When malware spreads on the network: panic, magic vs calmness, sanity


I love to talk about things that amaze me, and this is one of the interesting ones. However, I will quickly come to the point. There was a situation where a network admin was in a real panic. He was seeing very weird behaviour on a few machines on the network. He was using SCEP, which was detecting the malware as a coinminer, but as soon as it was detected, the infected files were coming back. So the admin's statement was "it appears SCEP is not detecting or not able to clean it".

After looking at this behaviour, I pulled out my favourite tools. One of them does not need any installation: netstat -ano. That gave me all the incoming SMB (TCP 445) connections to this machine and, obviously, the source machines as well. After that, I used a tool called Network Monitor (netmon 3.4). I filtered for SMB traffic and could clearly see the IP address that I had seen in the netstat -ano output sending SMB traffic, trying to create the infection file in users' profile folders. These were the same locations the admin had shown me earlier, where the infection was coming back after removal.
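The netstat step above can be scripted so the source machines stand out. This is an added example, not code from the original post: the function name Get-InboundSmbPeer is hypothetical and the sample lines are constructed using documentation IP addresses.

```powershell
# Added example: summarise inbound SMB (TCP 445) peers from `netstat -ano` output.
# $sample is constructed data, not output from the incident described in the post.
$sample = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:445         192.0.2.57:49811       ESTABLISHED     4
  TCP    192.0.2.10:445         192.0.2.57:49812       ESTABLISHED     4
  TCP    192.0.2.10:445         192.0.2.88:50233       ESTABLISHED     4
  TCP    192.0.2.10:49702       192.0.2.5:445          ESTABLISHED     4
  TCP    192.0.2.10:3389        192.0.2.20:51514       ESTABLISHED     1108
'@ -split "`r?`n"

function Get-InboundSmbPeer {
    param([Parameter(Mandatory=$true)][string[]]$NetstatLines)

    $NetstatLines | ForEach-Object {
        # Columns: Proto, Local Address, Foreign Address, State, PID
        $f = $_.Trim() -split '\s+'
        # Inbound SMB = local port 445 on a connected (not listening) socket.
        # The last -match fills $Matches with the remote address (IPv4 or [IPv6]).
        if ($f.Count -eq 5 -and $f[0] -eq 'TCP' -and $f[3] -ne 'LISTENING' -and
            $f[1] -match ':445$' -and $f[2] -match '^(.+):\d+$') {
            $Matches[1]
        }
    } | Group-Object | Sort-Object Count -Descending |
        Select-Object @{n='RemoteAddress';e={$_.Name}}, @{n='Connections';e={$_.Count}}
}

# Against the constructed sample:
Get-InboundSmbPeer -NetstatLines $sample

# Against the live machine:
# Get-InboundSmbPeer -NetstatLines (netstat -ano)
```

The row where the remote port is 445 is skipped on purpose: that is this machine connecting out to a share, not another machine writing to it.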

So I asked them to take me to the machine that was sending this SMB traffic and trying to create these files. When we got there, we found SCEP was disabled. They had a group policy that disabled it, so obviously it was not detecting and cleaning, since it was not running at all. I again used Network Monitor on this machine to analyse its behaviour. I ran the following filter in netmon, where filename.exe is the exe file this malware was trying to create on the target machine, and the path is the usual path where it was trying to create these files.

SMB2.CCreate.Name == "ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\filename.exe"

The output of this filter in Network Monitor gave me the list of other machines this malware was trying to infect from this machine; it was a huge list. The admin used that list to check the status of SCEP on those machines and whether it was detecting and cleaning there. Meanwhile they also took this machine out of the GPOs that disabled SCEP on it.

So if SCEP had been running as usual on this HUB of malware :), this issue would not have occurred at all.

Even when we see this behaviour, where AV cleans the malware and it comes right back, it is not magical malware or some super malware that returns after being cleaned. If it is coming back like this, obviously the source is on the network. We have network protocols that do certain things for us on the network, and there are not too many protocols that do file or share access. In Windows networks, we have the SMB protocol for share and file access. Malware writers do not invent new protocols; they use these existing protocols to create files over the network on other machines and spread infections.

In one scenario, an admin was looking for a containment method while he got his infected machines cleaned using AV. In his scenario, I saw the same method of file creation. One short-term containment idea that I gave them was to stop inbound SMB traffic on these infected machines using Windows Firewall, with the netsh command:

netsh advfirewall firewall add rule name="block445in" protocol=TCP dir=in localport=445 action=block

SMB may be required for GPO (to get RSOP reports), so you may want to revert this after you get back to normal, but you can stop the spread using this idea.
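Since the rule has to come off again once things are back to normal, here is an apply/revert wrapper around the same netsh commands. It is an added example, not code from the original post: the rule names block445in and block445out are the ones used in this post, while the function name Set-Smb445Containment is hypothetical.

```powershell
# Added example: idempotent apply/revert of the SMB block rules via netsh.
# Rule names come from the post; Set-Smb445Containment is a hypothetical name.
# Run from an elevated PowerShell prompt.
$Smb445Rules = @(
    @{ Name = 'block445in';  Dir = 'in';  Port = 'localport=445'  },
    @{ Name = 'block445out'; Dir = 'out'; Port = 'remoteport=445' }
)

function Set-Smb445Containment {
    param(
        [Parameter(Mandatory=$true)]
        [ValidateSet('Block','Revert')]
        [string]$Mode
    )
    foreach ($r in $Smb445Rules) {
        # 'show rule' exits non-zero when no rule with this name exists
        netsh advfirewall firewall show rule "name=$($r.Name)" | Out-Null
        $exists = ($LASTEXITCODE -eq 0)

        if ($Mode -eq 'Block' -and -not $exists) {
            # Add only when missing, so repeated runs do not stack duplicate rules
            netsh advfirewall firewall add rule "name=$($r.Name)" protocol=TCP "dir=$($r.Dir)" $r.Port action=block
        }
        elseif ($Mode -eq 'Revert' -and $exists) {
            netsh advfirewall firewall delete rule "name=$($r.Name)"
        }
    }
    # List the matching rule names that are in place afterwards
    netsh advfirewall firewall show rule name=all | Select-String 'block445'
}

# Usage:
# Set-Smb445Containment -Mode Block     # during containment
# Set-Smb445Containment -Mode Revert    # once the source machines are clean
```

The block rules only take effect while Windows Firewall is on for the active profile, which `netsh advfirewall show currentprofile` will confirm.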

I had another admin who wanted to disable the NIC when their AV detects malware (sounds paranoid, I know). Technically you can do that, but it has challenges 🙂

The technique is simple. I wrote a blog post some time back on doing a few things based on event ID: http://blogs.technet.com/b/sooraj-sec/archive/2013/05/03/generating-netstat-output-when-a-specific-event-occurs-in-the-eventlog-using-powershell.aspx

Get the VBS file as below.

Step 1: Copy the contents of the script from the above post (shown below) into Notepad, save it as EvtMon.vbs, and put it in a folder, let's call it yourfolder, e.g. c:\yourfolder.

'======================================================================
' Print out the help when something is not typed in correctly or when
' nothing at all is typed in.

Public Sub PrintHelp
    Wscript.Echo "Usage:"
    Wscript.Echo "  EvtMon EventNumber [LogFileDisplayName]"
    Wscript.Echo "    LogFile is optional.  If used, the eventlog name"
    Wscript.Echo "    file ie, application, system, security, etc..."
End Sub

' Get the arguments.  Check for event number and log file as arguments
Set objArgs = WScript.Arguments

' See how many arguments we have and collect them.
if objArgs.Count < 1 OR objArgs.Count > 2 Then
    PrintHelp
ElseIf objArgs.Count > 1 Then
    EventNumber = objArgs(0)
    LogFile = objArgs(1)
Else
    EventNumber = objArgs(0)
    LogFile = ""
End If

If EventNumber <> "" Then

    strComputer = "."

    ' Attach to the WMI Service
    Set objWMIService = GetObject("winmgmts:{(Security)}\\" & _
            strComputer & "\root\cimv2")

    ' if the LogFile is populated add this to our query.  Create a
    ' Event Log monitoring object and send it a query.
    If LogFile = "" Then
        Set colMonitoredEvents = objWMIService.ExecNotificationQuery _   
            ("Select * from __InstanceCreationEvent Where " _
                & "TargetInstance ISA 'Win32_NTLogEvent' " _
                    & "and TargetInstance.EventCode = '" _
                    & EventNumber & "'")
    Else
        Set colMonitoredEvents = objWMIService.ExecNotificationQuery _   
            ("Select * from __InstanceCreationEvent Where " _
                & "TargetInstance ISA 'Win32_NTLogEvent' " _
                    & "and TargetInstance.EventCode = '" _
                    & EventNumber _
                    & "' and TargetInstance.LogFile = '" _
                    & LogFile & "'")
    End If

    ' Create an object which returns when the next event occurs.
    Set objLatestEvent = colMonitoredEvents.NextEvent
   
    ' Print some info based on the event log we encountered.
    Wscript.Echo objLatestEvent.TargetInstance.User
    Wscript.Echo objLatestEvent.TargetInstance.TimeWritten
    Wscript.Echo objLatestEvent.TargetInstance.Message
    WScript.Echo objLatestEvent.TargetInstance.Logfile
    Wscript.Echo
End If

 

Step 2: Use one of the batch files given below; each has a different impact.

The following batch file, together with the above script, blocks inbound and outbound SMB traffic. You need to give the event ID that your AV generates when it detects malware; please see the link I gave above for the command.

 

======= you can copy it as 445-instop.bat from below=======

 

@echo off
rem EvtMon.vbs returns when the given event ID is logged; then the block rules are added.
cscript //NoLogo EvtMon.vbs %2 %3
powershell.exe -command "& netsh advfirewall firewall add rule name=block445in protocol=TCP dir=in localport=445 action=block"
powershell.exe -command "& netsh advfirewall firewall add rule name=block445out protocol=TCP dir=out remoteport=445 action=block"
ping -n 1 4.3.2.1
goto :EOF

=====================================================

 

The following batch file, along with the VBS script from my blog post, can be used to disable the NIC on a particular event ID (the one the AV generates on detection).

The challenge with this is that you need to know the name of the NIC to disable, so practically it is not a feasible option.

========you can copy as NIC-disable.bat from below==========

@echo off
rem EvtMon.vbs returns when the given event ID is logged; then the named NIC is disabled.
cscript //NoLogo EvtMon.vbs %2 %3
powershell.exe -command "& netsh interface set interface 'Wi-Fi' admin=disable"
ping -n 1 4.3.2.1
goto :EOF

===================================================================================

To be honest, in my opinion this paranoid approach is not very amazing, even with Windows Firewall and blocking ports based on the event ID for malware detection, because it will work for malware for which your AV has signatures, not for new variants. But if you want it done anyway, you technically can :).

For readers: I would welcome more ways of containment (ISC2's book on CISSP gives a few, but if you know others besides those). If you are reading this, you can add your methods in the comments.

Comments (2)

  1. Salman Sami says:

    Helpful really.

  2. Vasu Deva says:

    Great Work Suraj!
    but seems there is a mess-up in article published by MPC, under "symptoms" section, it says "if I have svchost.exe in my machine then I am infected with CoinMiner" 🙂
