Endpoint Protection


Web Attack: Exploit Kit Variant Activity 3

  • 1.  Web Attack: Exploit Kit Variant Activity 3

    Posted May 13, 2011 11:31 AM

    This was blocked the other day while I was on the internet. I understand it is a critical attack but other than that I don't know what it is. What is it? I shut down my computer then ran a scan when I turned it back on. Is there any way to know if something has been done to your computer other than just running a scan?



  • 2.  RE: Web Attack: Exploit Kit Variant Activity 3

    Trusted Advisor
    Posted May 13, 2011 11:43 AM

    Hello,

    An attack signature is a unique arrangement of information that can be used to identify an attacker's attempt to exploit a known operating system or application vulnerability. When Intrusion Detection detects an attack signature, it displays a Security Alert.

    Web Attack: Exploit Kit Variant Activity 3

    Could you run the MBSA tool and check whether the OS is updated with the latest Service Pack and security patches?

    Download the same from: 

    Make sure you are up to date with the MS patches and other vendors' product patches.


  • 3.  RE: Web Attack: Exploit Kit Variant Activity 3

    Posted May 13, 2011 11:44 AM

    1. Go to Safe Mode and run a full scan.

    2. Run the SEP support tool and select the Load Point Analysis check.

    Analyze the tool output for any suspicious files or processes.

    How to use the Load Point Analysis within the Symantec Support Tool to help locate suspicious files

    http://bit.ly/ky0n2y



  • 4.  RE: Web Attack: Exploit Kit Variant Activity 3

    Posted May 13, 2011 05:25 PM

    I ran a full scan in safe mode and it didn't find anything other than a tracking cookie. After going back to normal mode the proactive threat protection was turned off (it wasn't like this before I left safe mode). It says the definitions are too old but whenever I try to update it doesn't take care of the problem. When I go into the proactive threat protection settings, the scan for keyloggers checkbox is unchecked and it says:

    "These settings are not supported on Windows Server operating systems, 64-bit Windows XP Professional or Windows 7"

    It was not like this before.

    I ran the SEP support tool and did the Load Point Analysis check. It didn't find anything other than say that the version of Symantec Endpoint Protection is not the latest version. I tried to re-install Endpoint but that did not resolve the issue.

    I fear that my computer has been compromised and that I'm not being allowed to use all of the features of your product. Do you have any suggestions?



  • 5.  RE: Web Attack: Exploit Kit Variant Activity 3

    Posted May 16, 2011 02:43 AM

    You will need to know the answers to the following questions:

    What were you doing when the alert went off?
    Were you browsing a website? Was the computer idle?
    When you check the log, do you have a remote IP address? Have you googled it to see if it hits anything?

    This alert most often comes up when you visit a website [possibly legitimate] that is booby-trapped with malicious content that exploits a certain vulnerability.

    Ensuring your Adobe Flash Player, Adobe Acrobat Reader, Java VM and web browser are up to date are a few initial steps to take.



  • 6.  RE: Web Attack: Exploit Kit Variant Activity 3

    Posted May 16, 2011 05:27 AM

    Hi MonG,

    That alert was letting you know that an attack was successfully blocked.  More details about the originating IP address, etc., can be found in the logs.

    A great many threats in the wild today are built using certain attack kits that take advantage of known vulnerabilities. Here's a Symantec Security Response white paper on some of them:  Symantec Report on Attack Kits and Malicious Websites (http://www.symantec.com/about/news/release/article.jsp?prid=20110117_04)

    I recommend ensuring that your defences are at their highest possible level, all patches are applied, all users educated, and constant attention paid to security.  Here are some additional best practices: http://www.symantec.com/business/theme.jsp?themeid=stopping_malware&depthpath=0

    Hope this helps!

    Mick



  • 7.  RE: Web Attack: Exploit Kit Variant Activity 3

    Posted May 16, 2011 02:52 PM

    BNH,

    To answer those questions, I was browsing a trusted website which I have visited frequently with no attack signatures ever being detected. There was a flash application running at the time, so maybe it came through that.

    I googled the remote IP address (213.246.38.67) and the only thing I found associated with that IP address was a trojan known by McAfee as PWS-Zbot.gen.do!1785A76D0BB9.

    Is there a way to search for this trojan just in case it was attached to my computer?

    Mick2009,

    Thanks for the info. I always make it a point to keep everything up to date, but this will give me more ways to keep my computer safe.

    I ask the same question to you. Is there a way to look for this specific trojan? I'd feel pretty safe if I knew for sure that this was not on my computer.

    Thanks



  • 8.  RE: Web Attack: Exploit Kit Variant Activity 3

    Posted May 16, 2011 03:05 PM

    I would try running a scan with the SERT utility.

    How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions -

    http://bit.ly/SERTkb

    SERT video - http://bit.ly/SERTvideo

    Best,

    Thomas



  • 9.  RE: Web Attack: Exploit Kit Variant Activity 3

    Posted May 16, 2011 06:08 PM

    Hi Again Mon,

    Here's a page from another vendor on that threat name: http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=464338.  Judging by its unique hash value, it is 100% one that Symantec detects and remediates (we call it "Trojan.Gen").  If you did not pick up a detection for that with your scan, then you can rest assured that the IDS blocked it before anything malicious successfully got onto your machine.

    That is, of course, if that one threat was all that was actually on that website.... &: )  The status of many compromised sites changes constantly.

    If in any doubt, run the SEP Support Tool and have it check the computer's load points for anything suspicious.

    Thanks again,

    Mick



  • 10.  RE: Web Attack: Exploit Kit Variant Activity 3

    Posted May 17, 2011 01:55 PM

    Every time I'm ready to assume that nothing malicious was installed on my computer something else pops up.

    Yesterday I received a message from Network Threat Protection saying:

    "NT Kernel System has changed since the last time you used it."

    The change is to C:\Windows\system32\ntoskrnl.exe. I got this message twice yesterday and when I checked the logs, one of the occurrences was an incoming TCP and the other was an outgoing UDP. Both of the remote hosts displayed IP addresses that are on my home network. I have never seen this message before. Could there be a problem on the network?

    I ran the support tool again to check load points and again it doesn't come up with anything other than saying that I don't have the latest version.

    I was unable to download the SERT utility because it required a serial number which I don't have, and I'm unsure whether I can get one. The reason for this is because I'm a college student and my University is supplying SEP. I'm trying to communicate with the University's IT.



  • 11.  RE: Web Attack: Exploit Kit Variant Activity 3

    Posted May 17, 2011 04:06 PM

    Did you run Windows Update? If there were changes to that system file then I'd expect to see the message you see.

    sandra
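
    The question in this reply (was the changed ntoskrnl.exe replaced by Windows Update, or by something else?) can be settled on the machine itself rather than guessed at. The following PowerShell script is an added example, not code from the thread or from Symantec: it checks that the file still carries a valid Microsoft Authenticode signature, records its hash, version and last-write time, and lists updates installed in the last two weeks so the write time can be matched against a patch. It assumes PowerShell 4.0 or later (for Get-FileHash) and an elevated prompt; the file path and the 14-day window are defaults chosen for this example.

```powershell
# Added example (not from the thread): decide whether a changed Windows system
# file such as C:\Windows\system32\ntoskrnl.exe is a legitimate update or
# something to investigate, using only built-in cmdlets.
# Assumes PowerShell 4.0+ (Get-FileHash) and an elevated prompt.

param(
    [string]$Path = "$env:SystemRoot\System32\ntoskrnl.exe",
    [int]$Days = 14
)

function Get-SystemFileReport {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256

    # A file replaced by Windows Update keeps a valid Microsoft signature.
    # A tampered binary typically shows NotSigned or HashMismatch instead.
    $signedByMicrosoft = ($sig.Status -eq 'Valid') -and
                         ($sig.SignerCertificate.Subject -match 'Microsoft')

    [pscustomobject]@{
        Path              = $item.FullName
        LastWriteTime     = $item.LastWriteTime
        FileVersion       = $item.VersionInfo.FileVersion
        SHA256            = $hash.Hash
        SignatureStatus   = $sig.Status
        Signer            = $sig.SignerCertificate.Subject
        SignedByMicrosoft = $signedByMicrosoft
    }
}

function Get-RecentUpdates {
    param([int]$Days = 14)

    $since = (Get-Date).AddDays(-$Days)
    # Get-HotFix reads the installed-update list. InstalledOn is blank for
    # some entries, so those are kept rather than silently dropped.
    Get-HotFix |
        Where-Object { -not $_.InstalledOn -or $_.InstalledOn -ge $since } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn
}

$report = Get-SystemFileReport -Path $Path
$report | Format-List

if (-not $report.SignedByMicrosoft) {
    Write-Warning "Signature check failed for $Path; treat the change as suspicious."
}

"Updates installed in the last $Days days (compare with LastWriteTime above):"
Get-RecentUpdates -Days $Days | Format-Table -AutoSize
```

    If the signature is Valid and the file's LastWriteTime falls on the same day as a listed update, the Network Threat Protection message is explained by that patch. A signature status of NotSigned or HashMismatch on a core system file is the case worth escalating to the IT department mentioned later in the thread; the built-in `sfc /verifyfile=C:\Windows\system32\ntoskrnl.exe` command gives an independent second opinion by comparing the file against the protected system copy.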



  • 12.  RE: Web Attack: Exploit Kit Variant Activity 3

    Posted May 17, 2011 06:04 PM

    There was a windows update a few days ago and there was a flash update earlier that day.

    Either way I've never seen a message like that before, and I've been seeing odd behavior like this ever since I got that Exploit Kit message.