662-3CA44878B697, adds it to the start up processes, and tries to connect to Ntemegreto.ru which at time of analysis connects to 88.198.11.14 via netbios. At no point did Symantec Endpoint Protection detect this known infection, so I contacted the support as this was a major concern and got through to a technical support agent who, after checking all of the possible things that could be stopping it from happening, agreed that it was a problem and escalated to the next level of support.
They tried blaming various programs that were installed on the machine (such as Wireshark) for the issue but after sending in even more data agreed that it was a problem and were very concerned about this, but only offered tips on securing a network without an explanation of the actual problem, so the agent suggested I send an email to them, which I have not received any reply to at all.
Obviously, this is unacceptable as the issue was initially reported over a week ago, and we are no closer to getting a resolution or any assurances that Symantec are even looking into the threat. Please see below the email which was sent to Symantec.
As discussed, I would like you to investigate why Endpoint Protection hasn’t picked up the aforementioned malware. Please find below an outline of the current setup and explanation of what has happened thus far:
Issue: The problem we are currently having is that Symantec Endpoint Protection is not detecting a piece of malware (
Setup: Windows 7 Professional, running on a virtual machine hosted on Hyper-V, which was connected to the Symantec Management Console to fully update with the newest definitions. The virtual machine was then disconnected from the network and kept in a sealed environment to prevent the malware spreading.
Process: The email was then opened, the Word (.docx) file was saved to the computer, and then the contained macro that contains the malware was allowed to run. The exe file that was created was then scanned, and at no point was the malware detected; even after a restart of the computer the malware was still not found. A full scan eventually detected the running process, but not until well after the initial infection was able to spread. It was eventually picked up as the Trojan.Zbot!gen19 infection, which Symantec are aware of (here: http://www.symantec.com/security_response/writeup.jsp?docid=2011-052508-4728-99 )
The extra software you mentioned (Wireshark, Process Explorer, both legitimate programs) was added after the initial test to allow me to analyse the infection and had no effect on the running of Symantec Endpoint Protection.
I look forward to hearing from you, please let me know if you require further information regarding this case.
Thanks
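For anyone who wants to catch this behaviour chain with endpoint telemetry rather than waiting on signature updates, here is an added example (my own, not code from the original post or from Symantec). It correlates Sysmon-style events for the three steps the post describes: an Office process spawning an exe from a user-writable path, a Run-key value pointing at that exe, and a DNS query issued by it. The event shape, paths, SID and dropper name are constructed assumptions; the Run-key value name and the domain are the ones reported above.

```python
import re

# Constructed Sysmon-style events (not from the original post): process create
# (ID 1), registry value set (ID 13) and DNS query (ID 22). Paths, SID and the
# dropper name are made up; the Run-key value name and domain are from the post.
DROPPER = r"C:\Users\alice\AppData\Local\Temp\qzjxkwpa.exe"
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"id": 1, "image": DROPPER,
     "parent": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"},
    {"id": 13, "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows"
                         r"\CurrentVersion\Run\ADCBA753-DDBC-83D7-A662-3CA44878B697",
     "details": DROPPER},
    {"id": 22, "image": DROPPER, "query": "ntemegreto.ru"},
]

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)
EXE_PATH = re.compile(r'"?([a-z]:\\[^"]+?\.exe)', re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_macro_dropper_chain(events):
    """Map each executable to the chain stages it was seen in.

    Stages: an Office process spawning an exe from a user-writable path,
    a Run-key value pointing at that exe, and a DNS query issued by it.
    Only executables seen in at least two stages are returned, so a lone
    Run-key write by a legitimate installer does not fire on its own."""
    stages = {}
    for ev in events:
        if (ev["id"] == 1 and basename(ev["parent"]) in OFFICE_HOSTS
                and any(p in ev["image"].lower() for p in USER_WRITABLE)):
            stages.setdefault(ev["image"].lower(), set()).add("office_spawn")
        elif ev["id"] == 13 and RUN_KEY.search(ev["target"]):
            m = EXE_PATH.search(ev["details"])
            if m:
                stages.setdefault(m.group(1).lower(), set()).add("run_key_persist")
        elif ev["id"] == 22:
            stages.setdefault(ev["image"].lower(), set()).add("dns_query")
    return {img: s for img, s in stages.items() if len(s) >= 2}
```

Run against the sample, only the dropper comes back, tagged with all three stages; the svchost.exe event is ignored because it matches none of them.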