yodaa

Trojan

I have read the article below.

So if this trojan is very hard to detect, it could actually be running in my company and I would never know. Any guides?

http://thehackernews.com/2017/03/github-email-scam.html
John

These questions keep coming up.

1. You need TOP NOTCH, and BEST Spam Filtering. This is essential.

2. Train your users not to open emails from strangers. Delete these.

This is your best defense. I see this crap in my email spam quarantine, so the email approach is prevalent.
btan

Advocate hardening of machines via
- application whitelisting to disallow running of macros and PowerShell; avoid enabling any unnecessary active scripting
- avoiding running unwanted programs, also referred to as “PUPs” (Potentially Unwanted Programs), which intentionally slow down your computer
- updating IPS and AV signatures so that, at a minimum, this sample is detected
- checking the server IP addresses requested via DNS for ones that are blacklisted or of ill repute. There are DNS-aware firewalls
- checking for outbound HTTP POST requests to another Google domain, gmail[.]com or similar, where a large data size can indicate likely leakage
1) How did Troj/Dimnie-A get on my Computer?
Troj/Dimnie-A can gain entry onto your computer in several ways. Some of the common methods of Troj/Dimnie-A infection include:
- Downloads from questionable websites
- Infected email attachments
- External media, such as pen drives, DVDs, and memory cards already infected with Troj/Dimnie-A
- Fake updates that trick you into installing them
- Programs posing as fake virus removal tools
- Infected documents circulating on peer-to-peer (P2P) file sharing networks, torrent sites, and IRC channels

2) Symptoms of Troj/Dimnie-A Infection
The primary symptoms of Troj/Dimnie-A infections are:
- Computer behaving unpredictably
- Unexpected operating system error messages
- Blue screen errors in Windows
- Sluggish computer performance
- Programs stop responding and show “Not Responding” error messages
- New files getting created at the root level of a hard drive
- Spam messages unknowingly being sent from your email account
- Mysterious file and folder deletions

3) Removing Troj/Dimnie-A from your Computer
To get rid of Troj/Dimnie-A from your computer, perform the following steps:
- Use an anti-malware program
- Clean your Windows Registry
Top of the list is over-permissioning of users, both locally (local administrators) and on network resources (full rights on all company files on a shared drive, for example).
You want to look at IOCs. I recently added a long list of domains known to be related to this. If you block those, then you can at least be sure systems are not contacting the C&C domains.

http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/?adbsc=social71113356&adbid=846693442872786944&adbpl=tw&adbpr=4487645412

However, I cannot stress enough that policy and education are key in this. Technology will help to an extent, but you also need to be sure that you're properly doing user awareness training. Users are the last line of defense. They need to know to at least report when they mess up (let's be honest, nobody is perfect), but just as importantly they need to be able to identify signs of suspicious emails.
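As an added example (my own code, not from anyone in this thread), here is how the two network checks btan suggests above (DNS requests to blacklisted domains, and large outbound HTTP POSTs to gmail.com or another Google domain) and the IOC domain blocking suggested here can be scripted over resolver and proxy logs. The log lines and the C&C domain are constructed placeholders; the real domain list is in the Unit 42 write-up linked above.

```python
from urllib.parse import urlsplit

# Constructed sample telemetry (not real data): a DNS resolver log and a web proxy log.
# DNS line format: timestamp client qname qtype
DNS_LOG = """\
2017-03-29T10:01:12Z 10.0.5.17 update.microsoft.com A
2017-03-29T10:01:15Z 10.0.5.17 mail.badc2-placeholder.example A
2017-03-29T10:01:20Z 10.0.5.22 www.google.com A
"""
# Proxy line format: timestamp client method url bytes_sent user_agent
PROXY_LOG = """\
2017-03-29T10:02:01Z 10.0.5.17 POST https://gmail.com/ 184320 Mozilla/5.0
2017-03-29T10:02:05Z 10.0.5.22 GET https://mail.google.com/mail/ 512 Mozilla/5.0
2017-03-29T10:02:09Z 10.0.5.22 POST https://gmail.com/ 2048 Mozilla/5.0
"""
# Placeholder C&C domain written defanged, as IOC feeds usually are.
IOC_DOMAINS = ["badc2-placeholder[.]example"]
GOOGLE_SUFFIXES = ("gmail.com", "google.com")

def refang(domain):
    """Turn a defanged name like 'gmail[.]com' back into a comparable hostname."""
    return domain.replace("[.]", ".").lower().rstrip(".")

def matches_ioc(qname, iocs):
    """True when qname equals an IOC domain or is a subdomain of one."""
    q = refang(qname)
    return any(q == d or q.endswith("." + d) for d in map(refang, iocs))

def dns_ioc_hits(log, iocs):
    """Return (client, qname) for every query that resolves a blocklisted domain."""
    hits = []
    for line in log.splitlines():
        _ts, client, qname, _qtype = line.split()
        if matches_ioc(qname, iocs):
            hits.append((client, qname.lower()))
    return hits

def large_post_hits(log, min_bytes=65536):
    """Return (client, host, bytes) for POSTs to a Google-owned host with a large body."""
    hits = []
    for line in log.splitlines():
        _ts, client, method, url, size, _ua = line.split(maxsplit=5)
        host = (urlsplit(url).hostname or "").lower()
        google = any(host == s or host.endswith("." + s) for s in GOOGLE_SUFFIXES)
        if method == "POST" and google and int(size) >= min_bytes:
            hits.append((client, host, int(size)))
    return hits

if __name__ == "__main__":
    print("DNS IOC hits:", dns_ioc_hits(DNS_LOG, IOC_DOMAINS))
    print("Large POSTs to Google hosts:", large_post_hits(PROXY_LOG))
```

The 64 KiB threshold is an assumption; tune it against your own baseline of normal webmail traffic before alerting on it.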

ASKER

Hi Guys,

Thank you for the info.

Do you know good links or best practices for user awareness training?
This is a non-exhaustive list, as there are a ridiculous number of options out there...
- SANS Institute
- Wombat Security

KnowBe4 has a free phishing simulator test for up to 100 users: https://www.knowbe4.com/phishing-security-test-offer

Then you even have a number of vendors that offer the ability to use a library of training material that can be customized in some ways, such as MediaPro.

ASKER

2) Symptoms of Troj/Dimnie-A Infection
The primary symptoms of Troj/Dimnie-A infections are:
Computer behaving unpredictably - sometimes Windows 10 behaves unpredictably
Unexpected operating system error messages - hmm
Blue screen errors in Windows - sometimes this happened on a few machines
Sluggish computer performance
Programs stop responding and show “Not Responding” error messages - this sometimes happens in Windows 10, especially with Excel files
New files getting created at the root level of a hard drive - what do you mean by that? Where should I check it?
Spam messages unknowingly being sent from your email account - this happened twice to one of the users, but I checked the IP in Exchange and it was sent from a different IP location etc., so I think it was a spoofed email.
Mysterious file and folder deletions

ASKER

1. You need TOP NOTCH, and BEST Spam Filtering. This is essential.
We have the default spam filtering system from Exchange, and we also have ATP.

2. Train your users not to open emails from strangers. Delete these.
Actually they are good with this.

ASKER

Sorry for my English.
* Sometimes this happened on a few machines
I normally use a good third-party spam filtering system and do not rely upon Exchange. Ipswitch (.com) has a good spam filtering system. Barracuda is also decent.
New files getting created at the root level of a hard drive - what do you mean by that? Where should I check it?
Check for strange files on the C drive, in the Windows folder, or even in the Windows system folders. I know, it's easier said than done.

It sounds like you have some system items to be checked, but it may not necessarily be Dimnie that is the cause.

What do your security policies, including patch cycles, look like today? Also, what type of training do you presently do?

ASKER

We have a few security layers:

  1. Firewall
  2. All unneeded ports are closed.
  3. Default spam/malware filters in Exchange plus ATP. https://products.office.com/en-ie/exchange/online-email-threat-protection
  4. Trend Micro for business on all WKS and servers with console management.
  5. Another endpoint on each WKS and server from Malwarebytes with the management console https://www.malwarebytes.com/business/endpointsecurity/
Everything is up to date: Flash, Java, OS, Adobe, Chrome etc.
SOLUTION
John


ASKER

John,

We do training every 6 months. But now I am planning to do IT training every 2 months.
Turn on AppLocker if running Windows. You only allow certain applications to run, and that restricts the exposure that leads to infection through running unauthorised applications.

Removing admin rights for users also helps, such that exploitation still requires the infection to escalate its privileges, though that may be non-trivial.

Keep your patches and signatures up to date for your HIPS and OS. Also consider anti-ransomware like Malwarebytes or WinPatrol AntiRansom.
ASKER CERTIFIED SOLUTION

ASKER

We have Windows 10 Pro so we cannot use AppLocker.

Staff don't have admin rights locally or on the network. Only IT admins have these privileges.

ASKER

1. Good UTM - In place
2. Firewall - In place
3. Antivirus on every computer - In place
4. Limited access to resources - In place
5. Central management of antivirus so you can scan each computer on the network while the users work - In place
6. User has no rights to install anything --- I know it's tedious, but if they can install anything, chances are Trojans or viruses can not be executed - In place
7. Once a month, a 15-minute meeting reminding users of how phishing works and what to do when online - I am planning to do this every 2 months now.
8. Lockout policy for infected computers - What do you mean by that?
9. Education - I send an email to staff every time there is new malware, campaigns etc.
Disable the use of macros and active scripting in Office and browsers.
There is CryptoPrevent, which does whitelisting, which you can consider:
https://www.foolishit.com/cryptoprevent-malware-prevention/

Since you are using Trend Micro, consider Endpoint Security: https://www.trendmicro.com/en_us/business/products/user-protection/sps/endpoint/endpoint-application-control.html#features-tm-anchor

Eventually, spend some time on awareness training and education; technology can never be a silver bullet if users are not vigilant. In fact they are the human firewall; run an anti-phishing campaign and you will understand why they remain the weakest link.

ASKER

Disable use of macro and active script from office and browser. They use macros in Excel, so they need to have it on. Disabling scripts in browsers can be very frustrating for staff, hmm.
Quarterly training should be sufficient, as long as you're also communicating about major things that are going on. Have you also worked on putting GPOs in place to lock certain features from users, such as PowerShell? Do your users have administrator access to the PCs? (If yes, do they really need it? You will want to look at changing this down the road.)

Another thing worth an eventual look is some sort of monitoring or logging mechanism so that you can know what's going on in terms of web activity. That will also help you with identifying dangerous things going on.

ASKER

Have you also worked on putting GPOs in place to lock certain features from users, such as PowerShell? Do your users have administrator access to the PCs? (If yes, do they really need it? You will want to look at changing this down the road.) Users don't have admin rights on local machines. Also, could you guide me on where in GPO I could turn off PowerShell on each WKS?
You can still have some sort of blacklisting and whitelisting without AppLocker, e.g. from GPO, under User Configuration > Administrative Templates > System.

You should be able to find the “Run only specified Windows applications” setting and double-click it to open its properties dialog. But in this case it may be better to explicitly block specific PowerShell applications (e.g. PowerShell and PowerShell_ISE, for both x86 and x64, in the OS) rather than restricting to allowed ones; for that you would open the “Don’t run specified Windows applications” setting instead. To run a PowerShell script you will need administrator rights.
Lockout policy is: once an infected computer is detected, it is blocked from accessing network resources and the internet until cleaned.
I think your initial question was answered :) Yes, there are Trojans that are hard to detect, and go undetected for years. APTs are good examples. Google got hit with an APT, and they were doing top-notch security. In your organization you should "assume breach". Do not think you're not breached; think you are already and don't know it. All the best practices have been laid out already.
Least privilege, segment network with access control, apply restrictive permissions on files and folders (services) that are important, train users not to open everything they are sent.
That's it.
UTM, NextGen this-n-that, all crap if you don't have the basics.

-rich
Can you please come back and close the question? Thank you.
Thank you for following up.