Veeam is happy to provide a free NFR license for one year. It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.
Solved
How to remove a Dubrute virus from Server
Posted on 2012-03-22
We have a Windows 2003 server (member server of a domain) that is used for terminal service connections (remote desktop). About once a week, the cable internet slow down to a crawl. We rebooted the server the first couple of weeks, but last week I was trying to figure out why it was slow before we rebooted it. I logged into it via remote desktop, looked at a few things like event viewer and Anti Virus status things then logged out of the remote desktop. When I logged out, I got a strange little window that said something to effect of dubrute.exe closing. It appeared as if my logging out forced this dubrute application to force itself to shutdown. When my session logged, out, the internet jumped back up to normal speeds and the remote users worked fine for a few days. Yesterday, the internet went back down to a crawl, and after I logged back into the server remotely again, the same thing happened when I logged out. The dbrute little window popped open and I clicked OK to close it (I presume) and the internet jumped back up to normal speeds.
I have AVG Server edition installed on this server, and while it has found problems in the past, all the scans I run on it now are clean. I ran malwarebytes as well, and that comes up clean. I have checked the startup services and startup apps in the MSCONFIG window, and nothing is out of the ordinary. I did a search in the registry for dubrute and nothing came up. I checked all installed applications in add/remove programs and everything looks normal in there. I checked the task manger yesterday when the internet was really slow and didn't see anything called dubrute running as a server. I am thinking about running combofix, but because this is a server, I am nervous about doing that. Any ideas???
I have AVG Server edition installed on this server, and while it has found problems in the past, all the scans I run on it now are clean. I ran malwarebytes as well, and that comes up clean. I have checked the startup services and startup apps in the MSCONFIG window, and nothing is out of the ordinary. I did a search in the registry for dubrute and nothing came up. I checked all installed applications in add/remove programs and everything looks normal in there. I checked the task manger yesterday when the internet was really slow and didn't see anything called dubrute running as a server. I am thinking about running combofix, but because this is a server, I am nervous about doing that. Any ideas???
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
3
2-
2
- +1
8 Comments
Yes. Rebuild the server. It's the only way to be 100% certain that the problem has been resolved. You cannot - cannot - trust any host once it has been compromised.
Please do not use ComboFix on any server platform. It is not designed for it and is not recommended.
Both RogueKiller and Malwarebytes are server safe and you should use them as described in these EE Articles:
Rogue-Killer-What-a-great-
Stop-the-Bleeding-First-Ai
DUBrute is fairly old (June 2010) so most tools can handle it properly. Here is a link to an EE solution for this problem from last year:
http://www.experts-exchange.com/Q_26979796.html
In the FWIW department - there are rare occasions that I am not able to be confident that a system has been thoroughly cleaned - 2 or 3 times a year out of a couple of hundred incidents.
A complete system rebuild is not sufficient to eliminate some malware variants and it is better to use the tools that can get the job done right.
As soon as you get the system running properly, please make sure that you run all patches/updates for the OS and all applications.
Both RogueKiller and Malwarebytes are server safe and you should use them as described in these EE Articles:
Rogue-Killer-What-a-great-
Stop-the-Bleeding-First-Ai
DUBrute is fairly old (June 2010) so most tools can handle it properly. Here is a link to an EE solution for this problem from last year:
http://www.experts-exchange.com/Q_26979796.html
In the FWIW department - there are rare occasions that I am not able to be confident that a system has been thoroughly cleaned - 2 or 3 times a year out of a couple of hundred incidents.
A complete system rebuild is not sufficient to eliminate some malware variants and it is better to use the tools that can get the job done right.
As soon as you get the system running properly, please make sure that you run all patches/updates for the OS and all applications.
Thanks for the advice. By the way younghv, I am curious how a system rebuild is not sufficient in eliminating problems? If you format the hard drive, or just put in a new hard drive (they are very cheap) how can that not get rid of a virus???
There are malware variants that infect the MBR, hidden partitions on the HDD, and even the BIOS ROM. A new hard drive would solve for the first two examples, but not for the third.
