Trace infected machine on network. Beagle virus.

It appears that we have a machine on our network that is infected with the Beagle virus. We believe this because our T1 provider is sending us emails stating that emails are being sent out from one of our external IPs that contain the Beagle virus. We have also gotten bounce-backs from companies that no one here has sent emails to, and those emails contained the Beagle virus. We have Symantec AV running on all of the machines, but we have no scheduled scans set up on them as of yet. And since we are running the SP2 firewall, we can't gain access to the local Symantec remotely. The IP address that these are getting sent out with is consistent with the one that our regular traffic uses, not the IP of our Exchange server. So, is there a way that we can track this computer down? Thanks for the help. Let me know if you need any more information.
Asked by: nextnet

Yancey Landrum (Technical Team Lead) commented:
You didn't mention how many computers you have so this may be extremely tedious. Depending on which variant it is, you can use tasklist to remotely find which machine is running the process; for example, in one variant the executable is simply called BBEAGLE.EXE:

tasklist /s MACHINENAME /fi "imagename eq BBEAGLE.EXE"

That could be tricky since there are many variants of Beagle, each one running under a different process name (in fact, one of them is a DLL that injects itself into Explorer.exe!).

Also, one of the "features" of the Beagle family is that they can shut off AV software; you could use this same method to find a machine that is NOT running NAV. I'm assuming you don't have the enterprise version of NAV or the System Center Console so you can't initiate a scan that way.

You can also shut off the SP2 firewall service remotely so you can initiate full scans. Use Computer Management, or psexec from Sysinternals. Get it here:

http://www.sysinternals.com/ntw2k/freeware/psexec.shtml

It's just an executable; no installation is necessary. Once you have it copied to your executable path, enter:

psexec \\machinename net stop "Windows Firewall/Internet Connection Sharing (ICS)"

That will run the Net Stop command on the remote machine. Then you can get in there and see what's up.

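A way to automate the per-host sweep described above, as an added example (this is not code from the thread or from any of the posters). It runs `tasklist /fo csv /s HOST` against each machine and flags hosts that show a known worm image name or that are missing the AV process. The `tasklist /fo csv` column layout is real, but the sample output, the host names, and the process names in `KNOWN_WORM_IMAGES` and `AV_IMAGES` (rtvscan.exe is assumed to be the Symantec real-time scanner here) are assumptions for illustration, not an authoritative list of Beagle variants.

```python
"""Sweep hosts with `tasklist /s` and flag (a) a known worm image name and
(b) a missing AV process.  Added example, not code from the original thread.
Assumptions: the image names below are illustrative; the sample output is
constructed; querying real hosts needs admin rights and a firewall exception.
"""
import csv
import io
import subprocess

KNOWN_WORM_IMAGES = {"bbeagle.exe"}   # name from the thread; add variants you know of
AV_IMAGES = {"rtvscan.exe"}           # assumption: Symantec AV real-time scanner process


def parse_tasklist_csv(text):
    """Return the set of lower-cased image names from `tasklist /fo csv` output."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["Image Name"].lower() for row in reader if row.get("Image Name")}


def classify_host(images):
    """Return (worm_hits, av_missing) for one host's process set."""
    worm_hits = sorted(images & KNOWN_WORM_IMAGES)
    av_missing = not (images & AV_IMAGES)
    return worm_hits, av_missing


def run_tasklist(host):
    """Query a remote host's process list (real call; needs admin rights)."""
    out = subprocess.run(["tasklist", "/fo", "csv", "/s", host],
                         capture_output=True, text=True, check=True)
    return out.stdout


def sweep(hosts, fetch=run_tasklist):
    """Return {host: (worm_hits, av_missing)} for hosts that need attention.
    Unreachable hosts are recorded as ([], None) rather than silently skipped,
    because a host you cannot query is exactly the one to walk over to."""
    findings = {}
    for host in hosts:
        try:
            images = parse_tasklist_csv(fetch(host))
        except (subprocess.CalledProcessError, OSError):
            findings[host] = ([], None)
            continue
        hits, av_missing = classify_host(images)
        if hits or av_missing:
            findings[host] = (hits, av_missing)
    return findings


# Constructed sample output; the header line is what `tasklist /fo csv` prints.
SAMPLE = {
    "WS01": '"Image Name","PID","Session Name","Session#","Mem Usage"\n'
            '"System Idle Process","0","Console","0","28 K"\n'
            '"explorer.exe","1234","Console","0","18,004 K"\n'
            '"rtvscan.exe","1400","Console","0","9,112 K"\n',
    "WS02": '"Image Name","PID","Session Name","Session#","Mem Usage"\n'
            '"explorer.exe","1204","Console","0","17,900 K"\n'
            '"BBEAGLE.EXE","1888","Console","0","2,412 K"\n',
}

if __name__ == "__main__":
    # Swap fetch=SAMPLE.__getitem__ for the default to sweep real hosts.
    for host, (hits, av_missing) in sweep(SAMPLE, fetch=SAMPLE.__getitem__).items():
        print(f"{host}: worm images {hits}, AV missing: {av_missing}")
```

Because the worm family can kill the AV process, the "AV missing" signal is worth as much as a name match: a host with no scanner running is a candidate even if its worm binary uses a name you have not listed.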
 
Rich Rumble (Security Samurai) commented:
Yes, the first thing to do is to turn off the XP firewalls; this can be done much more easily in your AD policies:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/mangxpsp2/mngwfw.mspx
With a Group Policy you can also set the firewall up in such a way that you can remotely administer the machines, and don't necessarily have to turn the firewall completely off.
or
To use built-in commands you can do the following (requires admin rights):
netsh firewall set opmode mode = disable   (you can also use enable to turn it back on)

Here are some scripts to help administer the XP firewall; they also require admin rights to be effective:
http://www.microsoft.com/technet/scriptcenter/scripts/network/firewall/default.mspx

OR have your users run the program here:
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle@mm.removal.tool.html (and the fix afterward: http://securityresponse.symantec.com/avcenter/FxBeagle.exe )
This should detect all the Beagle variants. Now, before you remove any viruses, or even spyware for that matter, on XP machines SYSTEM RESTORE MUST BE OFF FIRST:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam
http://support.microsoft.com/kb/q263455/

Another effective tool, just in case it's not Beagle but a similar virus, is McAfee's Stinger: http://vil.nai.com/vil/stinger/
Remember, System Restore must be off BEFORE removing the viruses. Get those updates and scans scheduled!
-rich


 
nextnet (Author) commented:
We have around 120 users and we do have Enterprise Edition. I have already made a GP to open up the specific ports and programs on the XP firewall. I have also created a group now in Symantec that will be scanning our computers nightly. Hopefully that will show something. Searching computer by computer for BBeagle.exe probably isn't going to happen unless we have exhausted other faster options. Updates are already scheduled, so that shouldn't be a problem. Thanks for the input. Is there any way of monitoring the network traffic to see who is sending these emails out? It seems to be a rather constant thing.
 
Rich Rumble (Security Samurai) commented:
Yes, if you set up Snort or another IDS and have a signature for it. You could also just use Ethereal and a spanned port to find it, as setting up Snort can take quite some time.

If you have Cisco switches, this is the command on the Catalyst series for spanning a port (also known as port mirroring):
set span 3/24 4/45
Blade 3 port 24 would be the source port, where your firewall or router plugs in, and blade 4 port 45 would be the spot you have the sniffer plugged into (just an example).
So every packet that is sent to/from port 3/24 is mirrored and also sent to port 4/45, so you can see what computer is sending what and where.
You'd fire up Ethereal and look for unauthorized usage of port 25 as a destination.

To make it easier to look for, use the following as your capture filter (the "and not" is the explicit form the capture filter syntax expects):

dst port 25 and not host 1.2.3.4

This capture filter says: look for packets that have a destination port of 25, but NOT from this host 1.2.3.4. Replace 1.2.3.4 with the IP of your mail server; this should cut down on false positives. Or ignore your mail server IPs and just look for who is sending to dst port 25 only:

dst port 25

Here is a capture filter tutorial:
*******************************************************************

Here are some different capture filters (the examples probably help more).

Host filtering (host is either an IP address or a host name; "host FRED" is the same as "host 10.0.0.21"):
  host <host>          Capture all packets to/from host
  src host <host>      Capture all packets where host is the source ("src host FRED" is the same as "src host 10.0.0.21")
  dst host <host>      Capture all packets where host is the destination
Examples:
  host 10.10.10.10         Capture all packets to and from 10.10.10.10
  src host 10.10.10.10     Capture all packets where 10.10.10.10 is the source
  dst host 10.10.10.10     Capture all packets where 10.10.10.10 is the destination
--------------------------------------------------
Port filtering:
  port <port>          Capture all packets where port is either the source or destination port
  src port <port>      Capture all packets where port is the source port
  dst port <port>      Capture all packets where port is the destination port
Examples:
  port 80          Capture all packets where 80 is either the source or destination port
  src port 80      Capture all packets where 80 is the source port
  dst port 80      Capture all packets where 80 is the destination port
--------------------------------------------------
Network filtering:
  net <net>            Capture all packets to/from net
  src net <net>        Capture all packets where net is the source
  dst net <net>        Capture all packets where net is the destination
Examples:
  net 192.168          Capture all packets where the network is 192.168.0.0
  src net 192.168      Capture all packets where the 192.168.0.0 network is the source
  dst net 192.168      Capture all packets where the 192.168.0.0 network is the destination
--------------------------------------------------
Protocol-based filters
Ethernet based:
  ether proto \<primitive name>
Examples:
  ether proto \ip, or just ip          Capture all IP packets
  ether proto \arp, or just arp        Capture all Address Resolution Protocol packets
  ether proto \rarp, or just rarp      Capture all reverse ARP packets
--------------------------------------------------
IP based:
  ip proto \<primitive name>
Examples:
  ip proto \tcp, or just tcp           Capture all TCP segments (packets)
  ip proto \udp, or just udp           Capture all UDP packets
  ip proto \icmp, or just icmp         Capture all ICMP packets
--------------------------------------------------
Combining primitive expressions
You may combine primitive expressions using the following:
  Negation:        ! or not
  Concatenation:   && or and
  Alternation:     || or or
Examples:
  host 10.10.10.10 && ! net 192.168    Capture all packets to/from 10.10.10.10 that are not to/from 192.168.0.0
  host 10.10.10.10 && port 80          Capture all packets to/from 10.10.10.10 that are sourced from/destined to port 80
Remember you can filter with "not" as well:
  port 4444 or port 69 and not port 1433 and not port 1159

  tcp port 4444 and not port 135    (capture all traffic with 4444 as the TCP source/destination port and not going to port 135, UDP or TCP)
-rich
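The same triage the capture filter above performs, carried out in code so you can see why excluding the mail server works and how to rank what is left: an added example (Python, not code from the thread or from either poster). It applies the equivalent of `dst port 25 and not host <mail server>` to a constructed list of `(src, dst, dst_port)` tuples standing in for what the sniffer on the mirrored port would see, then ranks internal sources by how many distinct SMTP destinations they contacted. `MAIL_SERVER`, `INTERNAL` and all addresses are assumptions for illustration, not values from the original post.

```python
"""Rank internal hosts by direct SMTP fan-out: a mass-mailer connects to many
external MTAs itself, while a legitimate client only ever talks to the mail
server and so never matches 'dst port 25 and not host MAIL_SERVER'.
Added example, not code from the original thread; all addresses are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

MAIL_SERVER = "10.0.0.25"               # assumption: the Exchange server's IP
INTERNAL = ip_network("10.0.0.0/8")     # assumption: the LAN address range


def matches_filter(pkt, mail_server=MAIL_SERVER):
    """Python equivalent of the capture filter 'dst port 25 and not host MAIL_SERVER'.
    'not host X' drops packets with X as either source or destination."""
    src, dst, dport = pkt
    return dport == 25 and mail_server not in (src, dst)


def smtp_fanout(packets, mail_server=MAIL_SERVER, internal=INTERNAL):
    """Map each internal source to the set of SMTP destinations it contacted
    without going through the mail server."""
    fanout = defaultdict(set)
    for pkt in packets:
        if not matches_filter(pkt, mail_server):
            continue
        src, dst, _ = pkt
        if ip_address(src) in internal:
            fanout[src].add(dst)
    return dict(fanout)


def rank_suspects(packets, min_destinations=2, **kwargs):
    """Sources ordered by number of distinct MTAs contacted, most first.
    Sources below min_destinations (e.g. one stray connection) are dropped."""
    fanout = smtp_fanout(packets, **kwargs)
    ranked = sorted(((src, len(dsts)) for src, dsts in fanout.items()),
                    key=lambda item: (-item[1], item[0]))
    return [(src, n) for src, n in ranked if n >= min_destinations]


# Constructed sample: what the sniffer on the mirrored uplink port might see.
SAMPLE_PACKETS = [
    ("10.0.1.7", "10.0.0.25", 25),        # normal client -> mail server (filtered out)
    ("10.0.0.25", "198.51.100.10", 25),   # mail server delivering outbound (filtered out)
    ("10.0.1.9", "203.0.113.5", 80),      # web browsing (wrong port)
    ("10.0.1.9", "203.0.113.9", 25),      # one direct SMTP connection, below threshold
    ("10.0.1.50", "203.0.113.20", 25),    # infected host spraying external MTAs
    ("10.0.1.50", "203.0.113.21", 25),
    ("10.0.1.50", "198.51.100.30", 25),
    ("10.0.1.50", "198.51.100.30", 25),   # repeat destination, counted once
    ("10.0.1.50", "192.0.2.77", 25),
]

if __name__ == "__main__":
    for src, n in rank_suspects(SAMPLE_PACKETS):
        print(f"{src}: {n} distinct SMTP destinations bypassing {MAIL_SERVER}")
```

Counting distinct destinations rather than raw packets is deliberate: a single large attachment to one MTA produces many packets but one destination, whereas a worm's signature is breadth. If your site legitimately relays through more than one server, add each to the exclusion the way the filter excludes the mail server.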
 
nextnet (Author) commented:
I split the points. The virus actually started sending emails internally, so we were able to look at the header, and it contained the IP address of the infected computer. I will give that port mirroring a try for future issues. Thanks.
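The header check that resolved this case, done in code as an added example (Python, not code from the thread or from the poster). The From: line of a mass-mailer message is forged and useless for tracing; what identifies the sender is the bottom-most Received: line, which your own server wrote when the infected host connected to it. The message below is constructed, and the host names and addresses in it are assumptions.

```python
"""Pull the originating client IP from a message's Received: headers.
Received: lines are prepended at each hop, so the last one in the header
block is the first hop, i.e. the one your own server stamped on the
infected client's connection.  Added example; the message is constructed.
"""
import re

FROM_CLAUSE = re.compile(r"^from\s+(.*?)\s+by\s", re.IGNORECASE)
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ANY_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def unfold_headers(raw):
    """Logical header lines with RFC 2822 folding (leading whitespace) undone."""
    head = raw.split("\n\n", 1)[0]
    lines = []
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_hops(raw):
    """Received: values in delivery order: first written (origin) first."""
    vals = [line.split(":", 1)[1].strip()
            for line in unfold_headers(raw)
            if line.lower().startswith("received:")]
    return list(reversed(vals))


def origin_ip(raw):
    """IP of the host that handed the message to the first server, or None.
    Prefer the bracketed address (the connecting peer as seen by the server)
    over any IP that merely appears in the HELO name, which the sender controls."""
    hops = received_hops(raw)
    if not hops:
        return None
    m = FROM_CLAUSE.match(hops[0])
    clause = m.group(1) if m else hops[0]
    hit = BRACKETED_IPV4.search(clause)
    if hit:
        return hit.group(1)
    hit = ANY_IPV4.search(clause)
    return hit.group(0) if hit else None


# Constructed sample: an internal message as the Exchange server might store it.
SAMPLE_MESSAGE = (
    "Received: from exch01.corp.example ([10.0.0.25]) by exch01.corp.example\n"
    "\twith Microsoft SMTPSVC; Tue, 14 Sep 2004 09:12:01 -0400\n"
    "Received: from ws-050 ([10.0.1.50]) by exch01.corp.example\n"
    "\twith Microsoft SMTPSVC; Tue, 14 Sep 2004 09:11:58 -0400\n"
    "From: \"Accounting\" <accounting@corp.example>\n"
    "To: bob@corp.example\n"
    "Subject: Re: Document\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print("origin:", origin_ip(SAMPLE_MESSAGE))   # the infected workstation
```

Only trust Received: lines added by servers you control; anything below the one your own server wrote can have been forged by the sender, which is why this reads the earliest hop rather than scanning every header for an address.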
 
Yancey Landrum (Technical Team Lead) commented:
Ah, I didn't know you were on AD. Yeah, 120 machines would make it a bit tedious, especially since you don't yet know which variant it is. Well, hopefully the full scan will catch it, unless it has disabled the AV software.

Ethereal (http://www.ethereal.com) is a free, open-source packet sniffer that you can use to see (among many other things) which machine is sending out tons of SMTP traffic. You'll need to place the network interface of whatever machine you designate as the sniffer into promiscuous mode so it will see all traffic (not just broadcast and multicast traffic).

If you have a switched network (and who doesn't these days), you'll need to set up a way to sniff unicast packets. Some switches can replicate all traffic on all ports to a single port so you can plug your analyzer into that port to sniff your entire network. Check the documentation for your switch to see if this is possible with your equipment (most Cisco switches support this).

Or, if you have one around, you can stick a regular (non-switched) hub between your network firewall and internet gateway; then plug your sniffer machine into that.




 
Yancey Landrum (Technical Team Lead) commented:
Oops; that's what I get for not refreshing a page before hitting submit...
