Solved

Cannot Find Source of Virus Spreading on the Network

Posted on 2011-03-25
8
590 Views
Last Modified: 2013-11-22
Our network is currently infected with a Virus of some form that we have been unable to identify.  Even when we have imaged machines, the virus reappears on the machine soon after users go back to using the machine.

Most AV software does not even see a problem on the machines.  We believe it to be a Rootkit.

ComboFix seems to remove the infection, but does not tell us exactly what is happening.

What can we do on our network to find or track this activity?  Would packet captures help?
Question by:AutomatedIT
8 Comments
 
LVL 4

Assisted Solution

by:MaximumIQ
MaximumIQ earned 250 total points
ID: 35219514
Here are a few things to try:

1. Stick with one infected machine. Keep trying different anti-virus programs until you find one that can remove it and tell you where all the infected files are, then post the results.

2. Identify shared network resources that can be replicating the infection. This can be a program that's executed directly from a shared path, shared documents, spreadsheets, etc.

3. Use Wireshark to capture network activity and analyze that for anything suspicious.

In most cases, viruses like this replicate through roaming profiles, more so if your users switch computers often, or from running an infected network resource. The trick is to find an anti-virus that's aware of the virus and would notify you as soon as it tries executing.
 
LVL 11

Expert Comment

by:Patmac951
ID: 35219523
Have you checked the registry on the infected computers to see what runs during startup?

Run the regedit command and navigate to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Make sure there are no strange entries that appear to be random characters that are set to run during startup.  Secondly, check the Task Manager for random process names.  If you see anything strange or odd, Google it and you should be able to find out exactly what this virus is and how it spreads.
 
LVL 11

Expert Comment

by:Patmac951
ID: 35219540
Secondly, also check the registry in this area, in case the process is specific to the Current User and not the system:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
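A way to work through the Run keys Patmac951 points at without eyeballing regedit on every machine: export them with `reg export` and run the text through a small triage script. This is an added example, not something from the thread; the export text, the value names and the heuristics it applies (random-looking names, binaries in user-writable directories, system process names outside the Windows directory) are all constructed or assumed.

```python
import re
# Constructed sample export in the shape regedit / "reg export" write; the two
# odd entries are invented for illustration, not indicators from the thread.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"
"xjqkwpz"="C:\\Users\\Public\\xjqkwpz.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Update"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"
'''
ENTRY_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
PATH_RE = re.compile(r'[A-Za-z]:\\.*?\.(?:exe|dll|scr|bat|cmd|vbs|js)\b', re.IGNORECASE)
WRITABLE_DIRS = ("\\temp\\", "\\users\\public\\")   # assumed hot spots; extend for your environment
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
def unescape(s):  # undo the .reg escaping of backslashes and quotes
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg_export(text):
    """Return (key, value_name, data) for every string value under each [key] block."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif key and (m := ENTRY_RE.match(line)):
            entries.append((key, unescape(m.group(1)), unescape(m.group(2))))
    return entries

def looks_random(name):
    """Crude 'random characters' test: six or more letters with no vowel, or a 5-consonant run."""
    letters = re.sub(r'[^a-z]', '', name.lower())
    return len(letters) >= 6 and re.search(r'^[^aeiouy]*$|[^aeiouy]{5}', letters) is not None

def suspicious_reasons(name, data):
    """Why an autorun entry deserves a second look; an empty list means nothing obvious."""
    reasons = []
    if looks_random(name):
        reasons.append("random-looking value name")
    if m := PATH_RE.search(data):
        path = m.group(0).lower()
        if any(d in path for d in WRITABLE_DIRS):
            reasons.append("binary lives in a user-writable location")
        if path.rsplit("\\", 1)[-1] in SYSTEM_NAMES and "\\windows\\" not in path:
            reasons.append("system process name outside the Windows directory")
    return reasons

def triage(text):
    """Only the entries that tripped a heuristic, as [(key, name, reasons), ...]."""
    return [(k, n, r) for k, n, d in parse_reg_export(text) if (r := suspicious_reasons(n, d))]
```

Anything the script flags still needs a human look (and a scan of the file it points at); the heuristics are there to shorten the list, not to decide.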
 
LVL 38

Expert Comment

by:younghv
ID: 35219843
We've had a couple of similar questions lately that ended up being an infected router.
Review this information:
http://tidystorm.com/423/the-redirect-virus-was-in-my-router/

Give that a try and then use the information in these Articles to attack the malware in your workstations:

http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)
http://www.experts-exchange.com/A_1940.html (Basic Malware Troubleshooting)
 
LVL 1

Accepted Solution

by:vagedis23
vagedis23 earned 250 total points
ID: 35219983
What kind of problems are your users experiencing because of this virus?

- Change the passwords of all accounts with administrator rights.
- Do not use default or easy-to-guess passwords on any device, e.g. WiFi routers, switches, printers etc.
- Do not allow anyone to connect USB sticks, iPods, smartphones etc. to any of the computers on your network.
- Make sure users do not log on with administrative rights to their PC. 90 percent of all malware cannot infect a PC if the user has no administrative rights.

To find the root cause:
- Reinstall a computer that is not connected to any network, and install a free firewall such as ZoneAlarm. Make sure it is set to block all traffic.
- Make sure the passwords on this computer are not used on any other machine in your network.
- Use an original CD to perform the installation of the OS.
- Download ZoneAlarm on a clean and trusted PC and save it on a new USB stick that has never been used before.
- Update the reinstalled PC with all security fixes available on a trusted network. Update ZoneAlarm too.
- Connect the fully updated PC to the network with the virus problem.
- Log on with a user that has no administrator rights.
- Wait for ZoneAlarm to show you popups about IP addresses that try to connect to the reinstalled PC.

When you recognize a computer or IP address that is trying to connect to your new clean PC for no apparent reason, disconnect that computer from the network.

Download a bootable anti-virus CD, and boot the computer that tried to access the reinstalled PC from that CD. Perform a full scan of the hard disk and see if any malware is found.

Sardu is a free tool that can download and create a bootable CD/DVD of several different AV companies. I usually use the Bitdefender or Kaspersky boot CD. You can find Sardu here:

http://www.sarducd.it/

ZoneAlarm you can find here:

http://www.zonealarm.com/security/en-us/anti-virus-spyware-free-download.htm

Good luck!
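Added example (not from any of the answers) that turns the two suggestions above, a Wireshark capture and vagedis23's freshly rebuilt "tripwire" PC, into something you can run against a capture: it reads SYN-only connection attempts exported with tshark, reports hosts fanning out to many peers on 445/139 (a machine spreading, as opposed to clients all talking to one file server), and lists whoever tried to reach the clean machine. The record layout, addresses, ports and thresholds are assumed.

```python
from collections import defaultdict

# Constructed records in the shape of:
#   tshark -r capture.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" \
#          -T fields -e frame.time_relative -e ip.src -e ip.dst -e tcp.dstport
# i.e. one line per connection *attempt*, so the initiating side is unambiguous. Addresses are
# made up; 10.0.0.10 plays the file server and 10.0.0.50 the freshly rebuilt tripwire machine.
SAMPLE_SYNS = """
0.000000  10.0.0.12  10.0.0.10    445
0.410000  10.0.0.23  10.0.0.5     445
0.412000  10.0.0.23  10.0.0.6     445
0.415000  10.0.0.23  10.0.0.7     445
0.417000  10.0.0.23  10.0.0.8     139
0.420000  10.0.0.23  10.0.0.9     445
0.423000  10.0.0.23  10.0.0.50    445
1.200000  10.0.0.14  10.0.0.10    445
2.500000  10.0.0.15  10.0.0.10    445
3.100000  10.0.0.12  203.0.113.9  80
"""

def parse_syn_records(text):
    """(time, src, dst, dport) tuples; splits on any whitespace so tabs or spaces both work."""
    records = []
    for line in text.strip().splitlines():
        t, src, dst, port = line.split()
        records.append((float(t), src, dst, int(port)))
    return records

def fan_out_sources(records, ports=(445, 139), window=60.0, min_targets=5):
    """Hosts that *initiate* SMB/NetBIOS connections to >= min_targets distinct peers inside any
    `window`-second span. Returns {src: most distinct targets seen in one window}."""
    by_src = defaultdict(list)
    for t, src, dst, port in records:
        if port in ports:
            by_src[src].append((t, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        best = max(len({d for t, d in events[i:] if t - t0 <= window})
                   for i, (t0, _) in enumerate(events))
        if best >= min_targets:
            flagged[src] = best
    return flagged

def inbound_sources(records, tripwire_ip):
    """Who tried to open connections to the clean machine (what the firewall pop-ups would list)."""
    return sorted({src for _, src, dst, _ in records if dst == tripwire_ip})
```

On the sample, `fan_out_sources` names only 10.0.0.23 (six SMB targets in a fraction of a second) while the busy file server never appears, because it receives connections rather than starting them; the same host is the only one that knocked on the tripwire PC.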
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 35220878
Since ComboFix did remove the virus, the log should also show what files were deleted and the quarantine should also show what registry keys/values were deleted.

Could we look at the ComboFix log?

You could also get the files from the quarantine folder and upload it to jotti.org to have it scanned and find out the name of the virus.

As also suggested by younghv, it could also be an infected router, only IF you're using a default password.
 
LVL 1

Author Comment

by:AutomatedIT
ID: 35323646
Used WireShark rather than ZoneAlarm, but the result was pretty much the same.

Thanks!
