Educause Security Discussion mailing list archives

Re: pesky malware


From: Curt Wilson <curtw () SIU EDU>
Date: Fri, 17 Apr 2009 11:05:04 -0500

I've seen "cleaning" tools fail many times, and ongoing review of active
malware over the last few years shows that many antivirus apps fail at
detection and certainly at "cleaning" many times.

My suggestions:

1) aggressive update of OS + all third party apps (use Secunia OSI to
detect vuln 3rd party apps)
2) don't surf as admin/power user
3) educate users about social engineering tricks
4) don't trust anti-malware tools, and don't trust "cleaning" tools.
Wipe and reload, after analyzing for data breaches.
5) don't store sensitive data, and encrypt it if it must be stored
6) Use the bothunter IDS rules (many culled from Emerging Threats) to
detect some infections that get by the defenses

Even with these defenses, timing is important, and anyone can still get
hit with a 0day attack in the right circumstances, so it's important to
add defense in depth, reduce the attack surface.

LuckySploit and other malware kits are out there and are compromising
systems. I've seen compromises of various systems due to vulnerable
versions of Flash and Adobe Reader lately, and the chain of activity
afterwards is lengthy. I've also seen activity involving multiple
infection types such as Zeus and infostealer trojans, combined with
adware-ish trojans such as Vundo, and of course tons of rogue
anti-malware apps.



Barros, Jacob wrote:
We have found a number of machines infected with Trojans and other
malware and are struggling with removal.  It appears that each machine
is infected with a generic downloader which grabs random malware making
each infection different.  Most machines have been Windows XP, all
windows updates applied.  We are using McAfee VirusScan Enterprise, but
at this point, McAfee is not effective at finding and cleaning the
machines.

So far McAfee has found the Generic!atr Trojan, Generic Downloader.x
Trojan and the Sality.gen.c Virus.  However, there is still something
running on our machines that is not being detected.  We know this by the
existence of a registry entry in HKLM\Software\Microsoft\Windows\Current
Version\Run.  File name is always different but the key calls
'rundll32.exe' at 'c:\windows\randomname.dll'.  Also, most infected
clients are running 'services.exe' which is trying to connect to
multiple hosts outbound on port 25 (which McAfee has blocked).  Other
than that, there is no unusual network activity coming from any of these
machines.  Delete the file and registry key, reboot and it's back.
System restore turned off.  No other invalid services running. Used
HijackThis to examine startup items.

A copy of the dll has been submitted to WebImmune, but we have not heard
back.  We are unsure of the method of infection but it appears to be
contained.  Trouble is, we don't have a consistent way of cleaning it.
At this point, we are not trying to clean faculty and staff machines
anymore but are just pulling the HDDs and giving them new hardware with
a clean image.  I am told the techs have had success on students'
machines with combos of Malwarebytes, Avira AV, Spybot SD and
SuperAntiSpyware but have not seen those logs yet.

Anyone else finding this type of behavior?  Advice?

Jacob Barros
Network Administrator
Grace College



--
Curt Wilson
SIUC IT Security Officer & Security Engineer
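
The persistence indicator described in the quoted message (a Run value that calls rundll32.exe on a randomly named DLL dropped directly in c:\windows rather than in system32 or a vendor folder) can be triaged offline from a `reg export` of that key taken on the suspect host. The script below is an added example, not code from either poster or from any tool named in the thread; the registry export it parses is constructed sample data and its value names and DLL names are invented.

```python
import re

# Constructed sample of a `reg export` dump of the Run key (not data from the thread).
# Real exports are UTF-16 text; read them with open(path, encoding="utf-16").
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="\"C:\\Program Files\\McAfee\\VirusScan Enterprise\\SHSTAT.EXE\" /STANDALONE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"jqwsxlmv"="rundll32.exe c:\\windows\\kdqpwzrt.dll,Start"
"winupd"="C:\\WINDOWS\\system32\\rundll32.exe \"C:\\WINDOWS\\zxqvtrwp.dll\",DllRegisterServer"
"""

# "name"="value" lines of a .reg file (REG_SZ only; hex/expandable types are skipped).
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')
# rundll32 (bare or with a path), then the DLL (optionally quoted), then ",EntryPoint".
RUNDLL_RE = re.compile(
    r'^"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?(?:,.*)?$', re.I)
# A DLL sitting directly in the Windows directory, the location the thread describes.
WINROOT_DLL_RE = re.compile(r'^[a-z]:\\windows\\[^\\]+\.dll$', re.I)


def unescape_reg(value):
    # In .reg string data a backslash escapes the following character.
    return re.sub(r'\\(.)', r'\1', value)


def parse_run_values(reg_text):
    # Yield (key, value_name, command) for every string value under a key ending in Run.
    key = None
    for line in reg_text.splitlines():
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key and key.lower().endswith('\\run'):
            yield key, m.group('name'), unescape_reg(m.group('value'))


def suspicious_rundll_entries(reg_text):
    # Return Run values that launch rundll32 on a DLL placed directly in the Windows root.
    hits = []
    for key, name, cmd in parse_run_values(reg_text):
        m = RUNDLL_RE.match(cmd.strip())
        if m and WINROOT_DLL_RE.match(m.group('dll').strip()):
            hits.append({'key': key, 'name': name, 'dll': m.group('dll').strip()})
    return hits


if __name__ == '__main__':
    for h in suspicious_rundll_entries(SAMPLE_REG_EXPORT):
        print(f"SUSPICIOUS value {h['name']!r} loads {h['dll']} via rundll32 ({h['key']})")
```

Legitimate rundll32 autostarts (the NvCpl entry in the sample) point into system32 and are not flagged, so the output is a short list of values worth checking against the on-disk DLL before the wipe-and-reload the thread recommends.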
