You're welcome. Have "fun"!
----
Jack Kramer
Manager of Information Technology
Communications and Brand Strategy
Michigan State University
w: 517-884-1231 / c: 248-635-4955

On May 8, 2013, at 12:17 PM, Shaun Leininger <[log in to unmask]> wrote:

John, Jack,

Thanks for the advice. I’m concluding for now that it’s easier (faster for the user) to wipe and restore critical files. I’ll image the drive before the wipe – in case I miss an important file, or to learn some of the tools you suggested the hands-on way. Thanks for the tips!

Cheers,

Shaun Leininger 
Information Technology Professional
Department of Anthropology
517-884-0388

From: John Resotko [mailto:resotko@LAW.MSU.EDU] 
Sent: Wednesday, May 08, 2013 9:57 AM
To: [log in to unmask]
Subject: Re: [MSUNAG] Botnet / Possible Rootkit Infection: "Shipping Status" Email

 

My bot/rootkit tools usually include:

Kaspersky's TDSSKiller
Comodo Cleaning Essentials, especially the KillSwitch.exe program
VIPRE Rescue run in safe mode, although I'm finding that it isn't keeping up, and newer bots are getting past it.
Hiren's Boot CD, a great tool for booting from to prevent memory-resident bugs from taking hold so you can run clean scans
RUBotted is a good tool post-cleanup, as it continues to monitor traffic and look for bot-like behavior.

Generally, most bot-net and similar trojans now install themselves in several places, and often install binaries in pieces that are re-assembled on reboot to reinfect the machine.  These days, if I can't get three different virus scan tools to run clean in safe mode, I'll just wipe and re-image the computer after recovering critical files.  You can spend way too many hours on cleanup, and still not be 100% sure you removed all the bugs.  Good luck to you!

 
John A. Resotko
Assistant Director, Systems Administration and Support
Michigan State University College of Law
648 N. Shaw Lane, Room 208 Law College
East Lansing, MI  48824-1300
email: [log in to unmask]
Phone: 517-432-6836
Fax: 517-432-6861
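John's point that current bots drop themselves in several places (and re-assemble on reboot) is why a manual look at startups/services can miss them. An added example, not from anyone in this thread: a PowerShell snapshot of the common autostart locations on a Windows 7 machine, with a SHA-256 of each referenced binary, so the list can be diffed offline against a known-good image or re-run after a reboot to spot entries that come back. It assumes an elevated PowerShell 2.0 prompt (hence .NET hashing rather than Get-FileHash) and a hypothetical output path; the HKCU keys read are those of the account running the script, so the infected user's own hive would need to be loaded separately.

```powershell
# Added example, not part of the MSUNAG thread. Snapshot autostart locations
# (Run/RunOnce keys, services, scheduled tasks) and hash the executables they
# point at, so two snapshots (before/after reboot, or suspect vs. clean image)
# can be diffed. Written for Windows 7 / PowerShell 2.0 (no Get-FileHash).
# $OutFile is a hypothetical location; adjust to taste.

$OutFile = 'C:\Triage\autostart-snapshot.csv'

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

$Entries = @()

# 1. Registry Run / RunOnce values (skip the PS* provider properties).
foreach ($Key in $RunKeys) {
    if (Test-Path $Key) {
        $Props = Get-ItemProperty -Path $Key
        $Props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object {
                $Entries += New-Object PSObject -Property @{
                    Source = $Key; Name = $_.Name; Command = $_.Value
                }
            }
    }
}

# 2. Services: PathName is what the service control manager actually launches.
Get-WmiObject Win32_Service | ForEach-Object {
    $Entries += New-Object PSObject -Property @{
        Source = 'Service'; Name = $_.Name; Command = $_.PathName
    }
}

# 3. Scheduled tasks via schtasks (available on Win7 without extra modules).
schtasks /query /v /fo csv | ConvertFrom-Csv | ForEach-Object {
    $Entries += New-Object PSObject -Property @{
        Source = 'ScheduledTask'; Name = $_.TaskName; Command = $_.'Task To Run'
    }
}

# Pull the executable path out of a command line: quoted path or first token,
# with %VAR% references expanded.
function Get-ExePath([string]$Cmd) {
    if ([string]::IsNullOrEmpty($Cmd)) { return $null }
    $Cmd = [Environment]::ExpandEnvironmentVariables($Cmd)
    if ($Cmd -match '^"([^"]+)"') { return $Matches[1] }
    return ($Cmd -split ' ')[0]
}

$Sha256 = [System.Security.Cryptography.SHA256]::Create()
$Report = foreach ($E in $Entries) {
    $Path = Get-ExePath $E.Command
    $Hash = $null
    $Exists = [bool]($Path -and (Test-Path -LiteralPath $Path -PathType Leaf))
    if ($Exists) {
        $Bytes = [System.IO.File]::ReadAllBytes($Path)
        $Hash  = ([System.BitConverter]::ToString($Sha256.ComputeHash($Bytes))) -replace '-', ''
    }
    # A referenced file that is missing now but present after a reboot is
    # exactly the "re-assembled on reboot" pattern worth flagging.
    New-Object PSObject -Property @{
        Source = $E.Source; Name = $E.Name; Command = $E.Command
        Path = $Path; Exists = $Exists; SHA256 = $Hash
    }
}

New-Item -ItemType Directory -Force -Path (Split-Path $OutFile) | Out-Null
$Report |
    Select-Object Source, Name, Path, Exists, SHA256, Command |
    Export-Csv -NoTypeInformation -Path $OutFile
```

Run it once in safe mode and once after a normal boot, then compare the two CSVs (Compare-Object on the SHA256 and Path columns is enough); anything that appears only after the reboot, or whose hash changed, is a candidate for John's "three different scanners, otherwise re-image" rule rather than a reason to keep cleaning.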
>>>
Maybe see what, if anything, ComboFix finds?
----
Jack Kramer
Manager of Information Technology
Communications and Brand Strategy
Michigan State University
w: 517-884-1231 / c: 248-635-4955
 
On May 7, 2013, at 5:26 PM, Shaun Leininger <[log in to unmask]> wrote:


Just figured I’d pass on a nasty infection I’m cleaning up, in case anyone else sees the same type of hit, or has advice for cleanup.
User was infected by an e-mail – the common “Check Shipping Status / Tracking Information” type e-mail. I don’t have a sample of the e-mail; the user had already deleted it (and cleared deleted items). Machine is Win-7 64 SP1, fully patched, with fully up-to-date Java (7u21) and Flash (11…..169) installed. User has no admin privileges.
Only symptom is popups from Symantec Endpoint Protection’s Email Protection service flagging and blocking outbound e-mails with similar titles – distributing itself, probably as part of a botnet. I immediately pulled it from the network when the user brought it to me, and have been scanning it offline, in safe mode. No hits from a Malwarebytes full scan, no hits yet on a Symantec full scan – we’ll see in the morning. HijackThis doesn’t show me anything unusual in startups/services. Nothing obvious in the system logs. At this point, I’m figuring this is a new exploit that isn’t detected yet by common definitions, the machine is owned and part of a botnet, and I’m reformatting and reimaging.
Nasty bit is that there would have been no detection of a problem until someone in the networking group came knocking on my door reporting an issue, or some other symptoms had manifested – except that Symantec Email Protection flagged/blocked some of the outgoing messages. Would have been a lot nicer if it stopped the infection or caught it in a scan, though…
Shaun Leininger 
Information Technology Professional
Department of Anthropology
517-884-0388