
Keylog-Ultimate.dll Virus on Windows Server 2008 R2 SP1

Posted on 2012-04-06
Last Modified: 2013-11-22
I am currently managing a SQL Server 2008 R2. I've installed programs such as McAfee Enterprise + AntiSpyware Enterprise 8.8, Kaspersky TDSSKiller and Malwarebytes 1.60.1.1000. These programs are scheduled to run/update every day. In addition, we are using RDS w/ user CAL licensing, which I hear is not secured, but we need it.

A few weeks ago, we encountered a type of malware called ransomware on our server and thought that I had successfully removed it. Unfortunately that led to another issue: I noticed a key logger program planted on my server that McAfee picked up. Here is the log:

- D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe      C:\Windows\AppCompat\KAward\rsasws.exe      Keylog-AwardKey (Virus)
- C:\Windows\Explorer.EXE      E:\decrypterpv\dc.exe      Ransom-BA (Trojan)
- C:\Users\sys\Desktop\Setup.exe      C:\ProgramData\uklpr\KLKlMon.dll      Keylog-Ultimate.dll (Virus)


The software ran another scan last night and picked up:

- 3:04:49 AM      Deleted       administrator      ODS(Full Scan)      c:\Documents and Settings\sys\Desktop\Setup.exe\9.nsis      Keylog-Ultimate.dll (Virus)
- 3:04:59 AM      Delete failed (Clean failed)       administrator      ODS(Full Scan)      c:\Users\sys\Desktop\Setup.exe\9.nsis      Keylog-Ultimate.dll (Virus)
- 4/6/2012      3:05:08 AM      Deleted (Clean failed)       administrator      ODS(Full Scan)      c:\Documents and Settings\sys\Downloads\KRyLack.Ultimate.Keylogger.Pro.v1.80.45-alzaeem2008.rar\SETUP.EXE\9.nsis      Keylog-Ultimate.dll (Virus)
- 4/6/2012      3:05:18 AM      Delete failed (Clean failed)       administrator      ODS(Full Scan)      c:\Users\sys\Downloads\KRyLack.Ultimate.Keylogger.Pro.v1.80.45-alzaeem2008.rar\SETUP.EXE\9.nsis      Keylog-Ultimate.dll (Virus)


How do I prevent this? Are they getting into my network through a backdoor? Does RDS play a big role in this case? Is there another level of security I can implement? I'd appreciate your help!
Question by:vlsllp
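The scanner lines quoted in the question carry two things worth pulling out mechanically: which file on disk each nested path (archive\installer\member) really refers to, and which files the scan failed to remove, so that the next pass reports them again under the second spelling of the same profile path. The following Python script is an added example, not part of the original question or of any McAfee tooling. Its input is the log excerpt copied from the post; the split between a "real-time" and an "on-demand" line layout, the list of container extensions, and the treatment of Documents and Settings as the Vista+ junction to Users are my assumptions about how those lines were produced.

```python
import re

# Scanner output copied from the question above (McAfee real-time and
# on-demand-scan lines); the "- " bullets are the forum's formatting.
SAMPLE_LOG = r"""
- D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe      C:\Windows\AppCompat\KAward\rsasws.exe      Keylog-AwardKey (Virus)
- C:\Windows\Explorer.EXE      E:\decrypterpv\dc.exe      Ransom-BA (Trojan)
- C:\Users\sys\Desktop\Setup.exe      C:\ProgramData\uklpr\KLKlMon.dll      Keylog-Ultimate.dll (Virus)
- 3:04:49 AM      Deleted       administrator      ODS(Full Scan)      c:\Documents and Settings\sys\Desktop\Setup.exe\9.nsis      Keylog-Ultimate.dll (Virus)
- 3:04:59 AM      Delete failed (Clean failed)       administrator      ODS(Full Scan)      c:\Users\sys\Desktop\Setup.exe\9.nsis      Keylog-Ultimate.dll (Virus)
- 4/6/2012      3:05:08 AM      Deleted (Clean failed)       administrator      ODS(Full Scan)      c:\Documents and Settings\sys\Downloads\KRyLack.Ultimate.Keylogger.Pro.v1.80.45-alzaeem2008.rar\SETUP.EXE\9.nsis      Keylog-Ultimate.dll (Virus)
- 4/6/2012      3:05:18 AM      Delete failed (Clean failed)       administrator      ODS(Full Scan)      c:\Users\sys\Downloads\KRyLack.Ultimate.Keylogger.Pro.v1.80.45-alzaeem2008.rar\SETUP.EXE\9.nsis      Keylog-Ultimate.dll (Virus)
"""

FIELD_SEP = re.compile(r"\t|\s{2,}")          # columns are tab / multi-space separated
DATE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4}$")
TIME = re.compile(r"^\d{1,2}:\d{2}:\d{2} [AP]M$")
# assumed: file types the scanner opens and reports members of as <container>\<member>
CONTAINER = re.compile(r"\.(rar|zip|7z|exe|msi)$", re.IGNORECASE)


def parse_line(line):
    """Return {'action', 'path', 'detection'} for one scanner line, or None.

    Assumed layouts (read off the excerpt): real-time lines are
    <process> <path> <detection>; on-demand (ODS) lines are
    [<date>] <time> <action> <user> <task> <path> <detection>.
    Only ODS lines carry a remediation action.
    """
    line = line.strip()
    if line.startswith("- "):
        line = line[2:]
    fields = [f for f in FIELD_SEP.split(line) if f]
    if len(fields) < 3:
        return None
    if DATE.match(fields[0]):
        fields = fields[1:]
    action = fields[1] if TIME.match(fields[0]) and len(fields) >= 6 else None
    return {"action": action, "path": fields[-2], "detection": fields[-1]}


def split_container(path):
    """Split an archive-nested scan path into (file_on_disk, member_inside).

    Only the outermost container exists on disk; the 9.nsis member of
    Setup.exe is an installer section, not a file the admin can delete alone.
    """
    parts = path.split("\\")
    for i, part in enumerate(parts[:-1]):
        if CONTAINER.search(part):
            return "\\".join(parts[: i + 1]), "\\".join(parts[i + 1:])
    return path, None


def normalize(path):
    """Case-fold and collapse the two spellings of a profile path.

    Assumption: on Windows Vista and later 'Documents and Settings' is a
    junction to 'Users', so the scanner's two paths name one file.
    """
    return re.sub(r"^([a-z]:)\\documents and settings\\", r"\1\\users\\", path.lower())


def triage(log_text):
    """Group detections by the file actually on disk and flag what survived."""
    files = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        container, member = split_container(ev["path"])
        rec = files.setdefault(normalize(container),
                               {"detections": set(), "actions": [], "members": set()})
        rec["detections"].add(ev["detection"])
        if ev["action"]:
            rec["actions"].append(ev["action"])
        if member:
            rec["members"].add(member.lower())
    # the most recent action for a file decides: here an earlier "Deleted" is
    # followed by "Delete failed" for the same file under its other path
    still_present = sorted(p for p, r in files.items()
                           if r["actions"] and "failed" in r["actions"][-1].lower())
    # real-time hits with no remediation recorded in this excerpt: verify by hand
    unverified = sorted(p for p, r in files.items() if not r["actions"])
    return {"files": files, "still_present": still_present, "unverified": unverified}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for label in ("still_present", "unverified"):
        print(label)
        for path in result[label]:
            print("  ", path, sorted(result["files"][path]["detections"]))
```

Run against the excerpt, `triage` reports the Desktop Setup.exe and the .rar in Downloads as still present (the last pass over each ended in a failed clean), and the three real-time detections (rsasws.exe, dc.exe, KLKlMon.dll) as having no remediation recorded at all; those five paths are the checklist to verify by hand before concluding the cleanup worked.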
7 Comments

Expert Comment

by:Grant1842
ID: 37817474
Please follow these instructions for removal.

http://www.uninstall-spyware.com/uninstallUltimateKeylogger.html

Expert Comment

by:David Johnson, CD, MVP
ID: 37820092
Is there a business reason why users that RDP into the server have administrative (install) privileges? Have you considered RemoteApp for programs that need administrator privileges? How about turning on Internet Explorer security for non-admins? How can you or your company justify the security risk that allowed this to happen in the first place? In many environments, once something is discovered as compromised, the entire server is rebuilt, as it can no longer be trusted.
Don't create the mess, then you don't have to clean up a mess. Unfortunately you have to treat users like preschool children: you have to monitor them and protect them from themselves.

Assisted Solution

by:vlsllp
vlsllp earned 0 total points
ID: 37824081
ve3ofa, yes, there are special reasons why we grant our users administrative privileges. Unfortunately we had to manually go into the folders and clean out key names that have "keyloggers" in them; in addition we removed this virus through the registry as well. The primary tools I used were Kaspersky TDSSKiller and Spybot. These two items assisted me in cleaning out unwanted items in our registry.

Would you recommend any other tools or best practices when monitoring RDS? IDS/IPS?

Accepted Solution

by:Russell_Venable
Russell_Venable earned 500 total points
ID: 37845588
Yes, actually. Assuming you already removed "Ransom" from your system, it would do you some good to make note of three aspects for prevention and recovery reasons.

1. Keep a Website History


Keep good track of the sites that are visited from your network, externally to the operating system (hardware). Not only does it help to keep track of what websites caused the infection, but it also allows you to report the infection and warn others.

2. Avoid untrusted online antivirus scanning

Do not allow users to do an online antivirus scan unless tasked, and if that is the case set guidelines for them to follow. Let me be specific: "ransomware", in your case, hides itself as an online antivirus scan and asks the user to install an ActiveX/Java file, sometimes even a video codec (a slightly different situation). This allows the site to start its malicious adventure onto the victim's machine. It also spreads on an automated basis from "drive-by" websites hosting an exploit kit.

3. Network traffic analyzer

Use a network traffic analyzer to monitor for abnormal traffic patterns.
When you ask for more tools, are you referring to monitoring or removal?

Other than that, I would just implement a user guideline system in the first place that teaches them how to avoid this.

References to read:
Passive Network Traffic Analysis: Understanding a Network Through Passive Monitoring
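The accepted answer's third point, watching for abnormal traffic patterns, and its first point, keeping a site history outside the infected host, fit together in one concrete check: a host that contacts the same external endpoint at a near-constant interval is polling a controller, not browsing, and the history of known-good destinations is what keeps a legitimate poller (an AV update server, for instance) from tripping the rule. The script below is an added example of that check, not part of the answer or of any particular analyzer product. The connection records are constructed for the example (addresses from the RFC 5737 documentation ranges); the thresholds, six hits and a coefficient of variation of 0.15, are my starting values, not ones the thread recommends.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound connection records: (epoch seconds, source host,
# destination IP, destination port), the shape a perimeter firewall or proxy
# log reduces to.  Not taken from the thread.  One host polls an endpoint
# every ~60 s with a few seconds of jitter; the other browses irregularly.
_beacon = [(1000 + 60 * i + (i % 3) - 1, "TS-SERVER", "198.51.100.23", 443)
           for i in range(12)]
_browsing = [(1003, "WS-07", "203.0.113.10", 80), (1019, "WS-07", "203.0.113.44", 443),
             (1140, "WS-07", "203.0.113.10", 80), (1207, "WS-07", "203.0.113.10", 80),
             (1520, "WS-07", "203.0.113.10", 80), (1533, "WS-07", "203.0.113.10", 80),
             (1910, "WS-07", "203.0.113.10", 80), (2400, "WS-07", "203.0.113.10", 80),
             (1600, "TS-SERVER", "203.0.113.44", 443)]
SAMPLE_FLOWS = sorted(_beacon + _browsing)


def beacon_candidates(flows, min_hits=6, max_cv=0.15, known_destinations=frozenset()):
    """Flag (source, destination) pairs that connect at a near-constant interval.

    For every source/destination pair with at least 'min_hits' connections,
    compute the gaps between consecutive connections; a coefficient of
    variation (std dev / mean) at or below 'max_cv' means the timing is too
    regular for a person.  'known_destinations' holds 'ip:port' strings taken
    from the site history the answer recommends keeping, so legitimate pollers
    are skipped.  Returns a list of (src, 'ip:port', period_s, cv).
    """
    times = defaultdict(list)
    for ts, src, dst, port in flows:
        times[(src, f"{dst}:{port}")].append(ts)
    findings = []
    for (src, dst), ts_list in times.items():
        if dst in known_destinations or len(ts_list) < min_hits:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period        # coefficient of variation of the gaps
        if cv <= max_cv:
            findings.append((src, dst, round(period), round(cv, 3)))
    return findings


if __name__ == "__main__":
    for src, dst, period, cv in beacon_candidates(SAMPLE_FLOWS):
        print(f"{src} -> {dst} every ~{period}s (cv={cv}): possible beacon")
```

On the constructed data the terminal server's ~60-second polls of 198.51.100.23:443 are the only finding; the workstation's repeated visits to 203.0.113.10:80 have gaps from 13 to 490 seconds and fall well outside the threshold. Passing the same endpoint in `known_destinations` (the role the external site history plays) clears the finding, which is also how a known update server would be excluded in practice.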

Expert Comment

by:David Johnson, CD, MVP
ID: 37846768
ve3ofa, yes there are special reasons why we grant our users administrative privileges.

Then BACKUP, BACKUP, BACKUP,

7 dailies, 4 weeklies, 12 monthlies, and 7 years of annuals.

Author Comment

by:vlsllp
ID: 37852078
Thanks.

Author Closing Comment

by:vlsllp
ID: 37875054
Thanks I will try that!