Endpoint Protection


Non Admin Spyware Crossing the Line

  • 1.  Non Admin Spyware Crossing the Line

    Posted Oct 27, 2009 05:10 PM

    We just had our instance of a machine being infected with the end user running with non-admin privileges. I have never seen a piece of malware able to get code into the System32 folder when a user is non-privileged. SEP 11 MR5 did not stand a chance once this piece of code got on the machine. How can we protect ourselves when SEP is not stopping this stuff? Why do we have SEP if it cannot stop today's threats? We are one step ahead of most with all of our users running in non-admin mode. We submitted some of the code to VirusTotal and only a handful of the engines were able to identify it. This is hard to believe. Below is the threat.

    Security Risk Found!Trojan.Vundo in File: C:\Documents and Settings\All Users\Application Data\tinajepu\tinajepu.dll by: Auto-Protect scan. Action: Process or service must be halted. Action Description:



  • 2.  RE: Non Admin Spyware Crossing the Line

    Posted Oct 27, 2009 05:20 PM
    These threats take advantage of 0-day or known vulnerabilities that have not been patched, perform a buffer overflow attack and take elevated privilege.

    The Trojan.Vundo usually inserts a rootkit and starts downloading other threats.
    I would suggest you download Rapid Release defs from the Symantec FTP site.
    Run a full scan in safe mode (as 3rd-party services won't be started, even the viral service won't be started, and SEP would easily delete it).

    Submit viral samples to Symantec at https://submit.symantec.com so that they can release defs for these.



  • 3.  RE: Non Admin Spyware Crossing the Line

    Posted Oct 27, 2009 05:32 PM
    While I wrote this, I just had a terminal server user get a piece of malware that luckily could not transition into the system areas of the box. Symantec did not pick up the file. I submitted the file to VirusTotal and several other vendors were able to pick up the file.


  • 4.  RE: Non Admin Spyware Crossing the Line
    Best Answer

    Posted Oct 27, 2009 05:38 PM
    When you submit the files at VirusTotal or ThreatExpert, at the same time you can submit to
    https://submit.symantec.com/basic
    https://submit.symantec.com/gold
    https://submit.symantec.com/BCS
    https://submit.symantec.com/essential

    whichever support contact you have. By doing this you won't just be helping yourself but also other Symantec users who might get infected with the same file.

    VirusTotal is a good site for analysis, but it's more tilted towards black hats, as whatever files you submit, they do not forward to any AV companies.

    You can also try http://www.threatexpert.com/; it's a good one as well, as it tells you all the places it has installed itself.



  • 5.  RE: Non Admin Spyware Crossing the Line

    Posted Oct 27, 2009 05:57 PM
    We will start to submit to Symantec; however, I am really surprised that we stand no chance with some of this stuff. If these users were admins the machines would have had to be wiped.


  • 6.  RE: Non Admin Spyware Crossing the Line

    Posted Oct 27, 2009 06:18 PM
    If the malware has reached the kernel it hardly matters if it's a limited user or admin.
    However, if it's a worm (that spreads across the network) then admin privilege would have come into play.

    The underground economy relies more on these nowadays. The people who write this code have become smarter with the freely available virus creation tools, sophisticated and professional.
    They write thousands of pieces of malware daily, whereas a few years back they used to write 10-20 in a day.
    It's a very tough time for the antivirus industry, but they are still able to catch most of them if not all.




  • 7.  RE: Non Admin Spyware Crossing the Line

    Posted Oct 27, 2009 07:29 PM
    I've seen this behavior before as well; they'll use just about any vulnerability that exists in any of the software running on the system that has admin or system privileges. If possible, look at limiting the ability of programs to run if they aren't in Program Files or the Windows folder (or any others you need). This will stop most of the crap from even having a chance. You could do this with SEP or software restriction policies.
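    As an added example (not code from this thread or from Symantec), a read-only PowerShell audit of the Software Restriction Policy setup suggested above: it reports the machine's default security level and its path rules, and flags Unrestricted rules that point at user-writable folders such as the Application Data location where the Vundo DLL in the first post was dropped. It assumes the standard Safer registry layout under HKLM and an elevated PowerShell session.

```powershell
# Added example, not from the thread: read-only audit of machine-wide Software
# Restriction Policies (SRP). Reports whether the default is Disallowed and lists
# the path rules, flagging Unrestricted rules that cover user-writable folders.
# Assumes the standard Safer registry layout; run from an elevated PowerShell.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

if (-not (Test-Path $base)) {
    Write-Output 'No machine-wide SRP found: any path is executable by default.'
    return
}

$cfg = Get-ItemProperty -Path $base
# DefaultLevel: 0 = Disallowed (default-deny), 0x1000 = Basic User, 0x40000 = Unrestricted
$levelNames = @{ 0 = 'Disallowed'; 4096 = 'Basic User'; 262144 = 'Unrestricted' }
if ($null -eq $cfg.DefaultLevel) { $default = 'not set' }
else { $default = $levelNames[[int]$cfg.DefaultLevel] }
if (-not $default) { $default = "Unknown ($($cfg.DefaultLevel))" }
Write-Output "Default level : $default"
if ($default -ne 'Disallowed') {
    Write-Output '  WARNING: default is not Disallowed, so unknown files run unless a rule blocks them.'
}
# PolicyScope 1 exempts local administrators; TransparentEnabled 2 also checks DLLs
Write-Output "Applies to    : $(if ($cfg.PolicyScope -eq 1) { 'all users except local administrators' } else { 'all users' })"
Write-Output "DLL checking  : $(if ($cfg.TransparentEnabled -eq 2) { 'on' } else { 'off (a DLL like the Vundo one is not checked)' })"

# Folders a non-admin user can write to; an Unrestricted rule covering them defeats the allow-list
$writable = 'Application Data', 'AppData', 'Temp', 'Documents and Settings', 'Users'

# One subkey per rule under <level>\Paths\{GUID}; ItemData holds the path pattern
foreach ($level in 0, 262144) {
    $paths = Join-Path $base "$level\Paths"
    if (-not (Test-Path $paths)) { continue }
    foreach ($key in Get-ChildItem -Path $paths) {
        $rule = (Get-ItemProperty -Path $key.PSPath).ItemData
        $flag = ''
        if ($level -eq 262144 -and ($writable | Where-Object { $rule -like "*$_*" })) {
            $flag = '   <-- Unrestricted rule on a user-writable location'
        }
        Write-Output ("{0,-12} {1}{2}" -f $levelNames[$level], $rule, $flag)
    }
}
```

    A healthy configuration for the approach in the post above shows a Disallowed default, DLL checking on, and Unrestricted rules only for Program Files, the Windows folder and any other locked-down directories you chose.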


  • 8.  RE: Non Admin Spyware Crossing the Line

    Posted Oct 27, 2009 08:39 PM

    That's a solid idea; however, there is a delicate balance between security and functionality. For now we are going to have to build defense in layers using non-admin, SEP, and gateway AV. We use central patch management with WSUS for all of our customers. Adobe Acrobat, Flash and Java are the three most common other applications that are very difficult to keep up to date. What is the risk if we cannot control the patching of these applications? They do not run with admin privileges; however, I would like to get some feedback from you guys.



  • 9.  RE: Non Admin Spyware Crossing the Line

    Posted Oct 28, 2009 12:43 AM
    What pieces of SEP were on or enabled at the time of infection?

    IPS, Proactive Threat Protection, Trojan/Worm set to quarantine, and Bloodhound set to maximum are all things that I recommend for all SEP deployments on the client side.


  • 10.  RE: Non Admin Spyware Crossing the Line

    Posted Oct 28, 2009 06:03 AM
    We are using AV and AS with Bloodhound at default. I am concerned about turning Bloodhound to Max causing compatibility issues with applications. I can try to raise Bloodhound to help us tighten down the detection of new threats. From what I understand, on terminal servers we can only use AV and AS; is this incorrect?


  • 11.  RE: Non Admin Spyware Crossing the Line

    Posted Nov 05, 2009 10:07 AM
    I want to know what the advantage of the 5002 version is.


  • 12.  RE: Non Admin Spyware Crossing the Line

    Posted Nov 05, 2009 10:52 AM
    You should try to make a new post on your subject. That way you are the thread owner and can do things like post logs, pics, etc. This also allows you to mark a thread as solved, which is our way for future users to quickly sort through posts and find their answer. If you post yours at the bottom of other unrelated threads it becomes very hard for future users (who might have the same question as you) to find their answer.

    Thanks for understanding,
    Grant