Educause Security Discussion mailing list archives
Re: pesky malware
From: Curt Wilson <curtw () SIU EDU>
Date: Fri, 17 Apr 2009 11:05:04 -0500
I've seen "cleaning" tools fail many times, and ongoing review of active malware over the last few years shows that many antivirus apps fail at detection and certainly at "cleaning" many times. My suggestions:

1) aggressive update of OS + all third party apps (use Secunia OSI to detect vuln 3rd party apps)
2) don't surf as admin/power user
3) educate users about social engineering tricks
4) don't trust anti-malware tools, and don't trust "cleaning" tools. Wipe and reload, after analyzing for data breaches.
5) don't store sensitive data, and encrypt it if it must be stored
6) Use the bothunter IDS rules (many culled from Emerging Threats) to detect some infections that get by the defenses

Even with these defenses, timing is important, and anyone can still get hit with a 0day attack in the right circumstances, so it's important to add defense in depth and reduce the attack surface.

LuckySploit and other malware kits are out there and are compromising systems. I've seen compromises of various systems due to vulnerable versions of Flash and Adobe Reader lately, and the chain of activity afterwards is lengthy. I've also seen activity involving multiple infection types such as Zeus and infostealer trojans, combined with adware-ish trojans such as Vundo, and of course tons of rogue anti-malware apps.

Barros, Jacob wrote:
> We have found a number of machines infected with Trojans and other malware and are struggling with removal. It appears that each machine is infected with a generic downloader which grabs random malware, making each infection different. Most machines have been Windows XP, all Windows updates applied. We are using McAfee VirusScan Enterprise, but at this point, McAfee is not effective at finding and cleaning the machines. So far McAfee has found the Generic!atr Trojan, Generic Downloader.x Trojan and the Sality.gen.c Virus.
>
> However, there is still something running on our machines that is not being detected. We know this by the existence of a registry entry in HKLM\Software\Microsoft\Windows\Current Version\Run. File name is always different but the key calls 'rundll32.exe' at 'c:\windows\randomname.dll'. Also, most infected clients are running 'services.exe' which is trying to connect to multiple hosts outbound on port 25 (which McAfee has blocked). Other than that, there is no unusual network activity coming from any of these machines. Delete the file and registry key, reboot and it's back. System restore turned off. No other invalid services running. Used HijackThis to examine startup items. A copy of the dll has been submitted to WebImmune, but we have not heard back.
>
> We are unsure of the method of infection but it appears to be contained. Trouble is, we don't have a consistent way of cleaning it. At this point, we are not trying to clean faculty and staff machines anymore but are just pulling the HDDs and giving them new hardware with a clean image. I am told the techs have had success on students' machines with combos of Malwarebytes, Avira AV, Spybot SD and SuperAntiSpyware but have not seen those logs yet.
>
> Anyone else finding this type of behavior? Advice?
>
> Jacob Barros
> Network Administrator
> Grace College
--
Curt Wilson
SIUC IT Security Officer & Security Engineer
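The two indicators Barros describes (a Run key invoking rundll32.exe on a randomly named DLL in the Windows directory, and a process calling itself services.exe attempting outbound port-25 connections) can be triaged from the output of `reg query` and `netstat -ano`; the script below is an added example, not code from either poster, and runs over constructed sample output with a constructed pid-to-image mapping such as `tasklist` would give.

```python
import re

# Constructed sample of: reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_KEY_OUTPUT = """
HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    VTTimer    REG_SZ    VTTimer.exe
    McAfeeUpdaterUI    REG_SZ    "C:\\Program Files\\McAfee\\Common Framework\\UdaterUI.exe" /StartedFromRunKey
    xkqvwz    REG_SZ    rundll32.exe c:\\windows\\hqzplrx.dll,start
"""

# Constructed sample of: netstat -ano  (XP columns: Proto, Local, Foreign, State, PID)
NETSTAT_OUTPUT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.1.2.3:1044          192.0.2.10:80          ESTABLISHED     1820
  TCP    10.1.2.3:1051          198.51.100.7:25        SYN_SENT        1372
  TCP    10.1.2.3:1052          198.51.100.9:25        SYN_SENT        1372
"""

# Constructed pid -> image name mapping (what `tasklist` would report)
PID_TO_IMAGE = {1820: "iexplore.exe", 1372: "services.exe"}

# rundll32 loading a DLL that sits directly in the Windows directory root
RUNDLL_RE = re.compile(r"rundll32(\.exe)?\s+(?P<dll>[a-z]:\\windows\\[^\\,\s]+\.dll)", re.I)


def suspicious_run_entries(reg_output):
    """Return (value_name, dll_path) for Run entries matching the pattern
    Barros reports: rundll32.exe on a DLL placed straight in c:\\windows."""
    hits = []
    for line in reg_output.splitlines():
        parts = line.split(None, 2)          # name, type, data
        if len(parts) == 3 and parts[1].startswith("REG_"):
            m = RUNDLL_RE.search(parts[2])
            if m:
                hits.append((parts[0], m.group("dll").lower()))
    return hits


def smtp_connections_by_pid(netstat_output):
    """Count outbound TCP connections or attempts to port 25, keyed by PID."""
    counts = {}
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[2].endswith(":25"):
            pid = int(parts[4])
            counts[pid] = counts.get(pid, 0) + 1
    return counts


def flag_services_exe_smtp(netstat_output, pid_to_image):
    """PIDs whose image is services.exe and that talk to port 25. The genuine
    services.exe never speaks SMTP, so any hit marks a host for reimaging."""
    return sorted(pid for pid in smtp_connections_by_pid(netstat_output)
                  if pid_to_image.get(pid, "").lower() == "services.exe")
```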