Solved

Cannot Find Source of Virus Spreading on the Network

Posted on 2011-03-25
Last Modified: 2013-11-22
Our network is currently infected with a Virus of some form that we have been unable to identify.  Even when we have imaged machines, the virus reappears on the machine soon after users go back to using the machine.

Most AV software does not even see a problem on the machines.  We believe it to be a Rootkit.

ComboFix seems to remove the infection, but does not tell us exactly what is happening.

What can we do on our network to find or track this activity?  Would packet captures help?
Question by:AutomatedIT
8 Comments
Assisted Solution

by:MaximumIQ
MaximumIQ earned 250 total points
ID: 35219514
Here are a few things to try

1. Stick with one infected machine. Keep trying different anti-virus programs until you find one that can remove it and tell you where all the infected files are, then post the results.

2. Identify shared network resources that can be replicating the infection. This can be a program that's executed directly from a shared path, shared documents, spreadsheets, etc.

3. Use Wireshark to capture network activity and analyze that for anything suspicious.

In most cases, viruses like this replicate through roaming profiles, more so if your users switch computers often, or from running an infected network resource. The trick is to find an anti-virus that's aware of the virus and would notify you as soon as it tries executing.
Expert Comment

by:Patmac951
ID: 35219523
Have you checked the registry on the infected computers to see what runs during startup?

Run the regedit command and navigate to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Make sure there are no strange entries that appear to be Random characters that are set to run during startup.  Secondly check the Task Manager for random Process names.  If you see anything strange or odd google it and you should be able to find out exactly what this virus is and how it spreads.
Expert Comment

by:Patmac951
ID: 35219540
Secondly also check the registry in this area in case the process is specific to the Current User and not the system

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
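To go through both Run keys named above on every imaged machine without clicking through regedit, here is an added PowerShell example (not from this thread). It lists each autostart entry and flags the ones an analyst would look at first: a random-looking value name, a target file that no longer exists, an unsigned or invalid signature, or a binary living in a user-writable folder. The vowel-ratio and folder heuristics are assumptions for triage, not proof of infection.

```powershell
# Added example: triage the HKLM and HKCU Run keys mentioned in the thread.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-ExePathFromCommand {
    param([string]$Command)
    # "C:\dir\app.exe" /arg -> C:\dir\app.exe ; C:\dir\app.exe /arg -> C:\dir\app.exe
    if ($Command -match '^\s*"([^"]+)"') { return $matches[1] }
    if ($Command -match '^\s*(\S+\.exe)') { return $matches[1] }
    return $Command.Trim()
}

function Test-LooksRandom {
    param([string]$Name)
    # Heuristic (assumption): names like "xkqzwvjt" have almost no vowels.
    $letters = $Name -replace '[^A-Za-z]', ''
    if ($letters.Length -lt 6) { return $false }
    $vowels = ($letters -replace '[^AEIOUaeiou]', '').Length
    return ($vowels / $letters.Length) -lt 0.2
}

$results = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
        $cmd = [string]$p.Value
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePathFromCommand $cmd))
        $flags = @()
        if (Test-LooksRandom $p.Name) { $flags += 'random-looking name' }
        if (-not (Test-Path -LiteralPath $exe)) {
            $flags += 'target missing'
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }
            # Assumption: legitimate autostarts rarely run from these user-writable folders.
            if ($exe -match '\\(AppData|Temp|Users\\Public)\\') { $flags += 'user-writable location' }
        }
        [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd; Flags = ($flags -join '; ') }
    }
}

$results | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt on the infected machine and compare the output with a freshly imaged machine; entries that only exist on the infected one are the candidates to look up.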
Expert Comment

by:younghv
ID: 35219843
We've had a couple of similar questions lately that ended up being an infected router.
Review this information:
http://tidystorm.com/423/the-redirect-virus-was-in-my-router/

Give that a try and then use the information in these Articles to attack the malware in your workstations:

http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)
http://www.experts-exchange.com/A_1940.html (Basic Malware Troubleshooting)
Accepted Solution

by:vagedis23
vagedis23 earned 250 total points
ID: 35219983
What kind of problems are your users experiencing because of this virus?

- change the passwords of all accounts with administrator rights,
- do not use default or easy to guess passwords on any device, e.g. WIFI routers, switches, printers etc.
- do not allow anyone to connect USB sticks, iPods, smartphones etc. to any of the computers on your network.
- make sure users do not log on with administrative rights to their PC. 90 percent of all malware cannot infect a PC if the user has no administrative rights.

To find the root cause:
- reinstall a computer that is not connected to any network, and install a free firewall such as ZoneAlarm. Make sure it is set to block all traffic.
- make sure the passwords on this computer are not used on any other machine in your network.
- use an original CD to perform the installation of the OS.
- download ZoneAlarm on a clean and trusted PC and save it on a new USB stick that has never been used before.
- update the reinstalled PC with all security fixes available on a trusted network. Update ZoneAlarm too.
- connect the fully updated PC to the network with the virus problem.
- log on with a user that has no administrator rights.
- wait for ZoneAlarm to show you popups about IP addresses that try to connect to the reinstalled PC.

When you recognize a computer or IP address that is trying to connect to your new clean PC for no apparent reason, disconnect that computer from the network.

Download a bootable anti-virus CD, and boot the computer that tried to access the reinstalled PC from that CD. Perform a full scan of the hard disk and see if any malware is found.

Sardu is a free tool that can download and create a bootable cd-dvd of several different AV companies. I usually use the Bitdefender or Kaspersky boot CD. You can find Sardu here ..
 
http://www.sarducd.it/

Zone alarm you can find here ..

http://www.zonealarm.com/security/en-us/anti-virus-spyware-free-download.htm

Good luck !
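The "clean bait PC" approach above works just as well with the built-in Windows Firewall log instead of ZoneAlarm popups. The following added PowerShell example (not from this thread) parses pfirewall.log lines, keeps only inbound (RECEIVE) attempts, drops peers you expect to talk to the machine, and ranks the rest by source, protocol and destination port so the host that keeps knocking on SMB stands out. The log lines are constructed samples in the standard pfirewall.log field order; the addresses and the known-good list are assumptions.

```powershell
# Added example: rank inbound connection attempts seen by a freshly installed bait PC.
# Constructed sample log; replace with the real file (see bottom) on the bait machine.
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2011-03-25 10:15:03 DROP TCP 192.168.1.57 192.168.1.200 49152 445 52 S 1234567 0 8192 - - - RECEIVE
2011-03-25 10:15:04 DROP TCP 192.168.1.57 192.168.1.200 49153 139 52 S 1234568 0 8192 - - - RECEIVE
2011-03-25 10:15:09 DROP TCP 192.168.1.57 192.168.1.200 49154 445 52 S 1234569 0 8192 - - - RECEIVE
2011-03-25 10:16:00 ALLOW TCP 192.168.1.200 192.168.1.5 50000 80 0 - 0 0 0 - - - SEND
2011-03-25 10:16:11 DROP UDP 192.168.1.12 192.168.1.255 137 137 78 - - - - - - - RECEIVE
'@

# Assumption: peers that are expected to contact the bait PC (e.g. the update server).
$knownGood = @('192.168.1.5')

function Get-InboundAttempts {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {          # column names come from the log header itself
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $cols = $line -split '\s+'
        $row = @{}
        for ($i = 0; $i -lt $fields.Length -and $i -lt $cols.Length; $i++) { $row[$fields[$i]] = $cols[$i] }
        if ($row['path'] -ne 'RECEIVE') { continue }           # inbound traffic only
        if ($knownGood -contains $row['src-ip']) { continue }   # ignore expected peers
        [pscustomobject]@{
            Source = $row['src-ip']; Protocol = $row['protocol']
            DstPort = $row['dst-port']; Action = $row['action']
        }
    }
}

# On the bait PC, enable firewall logging of dropped packets and read the default log instead:
# $lines = Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
$lines = $sampleLog -split "`r?`n"

Get-InboundAttempts $lines |
    Group-Object Source, Protocol, DstPort |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

With the sample data the top line is 192.168.1.57 hitting TCP 445 repeatedly, which is the machine to pull off the network and boot from the rescue CD; the single NetBIOS broadcast from 192.168.1.12 is ordinary background noise.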
Expert Comment

by:rpggamergirl
ID: 35220878
Since ComboFix did remove the virus, the log should also show what files were deleted and the quarantine should also show what registry keys/values were deleted.

Could we look at the ComboFix log?

You could also get the files from the quarantine folder and upload it to jotti.org to have it scanned and find out the name of the virus.

As also suggested by younghv, it could also be an infected router, but only IF you're using a default password.
Author Comment

by:AutomatedIT
ID: 35323646
Used WireShark rather than ZoneAlarm, but the result was pretty much the same.

Thanks!