Solved

Cannot Find Source of Virus Spreading on the Network

Posted on 2011-03-25
619 Views
Last Modified: 2013-11-22
Our network is currently infected with a Virus of some form that we have been unable to identify.  Even when we have imaged machines, the virus reappears on the machine soon after users go back to using the machine.

Most AV software does not even see a problem on the machines.  We believe it to be a Rootkit.

ComboFix seems to remove the infection, but does not tell us exactly what is happening.

What can we do on our network to find or track this activity?  Would packet captures help?
Question by:AutomatedIT
8 Comments
 
LVL 4

Assisted Solution

by:MaximumIQ
MaximumIQ earned 1000 total points
ID: 35219514
Here are a few things to try

1. Stick with one infected machine. Keep trying different anti-virus programs until you find one that can remove it and tell you where all the infected files are, then post the results.

2. Identify shared network resources that can be replicating the infection. This can be a program that's executed directly from a shared path, shared documents, spreadsheets, etc.

3. Use Wireshark to capture network activity and analyze that for anything suspicious.

In most cases, viruses like this replicate through roaming profiles, more so if your users switch computers often, or from running an infected network resource. The trick is to find an anti-virus that's aware of the virus and would notify you as soon as it tries executing.
LVL 11

Expert Comment

by:Patmac951
ID: 35219523
Have you checked the registry on the infected computers to see what runs during startup?

Run the regedit command and navigate to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Make sure there are no strange entries that appear to be random characters that are set to run during startup.  Secondly, check the Task Manager for random process names.  If you see anything strange or odd, Google it and you should be able to find out exactly what this virus is and how it spreads.
LVL 11

Expert Comment

by:Patmac951
ID: 35219540
Secondly, also check the registry in this area in case the process is specific to the current user and not the system:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
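A way to automate the check Patmac951 describes, added here as an example rather than code from the thread: on Windows it reads both Run keys named above and flags value names or executable names that look like random characters, or binaries launched from temp or roaming-profile directories. The vowel/digit ratios and the directory list are assumed heuristics, and SAMPLE is constructed input so the logic can be exercised on any platform.

```python
import re
import sys

RUN_KEYS = [  # the two autorun keys named in the thread (hive, subkey)
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_CURRENT_USER", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
]
# Assumed heuristic: legitimate installers rarely leave a startup binary in temp or roaming dirs.
SUSPECT_DIRS = re.compile(r"\\(temp|tmp|appdata\\roaming)\\", re.I)

def looks_random(name):
    """'Random characters' heuristic: a long token with almost no vowels or mostly digits."""
    core = re.sub(r"[^A-Za-z0-9]", "", name)
    vowels = sum(c in "aeiouAEIOU" for c in core)
    return len(core) >= 8 and (vowels / len(core) < 0.15 or sum(map(str.isdigit, core)) / len(core) > 0.4)

def flag_entries(entries):
    """entries: (hive, subkey, value_name, command) tuples -> list of (key, name, command, reasons)."""
    flagged = []
    for hive, subkey, name, command in entries:
        reasons = []
        if looks_random(name):
            reasons.append("random-looking value name")
        exe = re.search(r'([^\\" ]+)\.exe', command, re.I)
        if exe and looks_random(exe.group(1)):
            reasons.append("random-looking executable name")
        if SUSPECT_DIRS.search(command):
            reasons.append("runs from a temp or roaming-profile directory")
        if reasons:
            flagged.append((hive + "\\" + subkey, name, command, reasons))
    return flagged

def read_run_keys():
    """Windows only: enumerate the live Run keys; returns [] elsewhere so SAMPLE can be used instead."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    for hive, subkey in RUN_KEYS:
        with winreg.OpenKey(getattr(winreg, hive), subkey) as k:
            for i in range(winreg.QueryInfoKey(k)[1]):
                name, data, _ = winreg.EnumValue(k, i)
                entries.append((hive, subkey, name, str(data)))
    return entries

SAMPLE = [  # constructed entries, not from the thread: a benign one and a dropper-style one
    ("HKEY_LOCAL_MACHINE", RUN_KEYS[0][1], "SecurityHealth", r'"C:\Windows\System32\SecurityHealthSystray.exe"'),
    ("HKEY_CURRENT_USER", RUN_KEYS[1][1], "xk9q2rtz8w", r"C:\Users\bob\AppData\Roaming\xk9q2rtz8w.exe"),
]
```

On an infected workstation, flag_entries(read_run_keys()) lists the entries worth looking up; a flagged entry is a lead to verify, not proof of infection.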
LVL 38

Expert Comment

by:younghv
ID: 35219843
We've had a couple of similar questions lately that ended up being an infected router.
Review this information:
http://tidystorm.com/423/the-redirect-virus-was-in-my-router/

Give that a try and then use the information in these Articles to attack the malware in your workstations:

http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)
http://www.experts-exchange.com/A_1940.html (Basic Malware Troubleshooting)
LVL 1

Accepted Solution

by:vagedis23
vagedis23 earned 1000 total points
ID: 35219983
What kind of problems are your users experiencing because of this virus?

- change the passwords of all accounts with administrator rights,
- do not use default or easy to guess passwords on any device, e.g. WiFi routers, switches, printers etc. etc.
- do not allow anyone to connect USB sticks, iPods, smartphones etc. to any of the computers on your network.
- make sure users do not logon with administrative rights to their PC. 90 percent of all malware cannot infect a PC if the user has no administrative rights.

To find the root cause:
- reinstall a computer that is not connected to any network, and install a free firewall such as ZoneAlarm. Make sure it is set to block all traffic.
- make sure the passwords on this computer are not used on any other machine in your network.
- use an original CD to perform the installation of the OS
- download ZoneAlarm on a clean and trusted PC and save it on a new USB stick that has never been used before.
- update the reinstalled PC with all security fixes available on a trusted network. Update ZoneAlarm too.
- connect the fully updated PC to the network with the virus problem.
- logon with a user that has no administrator rights.
- wait for ZoneAlarm to show you popups about IP addresses that try to connect to the reinstalled PC.

When you recognize a computer or IP address that is trying to connect to your new clean PC for no apparent reason, disconnect that computer from the network.

Download a bootable anti-virus CD, and boot the computer that tried to access the reinstalled PC from that CD. Perform a full scan of the hard disk and see if any malware is found.

Sardu is a free tool that can download and create a bootable CD/DVD of several different AV companies. I usually use the Bitdefender or Kaspersky boot CD. You can find Sardu here:

http://www.sarducd.it/

ZoneAlarm you can find here:

http://www.zonealarm.com/security/en-us/anti-virus-spyware-free-download.htm

Good luck!
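The watching step in the accepted solution above, and MaximumIQ's Wireshark suggestion (which the author later says is what they actually used instead of ZoneAlarm), can be done from a packet capture: a freshly reinstalled PC with nothing listening should receive no inbound connection attempts at all, so every TCP SYN sent to it points at a host worth pulling off the network and boot-scanning. This added example is not code from the thread; it tallies connection attempts to the clean host per source from tshark field output. SAMPLE_SYNS is constructed data and 192.168.1.250 is the assumed address of the reinstalled PC.

```python
from collections import defaultdict

# Constructed sample (not a real capture) in the shape produced by
#   tshark -r capture.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" \
#          -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport
# i.e. one tab-separated line per TCP connection attempt: time, source, destination, dest port.
SAMPLE_SYNS = """\
1301040001.10\t192.168.1.20\t192.168.1.250\t445
1301040001.35\t192.168.1.20\t192.168.1.250\t139
1301040002.02\t192.168.1.20\t192.168.1.250\t445
1301040005.90\t192.168.1.20\t192.168.1.250\t135
1301040007.11\t192.168.1.250\t192.168.1.5\t80
1301040009.40\t192.168.1.5\t192.168.1.250\t445
1301040012.75\t192.168.1.20\t192.168.1.250\t445
"""

def parse_syns(text):
    """Yield (timestamp, src, dst, dport) from tshark field output, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue
        try:
            yield float(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def rank_inbound(records, clean_host, min_attempts=1):
    """Group connection attempts made *to* clean_host by source.
    Returns [(src, attempt_count, sorted_dest_ports)], noisiest source first."""
    attempts = defaultdict(int)
    ports = defaultdict(set)
    for _, src, dst, dport in records:
        if dst != clean_host:  # connections the clean host opened itself are expected (updates etc.)
            continue
        attempts[src] += 1
        ports[src].add(dport)
    ranked = [(s, n, sorted(ports[s])) for s, n in attempts.items() if n >= min_attempts]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for src, n, dports in rank_inbound(parse_syns(SAMPLE_SYNS), "192.168.1.250"):
        print(f"{src}: {n} connection attempt(s) to ports {dports}")
```

In the sample, 192.168.1.20 repeatedly probes the Windows file-sharing and RPC ports (445, 139, 135) of a machine that offers nothing, which is the "for no apparent reason" pattern the answer tells you to act on; the single attempt from 192.168.1.5 is still listed so it can be checked too.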
LVL 47

Expert Comment

by:rpggamergirl
ID: 35220878
Since ComboFix did remove the virus, the log should also show what files were deleted and the quarantine should also show what registry keys/values were deleted.

Could we look at the ComboFix log?

You could also get the files from the quarantine folder and upload it to jotti.org to have it scanned and find out the name of the virus.

As also suggested by younghv, it could also be an infected router, but only IF you're using a default password.
LVL 1

Author Comment

by:AutomatedIT
ID: 35323646
Used WireShark rather than ZoneAlarm, but the result was pretty much the same.

Thanks!