Solved

Investigate malware infection

Posted on 2010-09-14
16
1,118 Views
Last Modified: 2013-11-22
Hi,

I would like to further investigate a malware infection found on one of our machines and was hoping for some advice on how best to go about doing further investigation... (if for nothing more than my own curiosity)

It was picked up by Symantec as 'Suspicious.IRCBot' living in the 'C:\WINDOWS\Temp' folder running as the user 'SYSTEM' and lists a long (TMP00000FC136........) file name.

How best to:
- Determine what originally caused the infection, along with (ball park) date of infection.
- Determine if this file is associated with a particular process or service.
- Determine the IP/hostname of the (presumably) IRC server it is attempting to communicate with (if at all).
- Any other info that could be interesting regarding the source or background of the infection.

Coincidentally:
All efforts thus far to remove the malware have failed:
Disabling system restore, boot in safe mode, disk clean up, delete all temp files, scan with malware bytes, scan with symantec, scan with mse... (removing it is not important, will just rebuild - but just giving background of infection)

Side notes regarding machine:
Windows XP Pro - Domained
No important info on the machine
Currently quarantined (disconnected) from company network whilst investigating

Thanks in advance!
Question by:Roger Adams
16 Comments
 
LVL 8

Expert Comment

by:tskelly082598
ID: 33674629
Check for email messages dated the same date. You can recover deleted messages from Outlook if necessary. Check eventvwr.msc for messages the same date.
0
 
LVL 8

Expert Comment

by:tskelly082598
ID: 33674633
That is, date of the TMP000 files.
0
 

Author Comment

by:Roger Adams
ID: 33674689
That makes sense, however I don't think those actual dates are relevant as the TMP000...... file keeps getting removed by the AV & 're-creating' itself... i.e. AV will scan, find the infected file & either quarantine or delete the file. But soon there will be a 'new' infected file with a slightly modified filename (still keeping close to TMP000xxxxxx)
0
 
LVL 8

Expert Comment

by:tskelly082598
ID: 33674901
Maybe HIJACKTHIS can identify the malicious files, and then you may be able to identify a folder with a date and time stamp that those files have been created in.
0
 
LVL 8

Expert Comment

by:tskelly082598
ID: 33675487
Download location for Hijackthis

http://free.antivirus.com/hijackthis/

Copy to a CD or thumb drive from another computer.
0
 

Author Comment

by:Roger Adams
ID: 33675730
Cheers, will do that 1st thing tomorrow morning & update...
0
 
LVL 7

Expert Comment

by:mchkorg
ID: 33680417
Hi,

Run "hijackthis"
Then upload your log to www.hijackthis.de to have the output analyzed
That'll maybe give you some directions

regards
0
 

Author Comment

by:Roger Adams
ID: 33680525
Because the virus seemed to be 'regenerating' itself, what I did was run hijackthis as soon as the machine booted, then run the AV scan & as soon as it picked up the malware in the TEMP folder I ran hijackthis again - looking for anomalies etc...

Nothing looks too much out of place, see v1 and v2 of hijackthis log attached...
hijackthis-local-admin-v1.txt
hijackthis-local-admin-v2.txt
0
 
LVL 7

Expert Comment

by:mchkorg
ID: 33681101
Just double-check C:\Program Files\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe and C:\Program Files\Hewlett-Packard\Embedded Security Software\ifxtcs.exe are really some part of an HP soft suite

And they recommend to delete some keys if you don't know the domain names:
HKLM\System\CCS\Services\Tcpip\Parameters: Domain = G3LAN.NET
HKLM\Software\..\Telephony: DomainName = G3LAN.NET
HKLM\System\CS1\Services\Tcpip\Parameters: Domain = G3LAN.NET

Did you try to run something like "spybot" (after you update its database)?
0
 

Author Comment

by:Roger Adams
ID: 33681557
ifxspmgt.exe and ifxtcs.exe:
These appear to be legitimate elements of HP Embedded Security (after some Googling)

Domain entries:
Those are known & okay.

Malware bytes:
Ran in safe mode - nothing found.

Spybot search & destroy:
Ran in safe mode - nothing found.

Symantec AV:
Ran in normal mode - finds threat as stated above. See attached image. Every time it finds a file in the TEMP folder it is quarantined, few minutes later a new file is present.

Infected File content:
I disabled the AV to allow me some time to look inside the infected file (for what it's worth). See text file attached.

Symantec have a page on this particular type of threat:
http://www.symantec.com/security_response/writeup.jsp?docid=2010-011822-4456-99
This gives nothing interesting other than mentioning that it is not picked up using traditional signature checking, but monitors behaviour: "This technology is aimed at detecting malicious software that has been intentionally mutated or morphed by attackers."

This is looking more & more like a botnet infection rather than a traditional virus or trojan.

What I'm going to do next:
Connect the machine to a standalone internet connection.
Disable the AV to allow the Malware to execute what it likes.
Monitor all traffic with Wireshark & investigate all unknown IP addresses it attempts to communicate with. (see if it calls home to any c&c servers etc)

symantec-threat-found.PNG
TMP000022633029B9BAFA0E01DD.txt
0
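Added example, not from the thread or any of its participants, illustrating the traffic triage step the author describes in the comment above: once Wireshark has captured the quarantined machine's traffic, export the flows and sort out which external destinations deserve a closer look. The script assumes a tab-separated export in the shape of `tshark -T fields -e ip.src -e ip.dst -e tcp.dstport`; the addresses in the embedded sample are constructed, and the `known_good` allow-list is a placeholder the caller fills in.

```python
import ipaddress
from collections import Counter

# Constructed sample in the shape of
#   tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport
# output (one flow per line, tab-separated). Addresses are made up for the example.
SAMPLE_TSHARK = (
    "192.168.1.50\t192.168.1.1\t53\n"
    "192.168.1.50\t192.168.1.10\t445\n"
    "192.168.1.50\t203.0.113.7\t6667\n"
    "192.168.1.50\t203.0.113.7\t6667\n"
    "192.168.1.50\t198.51.100.22\t80\n"
    "192.168.1.50\t203.0.113.7\t6667\n"
    "garbled line without tabs\n"
)

# RFC 1918 and loopback ranges: traffic to these is LAN chatter, not a call home.
# Listed explicitly rather than via ip_address().is_private, which would also
# hide the documentation ranges (203.0.113.0/24 etc.) used in the sample.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Ports conventionally used by IRC. A hit is a reason to look closer, not proof of a C&C channel.
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 6697, 7000}


def parse_tshark_fields(text):
    """Turn (src, dst, dstport) lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        records.append({"src": parts[0], "dst": parts[1], "dport": int(parts[2])})
    return records


def is_local(ip):
    """True for RFC 1918 / loopback addresses; unparseable strings count as not local."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_NETS)


def triage(records, known_good=()):
    """Count flows per external (dst, port), most frequent first, skipping allow-listed hosts.

    known_good: destinations already explained (e.g. the AV vendor's update servers).
    The caller supplies this list; the example has no built-in knowledge of any site.
    """
    counts = Counter(
        (r["dst"], r["dport"]) for r in records
        if not is_local(r["dst"]) and r["dst"] not in known_good
    )
    return [
        {"dst": dst, "dport": port, "flows": n, "irc_port": port in IRC_PORTS}
        for (dst, port), n in sorted(counts.items(), key=lambda kv: -kv[1])
    ]


if __name__ == "__main__":
    for f in triage(parse_tshark_fields(SAMPLE_TSHARK)):
        flag = "  <- IRC-range port, resolve and check" if f["irc_port"] else ""
        print(f"{f['dst']}:{f['dport']}  flows={f['flows']}{flag}")
```

Feed a real export in through `parse_tshark_fields(open(path).read())`. A destination that recurs on an IRC-range port, or any external host the machine has no business contacting, is the one to resolve and look up; the allow-list keeps the AV and Windows Update servers from cluttering the output.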
 

Author Comment

by:Roger Adams
ID: 33681650
just working through the contents of the infected file...
it bears references to a file called acregcrt.exe and a company called ActivIdentity...
Investigating that now...
0
 

Author Comment

by:Roger Adams
ID: 33682023
Okay... seems the 'infected files' relate to the ActivClient from the company ActivIdentity, which is part of HP's security suite.

Satisfied that curiosity for now, going to rebuild & see if the app is part of the standard build.
0
 
LVL 8

Assisted Solution

by:tskelly082598
tskelly082598 earned 500 total points
ID: 33685507
Here is another program similar to Hijackthis at the Microsoft site that might provide some more insight.

http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
0
 

Author Comment

by:Roger Adams
ID: 33685536
I managed to stumble onto that sysinternals tool earlier today whilst looking around, great tool! Thanks for the suggestion
0
 
LVL 8

Expert Comment

by:tskelly082598
ID: 33686110
Have you identified what files are associated with re-loading the TMP*.* files?
0
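The question above (which process keeps re-creating the TMP files) is the kind of attribution Process Monitor answers. Here is an added example, not from the thread or any of its participants, that reads a Process Monitor CSV export and reports which process created files matching C:\WINDOWS\Temp\TMP*. The sample export is constructed for the example (process names, PIDs and times are made up; "exampleclient.exe" is a stand-in, not a finding), and the creation test relies on Process Monitor's "OpenResult: Created" text in the Detail column.

```python
import csv
import fnmatch
import io
from collections import Counter, defaultdict

# Constructed sample in the column layout of a Process Monitor CSV export (File > Save, CSV).
# Process names, PIDs and times are made up; "exampleclient.exe" is a stand-in name, not a
# finding. The first TMP filename is the one quoted in the thread, the second is invented.
SAMPLE_PROCMON_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.1000","svchost.exe","1012","CreateFile","C:\\WINDOWS\\Temp\\Perflib_Perfdata.dat","SUCCESS","Desired Access: Generic Write, OpenResult: Created"
"9:01:05.2000","exampleclient.exe","2244","CreateFile","C:\\WINDOWS\\Temp\\TMP000022633029B9BAFA0E01DD","SUCCESS","Desired Access: Generic Write, OpenResult: Created"
"9:01:05.2100","exampleclient.exe","2244","WriteFile","C:\\WINDOWS\\Temp\\TMP000022633029B9BAFA0E01DD","SUCCESS","Offset: 0, Length: 4,096"
"9:01:06.0000","Rtvscan.exe","1580","CreateFile","C:\\WINDOWS\\Temp\\TMP000022633029B9BAFA0E01DD","SUCCESS","Desired Access: Read Data, OpenResult: Opened"
"9:04:11.4000","exampleclient.exe","2244","CreateFile","C:\\WINDOWS\\Temp\\TMP00002263303A9C2B0F1E02EE","SUCCESS","Desired Access: Generic Write, OpenResult: Created"
'''


def find_creators(csv_text, path_glob=r"C:\WINDOWS\Temp\TMP*"):
    """Map each file matching path_glob to the (process, pid, time) events that created it.

    A row counts as a creation when it is a successful CreateFile whose Detail column
    says 'OpenResult: Created'. Plain opens of an existing file ('OpenResult: Opened')
    are ignored, so the AV scanner reading the file does not show up as its author.
    """
    creators = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "CreateFile" or row["Result"] != "SUCCESS":
            continue
        if "OpenResult: Created" not in row["Detail"]:
            continue
        # Windows paths are case-insensitive; compare lower-cased on both sides.
        if not fnmatch.fnmatch(row["Path"].lower(), path_glob.lower()):
            continue
        creators[row["Path"]].append((row["Process Name"], int(row["PID"]), row["Time of Day"]))
    return dict(creators)


def creators_by_process(creators):
    """Count matching files per (process name, pid); the process at the top is the one to look into."""
    counts = Counter()
    for events in creators.values():
        for name, pid, _time in events:
            counts[(name, pid)] += 1
    return counts.most_common()


if __name__ == "__main__":
    found = find_creators(SAMPLE_PROCMON_CSV)
    for path, events in found.items():
        for name, pid, when in events:
            print(f"{when}  {name} (PID {pid}) created {path}")
    print("by process:", creators_by_process(found))
```

Run Process Monitor with a filter of Path begins with C:\WINDOWS\Temp while the AV quarantines and the file reappears, save the capture as CSV, and pass the file's text to `find_creators`. With the PID in hand, the same capture (or Autoruns) shows which service or autostart entry launched that process, which is what separates a benign client that writes temp files from something that should not be there.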
 

Accepted Solution

by:Roger Adams
Roger Adams earned 0 total points
ID: 33717641
The TMP files were being created by the application ActivClient, from the company ActivIdentity, which is part of the HP standard build applications. Symantec appears to be picking up TMP files linked to this software as a false positive...

After a complete rebuild using recovery media, Symantec immediately detected the same 'infection' as before.

Here is the solution for removing (the 'un-uninstallable') ActivClient - which resolves Symantec flagging it up...
http://forums.techguy.org/all-other-software/781811-getting-rid-activclient-un-uninstallable.html

(btw I did submit the infected files to Symantec for review... surprise: no feedback yet)

Thanks for your help all...
0