Endpoint Protection


[SID: 28265] Web Attack: Fake Codec Website 7 attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE

  • 1.  [SID: 28265] Web Attack: Fake Codec Website 7 attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE

    Posted May 05, 2015 12:21 PM

    Hi,

     

    Greetings.

     

    It's been some time that we have been seeing these activities in our network. The suspicious traffic still remains unrecognizable.

    Attached are the Threat Analysis logs from 2 of the affected machines. We found the IP 104.238.165.200 mentioned there.

    We did notice that in the majority of the affected machines this alert triggered when they connected to VPN, although there were users who reported no such significance.

    Looking for suggestions.

     

    Symantec case number: 08666260.

     

    Attachment(s)

    7z
    Symantec_Logs.7z   12.05 MB 1 version


  • 2.  RE: [SID: 28265] Web Attack: Fake Codec Website 7 attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE

    Posted May 05, 2015 12:36 PM

    Symhelp doesn't show much. Is it only when connected to VPN?



  • 3.  RE: [SID: 28265] Web Attack: Fake Codec Website 7 attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE

    Trusted Advisor
    Posted May 06, 2015 04:34 AM

    Hello,

    Check these links -

    http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=28265

    http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=22980

    It is good that you have involved Symantec Technical Support by creating a case.

    I would recommend you to:

    1) Make sure ALL computers have Symantec EP installed with the latest / updated virus definitions.

    2) Install ALL the latest Microsoft security patches / service packs on ALL machines.

    3) Make sure ALL the client machines have the latest vendor patches installed.

    You should also try to scan the system with a more aggressive scanner of ours:

    Open SEP > Help and Support > Download Support Tool, launch it and execute a scan with the Power Eraser.

    Again, if you find any suspicious activity OR Want to submit the suspicious files to the Security Response Team then, check this Article:

    Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

    Hope that helps!!



  • 4.  RE: [SID: 28265] Web Attack: Fake Codec Website 7 attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE

    Posted May 06, 2015 05:08 AM

    We are not sure about it. I have got a few users who got these alerts when they were not connected to VPN. We do assume that the alert came up to SEPM when they got connected back to the network. The majority of users that we noticed got these traffic notifications when they connected to the VPN.

     



  • 5.  RE: [SID: 28265] Web Attack: Fake Codec Website 7 attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE

    Posted May 06, 2015 07:03 AM
    About the "Fake Codec 7 Website": "Malware authors often use social engineering techniques to trick users into downloading and installing malicious files. This technique involves presenting what looks like a video widget on a Web page. When an attempt is made to play the video, a message is displayed requesting that a codec, plug-in or update is required to be installed before the video can be viewed." "Newer generations of misleading applications may also cause instability on the computer such as moving files around, hiding them, or preventing access to certain resources. This is done to coerce the user into buying the fake software."

    ** We do not see any suspicious applications installed on the machine. Upon probing, the user did not mention visiting any such website, which was confirmed with the browser history. No suspicious add-ons or startups.

    ** NPE advanced scan and reboot scan come up with no detection, with suggestions of installing the latest Java though.

    ** Yammer is a popular and allowed social networking site which had its notifiers installed; again, as per the logs, this is not specific to Yammer-installed machines.

    Environment details:
    No. of SEP: 15000+ installed on Win 7, Win 8, Win 8.1 and Windows Servers, version 12.1.3
    No. of SEPM: 4 (replicated) installed on Win Server 2008, version 12.1.4 MP1a

    Uploading some of the NTP logs from the affected machine and today's NTP log of the UK site. Expecting your help.

    Attachment(s)

    xlsx
    SID_logs_0.xlsx   87 KB 1 version


  • 6.  RE: [SID: 28265] Web Attack: Fake Codec Website 7 attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE

    Posted May 06, 2015 08:08 AM

    These look to be legit alerts/intrusion attempts.



  • 7.  RE: [SID: 28265] Web Attack: Fake Codec Website 7 attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE

    Trusted Advisor
    Posted May 06, 2015 08:38 AM

    Hello,

    Seems IPS has blocked legitimate intrusions.

    I would suggest you to check if there are suspicious Browser add-ons installed.

    Could you check the Virus Logs and Threat logs if Symantec has detected any threats?

    If yes, turn on the Risk Tracer from the SEPM and get the details from the Risk logs. (Risk logs can be taken from SEPM, exported and opened in Excel.)

    Here are the Links:

    1) About Risk Tracer

    http://www.symantec.com/docs/HOWTO27137

    2) What is Risk Tracer?

    http://www.symantec.com/docs/TECH102539

    3) How to use Risk Tracer to locate the source of a threat in Symantec Endpoint Protection

    http://www.symantec.com/docs/TECH94526

    NOTE: For Risk Tracer to work Correctly, you would require Network Threat Protection Installed and Enabled on all machines.

    Risk Tracer can be extremely useful in informing what computers to isolate and scan. For illustration, export a Log History Report from the SEPM and hide many of the columns that do not relate to Risk Tracer.

    Example:
    "Monitors Tab" on the left hand pane.
    "Logs" on the tab menu (Top of Screen)
    "Log Type:" Risk
    Default Filter
    "View Log" button
    Export Search Results.
    Import into Excel.
    Results below.

    Example of Risk Tracer:

    Event        Computer Name   Source             Source Computer Name   Source Computer IP
    Virus Found  TEST-130        Auto-Protect scan  TEST-01                10.14.3.13
    Virus Found  TEST-055        Auto-Protect scan  TEST-01                10.14.3.13
    Virus Found  TEST-065        Auto-Protect scan  TEST-01                10.14.3.13

    This log is indicating that TEST-01 at 10.14.3.13 should be isolated from the network and scanned. It is reportedly infecting other computers.

    Please note that Risk Tracer relies upon very basic network awareness functionality. The computer name and IP that are listed were connecting to the SAV or SEP client at the time the infection was detected, but there may have been other connections as well. Symantec Technical Support recommends comparing the logs of several clients and noting which remote computer names and IPs keep coming up.

    Hope that helps!!!
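    As an added example that is not part of this thread or of Symantec's own tooling, the following Python script performs the comparison the post recommends: it reads rows in the shape of the exported Risk log (the column headers are taken from the table above; the rows are constructed sample data) and reports which source computer name/IP is named by several distinct reporting clients, so that machine can be prioritised for isolation and scanning. Rows without Risk Tracer data (blank source columns) are skipped rather than counted.

```python
"""
Added example, not from the original thread or from Symantec.
Counts how often each Risk Tracer source (name, IP) is reported by
*distinct* client computers in an exported SEPM Risk log.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export, modelled on the columns shown in the post.
SAMPLE_RISK_LOG = """\
Event,Computer Name,Source,Source Computer Name,Source Computer IP
Virus Found,TEST-130,Auto-Protect scan,TEST-01,10.14.3.13
Virus Found,TEST-055,Auto-Protect scan,TEST-01,10.14.3.13
Virus Found,TEST-065,Auto-Protect scan,TEST-01,10.14.3.13
Virus Found,TEST-070,Auto-Protect scan,TEST-022,10.14.3.40
Virus Found,TEST-130,Auto-Protect scan,TEST-01,10.14.3.13
Virus Found,TEST-099,Manual scan,,
"""


def parse_risk_log(text):
    """Parse a CSV export (as produced by 'Export Search Results') into dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def source_hit_counts(rows):
    """Map (source name, source IP) -> set of distinct reporting computers.

    A computer that reports the same source several times counts once,
    which is the point: many *different* victims naming one source is the
    signal the post describes, not one noisy client.
    """
    victims = defaultdict(set)
    for row in rows:
        name = (row.get("Source Computer Name") or "").strip()
        ip = (row.get("Source Computer IP") or "").strip()
        if not name and not ip:
            continue  # no network peer recorded for this detection
        victims[(name, ip)].add(row["Computer Name"].strip())
    return victims


def suspected_sources(rows, min_victims=2):
    """Return sources named by at least `min_victims` distinct clients,
    most-widespread first, as (name, ip, victim_count) tuples."""
    counts = source_hit_counts(rows)
    ranked = [(n, ip, len(v)) for (n, ip), v in counts.items() if len(v) >= min_victims]
    ranked.sort(key=lambda t: (-t[2], t[0]))
    return ranked


if __name__ == "__main__":
    rows = parse_risk_log(SAMPLE_RISK_LOG)
    for name, ip, n in suspected_sources(rows):
        print(f"{name} ({ip}) named as source by {n} distinct computers -> isolate and scan")
```

    Point the script at a real export by reading the CSV file into `parse_risk_log`; the `min_victims` threshold is the "keeps coming up" rule from the post, and raising it on a large estate reduces false leads from the basic network-awareness limitation described below.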

     



  • 8.  RE: [SID: 28265] Web Attack: Fake Codec Website 7 attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE

    Posted May 06, 2015 11:09 AM

    I would really like to thank Brian and Mithun for helping me out on this.

     

    1) The machines that I examined so far: no suspicious add-ons found.

    2) We use Risk Tracer and use it every now and then. The recent report did not come with any such source detections.

    Is there any possibility that this unrecognised traffic could be a result of any vulnerability?

     

    Any further suggestions?

     

    I can't find much content about the SID 28265 in Connect.

     

    Thanks

     



  • 9.  RE: [SID: 28265] Web Attack: Fake Codec Website 7 attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE

    Posted May 06, 2015 11:20 AM

    The traffic is outbound over port 80. So either the user is intentionally browsing to a malicious site or the machine has some sort of malware on it....may be best to re-image.



  • 10.  RE: [SID: 28265] Web Attack: Fake Codec Website 7 attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE

    Trusted Advisor
    Posted May 07, 2015 01:08 AM

    Hello,

    I agree. However, I believe this to be more than a vulnerability.

    It seems the users have visited a website where, at first, the visitor is greeted with a message warning him that he needs to download a video codec in order to view the video on the page. The so-called codec, represented by a file called codec.exe, actually installs a fake AV that keeps warning the user of fictitious threats.

    To remove the threats, the victim is required to activate the product or purchase a premium version, both variants requesting the user to pay a certain amount of money.

    Internet users are advised to download codecs only from trusted locations and if still the video won’t work, it may indicate the presence of a malicious plot.

    TRY using Power Eraser from Symhelp -

    About Symantec Power Eraser

    http://www.symantec.com/docs/TECH134803

    Symantec Power Eraser using Symantec Help (SymHelp) Tool.

    https://www-secure.symantec.com/connect/articles/symantec-power-eraser-using-symantec-help-symhelp-tool

    Secondly, make sure you have uninstalled unwanted programs from the Programs and Features of the client machines.

    Regards,



  • 11.  RE: [SID: 28265] Web Attack: Fake Codec Website 7 attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE

    Posted May 07, 2015 10:52 AM

    We might imagine the scenario where the very first interaction would have been triggered from the user's side, following which the symptoms started appearing.

    Now, as this issue is not location based, we see this unidentified traffic in Poland, the UK and India, and the number of affected machines goes up to 300+.

     

    Re-imaging might not be a feasible solution.

    Attachment(s)

    xlsx
    SIDs_7_5_15.xlsx   2.09 MB 1 version


  • 12.  RE: [SID: 28265] Web Attack: Fake Codec Website 7 attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE

    Posted May 07, 2015 11:06 AM

    We did not find any such installations on the affected machines. While we are examining more, I will update the findings.

    Symantec Threat Analysis scan did not come up with any detections so far.

    I have attached today's NTP logs.

    Any further suggestions or content reference might help.



  • 13.  RE: [SID: 28265] Web Attack: Fake Codec Website 7 attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE

    Posted May 07, 2015 11:36 AM

    This is a new Threat Analysis log that I have obtained, along with the suspected file.

    No detections on VirusTotal about this file:

    https://www.virustotal.com/en/file/190c2602030bb6313917385ed7e3a4f7bc43d383afc4ac7e49d79dcfe95b85d3/analysis/1431012071/

     

    Attachment(s)



  • 14.  RE: [SID: 28265] Web Attack: Fake Codec Website 7 attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE

    Posted May 07, 2015 12:13 PM

    Just out of interest, to find any common detections in the NTP and Risk logs.

    Findings in the attachment:

    Attachment(s)

    xlsx
    Risk_Vs_NTP_07_05_15.xlsx   149 KB 1 version


  • 15.  RE: [SID: 28265] Web Attack: Fake Codec Website 7 attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE

    Trusted Advisor
    Posted May 08, 2015 07:26 AM

    Hello,

    Could you please zip each of the files and submit the zip files (without password) to the Symantec Security Response Team at:

    https://submit.symantec.com/websubmit/essential.cgi

    We also offer a self-service site to analyze files, at http://www.threatexpert.com, which can give you more information on the files you submit to it.

    Check these articles:

    Using Symantec Help (SymHelp) Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

    https://www-secure.symantec.com/connect/articles/using-symantec-help-symhelp-tool-how-do-we-collect-suspicious-files-and-submit-same-symante

    What to do when you suspect that a Symantec AntiVirus product is not detecting viruses

    http://www.symantec.com/docs/TECH99222

    Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not

    http://www.symantec.com/docs/TECH98929

    Here are some excellent suggestions on how to keep your computers, their users and data safe:

    http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0

    Hope that helps!!



  • 16.  RE: [SID: 28265] Web Attack: Fake Codec Website 7 attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE

    Posted May 11, 2015 10:05 AM

    It's really strange to see that there are no responses here. Does this thread not have any visibility on Symantec Connect?



  • 17.  RE: [SID: 28265] Web Attack: Fake Codec Website 7 attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE

    Posted May 26, 2015 03:12 AM

    I have also had this Fake Web Attack problem from IP address 104.238.165.200, and the only thing I have done recently is install the latest version of Java....

    I have a company laptop so there is no question about having visited any dodgy websites.

    Symantec, can you not investigate this issue with Oracle directly? (or at least trace where this address comes from to check whether it is legit or not.)

    Thanks

     

     



  • 18.  RE: [SID: 28265] Web Attack: Fake Codec Website 7 attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE

    Posted May 26, 2015 03:29 AM

    ... by the way, I am using Symantec Endpoint Protection version 12.1.3001.165.

    Attached is the message I receive and the security log.... doing a back trace on the URLs in the security log, it appears the ddlsys.854.xyz URL addresses are associated with 104.238.165.200.vultr.com

    Attachment(s)