Solved

Virus or someone just after me... Paranoya issue?

Posted on 2007-11-23
7
435 Views
Last Modified: 2013-11-22
I have a question which I think doesn't fit into any category. I'm new in the office where I work in now. The first week when I came to substitute the previous network admin was terrible. For some reason computers in the office (3 networks) where infected by virus. I had to walk around the office (> 100 pcs) and clean them up, install antispyware and windows updates. Th second month I've implemented WSUS and installed the deployed latest version of CA antivirus. I've been keeping an eye on regular apdates of computers on the network and everything was fine until today. One of pcs didn't have updated antivirus and started to send smtp requests, spam messages I believe, because we where blocked by spamcop.
The whole office wasn't able to send any emails externally of our office. All email where returning back with ndr saying that spamcop blocked our IP. I did my best, I found pc that was sending the report, I've closed smtp ports on ISA since we use only Exchange.
Now seems we are unblocked and email is fine...
Just trying to share with you. How comes that this office have never had any problems before me and when I came so many problems occured just like that?
I know there's no my fault, but users think it's my fault. I don't get any help or support from other two IT guys. One of them is a technician, another keeps resolving problems with Navision. I do the rest...
All office personnel was thinking that it's my fault that email was blocked for the day.
So frustrated. My first project which is about to fail...
Sorry.. It's not a question or anything, just sharing. Hope I won't be banned for this post. PLease, delete it if it's out of this site scope...
0
Comment
Question by:Zaurb
7 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20341189
All manner of possibilties.

1. the fact that you have had to get all the updates sorted yourself suggest that the site was a problem waiting to happen anyway. This could be down to just your bad luck/co-incidence.

2. If you are having to amend the ISA rules in such a way then that is purely bad configuration that you have inherited. ISA configurations start with most protocols open for all users through all ports but then get closed down to specific ports from specific machines for specific groups/users/services.

3. Sounds like your predecessor may have left the odd 'present' on the environment to either catch you out/show you up or cause troubles for the company 9rather than just for you). Not sure what version of ISA you are running but assuming it is a supported version (2004/2006) then would be worthwhile opening the isa gui, select monitoring-logging-click start query and watching the inbound/outbound traffic flows for a while just in case something has been amended/tampered with.

4. I'd also check your user accounts - especially if you provide remote access to the system. Any accounts that don't match the current userbase? Check the ISA gui in the firewall policy for the published servers - especially any rdp/vpn entries. Review any source IP's that you don't recognise.

Sounds like the site was in sh*t order and you are sorting it out. The new kid on the block is always the one to get the blame when things happen unexpectedly. Change the tack from being defensive to being positive. Document nthe state of things you have found without mud-throwing, then detail the things you are dealing to ensure they are corrected. All anyone can do.

Keith
0
 
LVL 10

Expert Comment

by:effx
ID: 20341211
Ok i have this virus/spambot/spam relay on my computer there are no spyware/virus updates for this virus/root kit i have disabled it by blocking its output port, I have scanned my computer with over 50+ scanners, only one of them detected that there was a problem but could not fix it.

To find a solution i used wireshark to find all the network traffic, I found that this virus/root kit does this process :

It connects to these addresses
http://208.72.169.22:4099/g/714A79-7A5423-DB00D2 or http://208.72.168.250:4099
Downloads a zip file which contains :

      000_data22
      001_ncommall
      002_senderna
      003_sendersu
      config
      message
      mlist
      mxdata

Once this file is downloaded it reads the files in the correct order eg. 000, 001, 002, 003, config, message, mlist, msdata

From what i could deduce from this virus/root kit is that this turns one of your computers into a spam relayer thus making your public fixed IP address a spammer and stopping your outgoing mail by companies that monitor for spam, once contained you should notify the people that you have found and contained the spamming virus and they should remove you from the list.

The way I containd this virus/root kit was to block the port 4099 on my router to the public port, this seems to disable the virus, now all we need to do is hope that one of those amazing virus companies get an updat that removes this virus, In the mean time i will be writing my own antivirus and if i removes the virus i will post a removal link.

Another point this virus/rootkit hides itself from windows by faking responses from the CPU when accessing the the files system.

The semi-solution to this is to block the port that the virus recieves its data on, use wireshark to find this, run wireshark before you start the computer you think has the infection, then start it, as soon as the system detects internet connection it will do what looks like an normal web connect but on a strange port, or even port 80, and straight after that it will start sending spam out on the smtp port, at this point switch the computer off that is infected, scroll through all the logs that you got from wireshark and just befor and smtp data there is your port and address where the virus/rootkit downloads from.

Block the download port this will stop the virus/rootkit.

I how this clarifies some stuff for you.

Method of infection i have found is buffer overflow installation - but dont quote me on that.

EFFX.
0
 
LVL 10

Expert Comment

by:effx
ID: 20341223
as for the site, not a nice setup. i know i just got a 1000 computer site and a week of being there things have started to happen, but i dont think its as bad as yours. If the problem does not get resolved i would re image the computer that is infected. :-)
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 1

Author Comment

by:Zaurb
ID: 20341394
i had only three pcs which i have had to reinstall & re-format when we've started having troubles with spamcop. My boss told me that it's not a nice start...

0
 
LVL 6

Accepted Solution

by:
rbkumaran earned 20 total points
ID: 20342143
With 100 + computers in the network, why would every PC in th network be allowed to SMTP on port 25? That in itself is asking for trouble.

An ideal solution would be to use a mail gateway so any SMTP to the internet is only allowed from that gateway. Also, all open (OUT) is again not the best way to secure network. Allow access on only required ports, set an internal policy and any exceptions to the existing rules be done on a request/approval basis.

If I were you, I would use this issue to my advantage to take control of IT chaos and revamp wherever necesssary
0
 
LVL 10

Expert Comment

by:effx
ID: 20343345
I agree with rbkumaran, You have found the problem not created it. Explain that you are endevoring to rectify the problem and tidy the network up, you will come out of this smelling of roses if you fix all the problems.

Make all internet communication go through a proxy this way you can control all the internet transmissions, make sure your proxy has an SPI firewall on it too. Ensure you close all ports except the required ports, use authentication on your proxy too this way you can log transmissions to single users.

There are software solutions to proxies and also hardware solutions.

For software you could use something like WinGate

For Hardware you could use anything from a Belkin Router (Eugh) upto a dedicated PIX firewall.

The choice is yours show managment the problems then explain what you are going to do and prove that you are 10x better than the last guy.

EFFX
0
 
LVL 1

Author Closing Comment

by:Zaurb
ID: 31410722
Thank you very much! I followed your advice and it really helped me! Thanks!
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Suggested Solutions

These are on the increase and getting more common these days. Users who use the Google search engine may complain of having their search redirected to unwanted sites, regardless of what browser is used. This happens when the system is infected with…
Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now