This is from an earlier post here on EE:
http://www.globalnet-iti.com/innovations/blog/1st-virus-that-infects-a-computer-s-bios-is-discovered/
Storing the malicious code inside the BIOS ROM could actually become more than just a problem for security software, giv[en] the fact that even if antivirus detect(s) and clean(s) the MBR infection,
This is from an earlier post here on EE:
http://www.globalnet-iti.com/innovations/blog/1st-virus-that-infects-a-computer-s-bios-is-discovered/
Storing the malicious code inside the BIOS ROM could actually become more than just a problem for security software, giv[en] the fact that even if antivirus detect(s) and clean(s) the MBR infection,
A complete system rebuild is not sufficient to eliminate some malware variants and it is better to use the tools that can get the job done right.
That's absolutly wrong. Furthermore, leaving a malware-infected production server connected to the network after "cleaning" the malware is in direct opposition to security best practices.
Not one of my corporate customers would stand for such a response. A once-compromised system is an unnaceptable risk to the entire organization.
BTW - there's un underlying root cause analysis that should be done any time a server is infected with malware. Are your server admins browsing the Internet from the server console with elevated privs? Either an unpatched vulnerability was exploited, or this is the result of poor practice. If you don't take the time to figure out - and correct - the root cause, you'll be doing this again... soon.
jbobst,
I stand by the comments I made and I think the link I provided (more if needed) is ample proof that there is existing malware that cannot be removed by formating/replacing a hard drive.
Malware discussions are often joined by those with differing opions, some more obnoxious than others.
I stand by the comments I made and I think the link I provided (more if needed) is ample proof that there is existing malware that cannot be removed by formating/replacing a hard drive.
Malware discussions are often joined by those with differing opions, some more obnoxious than others.
Another article on the function of the mebromi virus:http://www.symantec.com/connect/blogs/bios-threat-showing-again
This is a really good reason to set the write protection in your motherboards BIOS, and most boards have it.
Meanwhile, the environment you work in tends to shape the philosophy that you use.
In some cases, it can be better to simply re-image the system, especially where you have the resources to automate the task and all documentation to streamline the process. In a medium enterprise environment, I would tend to re-image the machine, but not before I determined the infection, and the source, if possible. Doing a procedure audit is a good move in larger environments as well.
In most cases, I prefer to clean the infection, as this is very expedient. Not all users or even companies have proper documentation and backups to rebuild the system, not all infections are actually difficult to remove, and only a few have residual infection potential.
Now, down to business, DUBrute is a hack tool, so it is possible that you have an interloper on your network. Simply cleaning the system in this case might not get you very much value, instead you might want to focus on entry vectors, and open ports that might not be needed. Checking router logs for suspicious traffic, or enhanced logging may help to pinpoint and block perpetrators.
Sophos anti-virus claims to be capable of removing this threat, and they are usually good at their word.
However, if it isn't showing up in programs or processes, it could reside on another system. I would look for listening ports that are not used for your installed apps, one article mentions port 3389.
This is a really good reason to set the write protection in your motherboards BIOS, and most boards have it.
Meanwhile, the environment you work in tends to shape the philosophy that you use.
In some cases, it can be better to simply re-image the system, especially where you have the resources to automate the task and all documentation to streamline the process. In a medium enterprise environment, I would tend to re-image the machine, but not before I determined the infection, and the source, if possible. Doing a procedure audit is a good move in larger environments as well.
In most cases, I prefer to clean the infection, as this is very expedient. Not all users or even companies have proper documentation and backups to rebuild the system, not all infections are actually difficult to remove, and only a few have residual infection potential.
Now, down to business, DUBrute is a hack tool, so it is possible that you have an interloper on your network. Simply cleaning the system in this case might not get you very much value, instead you might want to focus on entry vectors, and open ports that might not be needed. Checking router logs for suspicious traffic, or enhanced logging may help to pinpoint and block perpetrators.
Sophos anti-virus claims to be capable of removing this threat, and they are usually good at their word.
However, if it isn't showing up in programs or processes, it could reside on another system. I would look for listening ports that are not used for your installed apps, one article mentions port 3389.
Featured Post
We value your feedback.
Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP, Windows Server…
- Ransomware
- Experts Exchange
- Windows XP
- Windows OS
- Windows Server 2008
- Windows Server 2003, Security
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
- Anti-Virus Apps
- Ransomware
- The Email Laundry
- Email Servers
- Cybersecurity
- Microsoft Access, *malware
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email
Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Suggested Courses
Course of the Month11 days, 3 hours left to enroll
719 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.