Trojan

I have read the article below.

So if this trojan is very hard to detect, it could actually be running in my company and I would never know. Any guides?


http://thehackernews.com/2017/03/github-email-scam.html
yodaa asked:

John, Business Consultant (Owner), commented:
These questions keep coming up.

1. You need TOP NOTCH and the BEST spam filtering. This is essential.

2. Train your users not to open emails from strangers. Delete these.

This is your best defense. I see this crap in my email spam quarantine, so the email approach is prevalent.
1
btan, Exec Consultant, commented:
I advocate hardening of machines via:
- application whitelisting to disallow running of macros and PowerShell; avoid enabling any unnecessary active scripting
- avoiding unwanted programs, also referred to as “PUPs” (Potentially Unwanted Programs), which intentionally slow down your computer
- updating IPS and AV signatures; at a minimum, make sure this sample is detected
- checking the server IP addresses requested via DNS, which may be blacklisted or of ill repute. There are DNS-aware firewalls for this
- checking for outbound HTTP POST requests to another Google domain, gmail[.]com or similar, where a large data size can indicate likely leakage

1) How did Troj/Dimnie-A get on my Computer?
Troj/Dimnie-A can gain entry onto your computer in several ways. Some of the common methods of Troj/Dimnie-A infection include:
- Downloads from questionable websites
- Infected email attachments
- External media, such as a pen drive, DVD or memory card already infected with Troj/Dimnie-A
- Fake updates that trick you into installing them
- Programs posing as fake virus removal tools
- Infected documents circulating on peer-to-peer (P2P) file sharing networks, torrent sites and IRC channels

2) Symptoms of Troj/Dimnie-A Infection
The primary symptoms of Troj/Dimnie-A infections are:
- Computer behaving unpredictably
- Unexpected operating system error messages
- Blue screen errors in Windows
- Sluggish computer performance
- Programs stop responding and show “Not Responding” error messages
- New files getting created at the root level of a hard drive
- Spam messages unknowingly being sent from your email account
- Mysterious file and folder deletions

3) Removing Troj/Dimnie-A from your Computer
To get rid of Troj/Dimnie-A from your computer, perform the following steps:
- Use an anti-malware program
- Clean your Windows Registry
1
Shaun Vermaak, Technical Specialist/Developer, commented:
Top of the list is over-permissioning of users, both locally (local administrators) and on network resources (full rights on all company files on a shared drive, for example).
1
masnrock commented:
You want to look at IOCs. I recently added a long list of domains known to be related to this. If you block those, then you can at least be sure systems are not contacting the C&C domains.

http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/?adbsc=social71113356&adbid=846693442872786944&adbpl=tw&adbpr=4487645412

However, I cannot stress enough that policy and education are key in this. Technology will help to an extent, but you also need to be sure that you're properly doing user awareness training. Users are the last line of defense. They need to know to at least report when they mess up (let's be honest, nobody is perfect), but just as importantly they need to be able to identify signs of suspicious emails.
1
yodaa (Author) commented:
Hi Guys,

Thank you for the info.

Do you know any good links or best practices for user awareness training?
0
masnrock commented:
This is a non-exhaustive list, as there are a ridiculous number of options out there...
SANS Institute
Wombat Security

KnowBe4 has a free phishing simulator test for up to 100 users: https://www.knowbe4.com/phishing-security-test-offer

Then you even have a number of vendors that offer the ability to use a library of training material that can be customized in some ways, such as MediaPro.
0
yodaa (Author) commented:
2) Symptoms of Troj/Dimnie-A Infection
The primary symptoms of Troj/Dimnie-A infections are:
Computer behaving unpredictably - sometimes Windows 10 behaves unpredictably
Unexpected operating system error messages - hmm
Blue screen errors in Windows - Sometimes this happens on a few machines
Sluggish computer performance
Programs stop responding and show “Not Responding” error messages - this sometimes happens in Windows 10, especially with Excel files
New files getting created at the root level of a hard drive - what do you mean by that? Where should I check it?
Spam messages unknowingly being sent from your email account - this happened twice to one of the users, but I checked the IP in Exchange and it was sent from a different IP location etc., so I think it was a spoofed email.
Mysterious file and folder deletions
0
yodaa (Author) commented:
1. You need TOP NOTCH and the BEST spam filtering. This is essential.
We have the default spam filtering system from Exchange; we also have ATP.

2. Train your users not to open emails from strangers. Delete these.
Actually they are good with this.
0
yodaa (Author) commented:
Sorry for my English.
* Sometimes this happened on a few machines
0
John, Business Consultant (Owner), commented:
I normally use a good third party spam filtering system and not rely upon Exchange. Ipswitch (.com) has a good spam filtering system. Barracuda is also decent.
1
masnrock commented:
New files getting created at the root level of a hard drive - what do you mean by that? Where should I check it?
Check for strange files on the C drive, in the Windows folder, or even in the Windows system folders. I know, it's easier said than done.

It sounds like you have some system items to be checked, but it may not necessarily be Dimnie that is the cause.

What do your security policies, including patch cycles, look like today? Also, what type of training do you presently do?
1
yodaa (Author) commented:
We have a few security layers:

  1. Firewall
  2. All unneeded ports are closed.
  3. Default spam/malware filters in Exchange plus ATP. https://products.office.com/en-ie/exchange/online-email-threat-protection
  4. Trend Micro for business on all WKS and servers with console management.
  5. Another endpoint product on each WKS and server from Malwarebytes, with the management console https://www.malwarebytes.com/business/endpointsecurity/
Everything is up to date - Flash, Java, OS, Adobe, Chrome etc.
0
John, Business Consultant (Owner), commented:
If you have all that in place with good training, then you really should be fine.
1
yodaa (Author) commented:
John,

We do training every 6 months. But now I am planning to do IT training every 2 months.
0
btan, Exec Consultant, commented:
Turn on AppLocker if running Windows. You only allow certain applications to run, and that restricts the exposure that leads to infection through running unauthorised applications.

Removing admin rights for users also helps, such that exploitation still requires the infection to escalate its privileges, though that may be non-trivial.

Keep your patches and signatures up to date for your HIPS and OS. Also consider anti-ransomware such as that from Malwarebytes or WinPatrol AntiRansom.
0
Natty Greg, In Theory (IT), commented:
Ask your users if they would open their doors to a complete stranger at 2 am. I'm sure they would say NO, so why would you open an email or document from someone you do not know?

1. Good UTM
2. Firewall
3. Antivirus on every computer
4. Limited access to resources
5. Central management of antivirus so you can scan each computer on the network while the users work
6. Users have no rights to install anything --- I know it's tedious, but if they cannot install anything, chances are Trojans or viruses cannot be executed
7. Once a month, a 15-minute meeting reminding users of how phishing works and what to do when online
8. lockout policy for infected computers
9. Education
0
yodaa (Author) commented:
We have Windows 10 Pro so we cannot use AppLocker.

Staff don't have admin rights locally or on the network. Only IT admins have these privileges.
0
yodaa (Author) commented:
1. Good UTM - In place
2. Firewall - In place
3. Antivirus on every computer - In place
4. Limited access to resources - In place
5. Central management of antivirus so you can scan each computer on the network while the users work - In place
6. Users have no rights to install anything --- I know it's tedious, but if they cannot install anything, chances are Trojans or viruses cannot be executed - In place
7. Once a month, a 15-minute meeting reminding users of how phishing works and what to do when online - I am planning to do this every 2 months now.
8. Lockout policy for infected computers - What do you mean by that?
9. Education - I send an email to staff every time there is a new malware, campaign etc.
0
btan, Exec Consultant, commented:
Disable the use of macros and active scripting in Office and the browser.
There is CryptoPrevent, which does whitelisting, that you can consider:
https://www.foolishit.com/cryptoprevent-malware-prevention/

Since you are using Trend Micro, consider Endpoint Security: https://www.trendmicro.com/en_us/business/products/user-protection/sps/endpoint/endpoint-application-control.html#features-tm-anchor

Eventually, spend some time on awareness training and education; the technology can never be a silver bullet if users are not vigilant. In fact they are the human firewall; run an anti-phishing campaign and you will understand why they remain the weakest link.
1
yodaa (Author) commented:
Disable the use of macros and active scripting in Office and the browser. They use macros in Excel, so they need to have it on. Disabling scripts in browsers can be very frustrating for staff, hmm.
0
masnrock commented:
Quarterly training should be sufficient, as long as you're also communicating about major things that are going on. Have you also worked on putting GPOs in place to lock certain features away from users, such as PowerShell? Do your users have administrator access to the PCs? (If yes, do they really need it? You will want to look at changing this down the road.)

Another thing worth an eventual look is some sort of monitoring or logging mechanism so that you can know what's going on in terms of web activity. That will also help you with identifying dangerous things going on.
0
yodaa (Author) commented:
Have you also worked on putting GPOs in place to lock certain features away from users, such as PowerShell? Do your users have administrator access to the PCs? (If yes, do they really need it? You will want to look at changing this down the road.) - Users don't have admin rights on local machines. Also, could you guide me on where I could set a GPO to turn off PowerShell on each WKS?
0
btan, Exec Consultant, commented:
You can still have some sort of blacklisting and whitelisting without AppLocker, via GPO, under User Configuration > Administrative Templates > System.

You should be able to find the “Run only specified Windows applications” setting and double-click it to open its properties dialog. But in this case it may be better to explicitly block specific PowerShell applications (e.g. PowerShell and PowerShell_ISE, for both x86 and x64 in the OS) rather than restricting to an allow list; for that you would open the “Don’t run specified Windows applications” setting instead. To run a PowerShell script you will need administrator rights.
1
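To put btan's GPO suggestion into a form that can be checked on one workstation before it goes into a domain GPO, here is an added PowerShell example (not from the thread or any vendor) that writes the per-user registry values behind “Don't run specified Windows applications” and reads them back. The two executable names are the ones named above; the `Set-DisallowRunPolicy` and `Get-DisallowRunPolicy` function names are my own.

```powershell
# Added example, not from the thread: the per-user registry values that the
# "Don't run specified Windows applications" policy (User Configuration >
# Administrative Templates > System) sets, written with PowerShell so the
# result can be verified on one machine before rolling it out via GPO.
# The x86 and x64 copies of each binary share a file name, so one entry covers both.

$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ListKey   = Join-Path $PolicyKey 'DisallowRun'
$Blocked   = @('powershell.exe', 'powershell_ise.exe')

function Set-DisallowRunPolicy {
    param([string[]]$Executables)

    New-Item -Path $ListKey -Force | Out-Null
    # DWORD DisallowRun = 1 turns the policy on; the DisallowRun subkey holds the list
    Set-ItemProperty -Path $PolicyKey -Name 'DisallowRun' -Type DWord -Value 1

    # Replace any previous list; the policy expects values named "1", "2", ...
    Get-Item $ListKey | Select-Object -ExpandProperty Property |
        ForEach-Object { Remove-ItemProperty -Path $ListKey -Name $_ }
    $i = 1
    foreach ($exe in $Executables) {
        Set-ItemProperty -Path $ListKey -Name "$i" -Type String -Value $exe
        $i++
    }
}

function Get-DisallowRunPolicy {
    # Returns the executable names currently blocked, or an empty array if the policy is off
    if (-not (Test-Path $ListKey)) { return @() }
    $enabled = (Get-ItemProperty -Path $PolicyKey -Name 'DisallowRun' -ErrorAction SilentlyContinue).DisallowRun
    if ($enabled -ne 1) { return @() }
    $item = Get-Item $ListKey
    return @($item.Property | ForEach-Object { $item.GetValue($_) })
}

Set-DisallowRunPolicy -Executables $Blocked
Get-DisallowRunPolicy   # expect: powershell.exe, powershell_ise.exe
```

The setting is enforced by Explorer, so it takes effect after the user signs out and back in and only covers programs started through the shell (Start menu, Run, double-click), not processes started by other means; it is a stopgap, not a replacement for AppLocker.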
Natty Greg, In Theory (IT), commented:
A lockout policy means that once an infected computer is detected, it is blocked from accessing network resources and the internet until it has been cleaned.
1
Rich Rumble, Security Samurai, commented:
I think your initial question was answered :) Yes, there are Trojans that are hard to detect and go undetected for years. APTs are good examples. Google got hit with an APT, and they were doing top-notch security. In your organization you should "assume breach". Do not think you're not breached; think you are already and don't know it. All the best practices have been laid out already.
Least privilege, segment the network with access control, apply restrictive permissions on files and folders (services) that are important, train users not to open everything they are sent.
That's it.
UTM, NextGen this-n-that, all crap if you don't have the basics.

-rich
0
John, Business Consultant (Owner), commented:
Can you please come back and close the question?  Thank you.
0
John, Business Consultant (Owner), commented:
Thank you for following up.
0