
Thursday, June 20, 2013

Possible Malware Infection on Home System

So, I've a potential malware infection on a host within my home LAN.  It is a Windows 7 system.  Before anyone ridicules the choice of Windows, let it be known that it is rather easy to secure a Windows system from a lot of malware.  Really.  And in my line of work, I've seen many non-Windows systems compromised, so my view is entirely different from that of the typical *nix zealots out there.  If you aren't already aware, I tend to be highly objective when it comes to OS ideology.  I'm not going to be open to discussing things if the first shared thought is, "why are you using Windows?"  I'm not for the "down with the man" mentality.

Now, about this issue.  Here are the current symptoms:

McAfee AV is installed.  It was found to not be running when I first began to investigate.  I reactivated it last night, did a quick scan (no issues detected) and then did a full scan (no issues detected).

I also ran MalwareBytes.  It didn't find anything other than some cookies that it suggested to be removed (I removed them).

I also ran both AdAware and Spybot: Search and Destroy.  Both found some spyware-related things that I removed.  They didn't find anything with high severity.

I also ran the MS malicious software removal tool (it didn't detect any issues).

I did all this yesterday evening and finished around 8PM.

I also have Snort sniffing traffic on the LAN.  It is detecting some rather weird traffic.  It is seeing the Win7 system trying to communicate with a Linux host on port 137 (the Linux host is refusing the attempts).  Also, if I do a tcpdump to see any traffic coming from the Win7 machine, I see the Win7 machine connecting to each Linux server on the LAN on port 80.  What's odd about that is that it seems to have focused purely on the Linux machines, and each and every machine it connects to actually has Apache running.  I've seen no service scans (or any other scans).
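The triage step described above (look at everything leaving the suspect host and see which peers and ports it is touching) is easy to script. The following is an added example, not code from the original post: it parses `tcpdump -n`-style lines, counts destination (host, port) pairs for one source address, and groups the hosts contacted per port, which makes a one-port sweep across several peers obvious. The capture lines and the 192.168.1.x addresses are constructed for the example; the Win7 host is assumed to be 192.168.1.50.

```python
import re
from collections import Counter

# Shape of a "tcpdump -n" IPv4 line: "<time> IP <src>.<sport> > <dst>.<dport>: ..."
_PKT_RE = re.compile(
    r"^\S+ IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)

# Constructed sample capture (not from the post). 192.168.1.50 stands in for the
# Win7 host; .10, .11 and .12 are the Linux boxes; .1 is the LAN resolver.
SAMPLE_CAPTURE = """\
08:44:01.100 IP 192.168.1.50.49201 > 192.168.1.10.80: Flags [S], seq 1, win 8192, length 0
08:44:01.102 IP 192.168.1.10.80 > 192.168.1.50.49201: Flags [S.], seq 2, ack 2, win 29200, length 0
08:44:01.300 IP 192.168.1.50.49202 > 192.168.1.11.80: Flags [S], seq 1, win 8192, length 0
08:44:01.500 IP 192.168.1.50.49203 > 192.168.1.12.80: Flags [S], seq 1, win 8192, length 0
08:44:02.000 IP 192.168.1.50.137 > 192.168.1.10.137: UDP, length 50
08:44:03.000 IP 192.168.1.50.137 > 192.168.1.10.137: UDP, length 50
08:44:03.500 IP 192.168.1.50.53122 > 192.168.1.1.53: 1234+ A? updates.example.invalid. (41)
"""


def parse_line(line):
    """Return (src, sport, dst, dport) for a packet line, or None for anything else."""
    m = _PKT_RE.match(line)
    if not m:
        return None
    return m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def outbound_summary(capture, src_ip):
    """Count (dst_ip, dst_port) pairs for packets whose source is src_ip.

    Replies coming back to the host are ignored, so the result reflects only
    what the suspect machine itself initiated.
    """
    counts = Counter()
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt and pkt[0] == src_ip:
            counts[(pkt[2], pkt[3])] += 1
    return dict(counts)


def hosts_per_port(summary):
    """Group contacted hosts by destination port.

    One port hit on many peers (here: 80 on every Linux box) reads differently
    from many ports on one peer (a service scan), which is the distinction the
    investigation above turns on.
    """
    by_port = {}
    for (dst, port) in summary:
        by_port.setdefault(port, set()).add(dst)
    return by_port


if __name__ == "__main__":
    summary = outbound_summary(SAMPLE_CAPTURE, "192.168.1.50")
    for port, hosts in sorted(hosts_per_port(summary).items()):
        print(f"port {port}: {len(hosts)} host(s) -> {sorted(hosts)}")
```

Feed it real output with `tcpdump -n -i <iface> host <win7-ip> > capture.txt` and read the file in place of `SAMPLE_CAPTURE`; on the constructed data it reports three hosts on port 80, one on 137 and one on 53, with no reverse-direction packets counted.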

This morning, I decided to check the Snort logs and saw that the activity stopped occurring after my "fix" last night, but that it started up again at 2:44AM this morning.  When I checked the Win7 host, McAfee wasn't running.  I couldn't restart it (it was unresponsive).  I did another MWB scan, which didn't detect anything.  I checked the system logs and didn't see anything other than a lot of DNS errors (that may be indicative of anti-antivirus activity).  I then went to the McAfee AV home page to get a status of my system and saw that the status was, "This device needs to be online to get the latest protection updates."  Weird, especially since I've no indication that the system isn't online.

I decided to search the McAfee pages to see what solutions they offer (free solutions).  Right off the bat, I saw that the only thing they offer is a $90 removal service...WTH.  Their product let the machine get compromised, then they want to charge an additional $90 for removal (and no other free offerings).  That seems hokey.  I never had this problem with Norton/Symantec.

At this point, I'm probably going to reinstall the system with its factory image.  This is the first time in a very long time (I'm talking 10+ years) that I've had to reimage due to malware on a Windows system.  I've other systems in the house running Windows, and some have NO 3rd-party AV (my Alienware system is running Win8 and it's using Windows Defender without issue).

I'll keep this post updated with any other information I discover over the next few days.

UPDATE - I've found some free tools -- http://www.mcafee.com/us/downloads/free-tools/

UPDATE 2 - I've conducted some scans using the free tools and I'm still not able to find anything.  I'm wondering if the activity I've observed is actually part of their host discovery toolset...that sorta makes sense.  If only I could get some type of verification on this from a McAfee rep, or maybe find some document that describes how the host discovery system works and how it would look from a network security perspective.  But all that still wouldn't explain why the AV keeps disabling in the middle of the night...

FINAL UPDATE - Issue resolved.  After investigating further, I found that there was no infection.  Two things were occurring:  1) I've found that the AV services appear to be polling for services (network discovery - Symantec/Norton has this feature as well), 2) the self-update process had hung, which was causing the AV shutdowns.  Once I removed the existing version and got the latest, I found that there was a drastic difference between the two versions.  As well, the account portal had changed.  The fact that there was a major client upgrade may've broken communication with the account portal (that began working once I upgraded manually).  When this subscription is up, I'll either use Windows Defender or use one of my existing Symantec licenses to install that AV onto the system...not liking the McAfee AV experience.  :/

Saturday, December 01, 2012

w32.changeup

I was at work this week and a teammate mentioned that w32.changeup might be a concern to our client base.  We try to proactively alert our clients on what could affect them without needlessly spamming them (we try to weed through the hype as well).  The vendors already have the technical write-ups, so I'll spare the readers my thoughts on that.  But I will say that the worm was first discovered a year ago...it's an older worm but the new variants appear to be enhanced, and there's a large spike in infections across the world.  As well, the worm is apparently difficult to remove if not using AV tools.

In my research, I discovered the following:

  • When using Symantec as a resource, it is difficult to determine which variant is being discussed, which leads to confusion and not being fully aware of possible impact.  There are 32 variants of this worm and in most of Symantec's articles, knowledge-base entries, and blog/forum posts, the authors rarely mention the variants that could negatively affect users.

  • As well, there aren't many other vendors that can detect and/or remove infections, so it is critical that rare resources be accurately documented (as much as possible, at least).

  • I became curious if any other vendor could detect (and/or remove) the worm, but because I didn't know a common name for this worm that the industry was collectively using, it was difficult to find additional details.  Finally, I stumbled across this:  http://www.symantec.com/connect/blogs/w32changeup-worm-any-other-name, which is the Symantec Blog.  It lists several vendor names of the worm.  It is highly annoying that I had to visit Symantec's site to find what McAfee named the worm.

I hate researching worms and viruses because there are no real standards that the AV industry follows.

Resources:

http://www.symantec.com/security_response/writeup.jsp?docid=2009-081806-2906-99
http://www.symantec.com/security_response/writeup.jsp?docid=2012-112709-5049-99&tabid=2
http://www.symantec.com/security_response/writeup.jsp?docid=2012-112709-5049-99&om_rssid=sr-latestthreats30days
http://www.symantec.com/connect/blogs/w32changeup-worm-any-other-name
http://www.symantec.com/connect/blogs/w32changeup-threat-profile
https://kc.mcafee.com/corporate/index?page=content&id=KB76807
http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=1607456