Home page logo
/

pauldotcom logo PaulDotCom mailing list archives

Re: LAN Virus outbreak Procedures
From: Craig Freyman <craigfreyman () gmail com>
Date: Thu, 2 Sep 2010 22:15:13 -0600

You said ESET, right? You might of had another problem like a lot of us did today 
http://www.thinq.co.uk/2010/9/2/eset-nod32-antivirus-pains/

Ugh. Long day. 



On Sep 2, 2010, at 6:28 PM, Chris Keladis <ckeladis () gmail com> wrote:

Err TMPFILE location search was..

wmic environment list /format:list

Another handy one.. Need to find if a patch or "QFE" is installed? And
on what date and by whom? Try...

wmic qfe list brief /format:list



Cheers,

Chris.

On Fri, Sep 3, 2010 at 10:25 AM, Chris Keladis <ckeladis () gmail com> wrote:
No worries.

I nearly forgot, you dont even need to install SysInternals "pslist"
to copy a process-list to a share. Windows (from XP on i think) gives
you the tool already (see "tasklist" command).

Something like "tasklist > X:\my\network\share\user1_machine10.txt"

Also do variations like "tasklist /svc" to see services and their dependencies.

You can use the "wmic" tool locally or even remotely to pull info out
of machines (assuming the malware hasn't impacted WMI operating or
subverted it's results).

Get a list of popular auto-run locations..

wmic startup list brief

Or a more detailed list..

wmic startup list full

Put it in a nice HTML on a share..

wmic /output:Z:\share\user1_machine10_autoruns.htm startup list full
/format:hform.xsl

Need the machines BIOS info? Easy..

wmic bios get /format:list

Drives inside the machine?

wmic diskdrive list brief /format:list

Need to find TMPFILE locations malware likes to hide in?

wmic diskdrive list brief /format:list

And so on.. "wmic" will auto-install (no CD or CABs required) if never
used before, and you can remotely query machines on your LAN to gather
info via WMI to perform triage, assuming their XP or newer.

WMI can be installed as an add-on for prior releases.

All with no additional software installed. In your case however, keep
in mind the malware may have broken WMI and will likely require manual
clean-up.


Cheers,

Chris.


On Fri, Sep 3, 2010 at 7:20 AM, Tyler Robinson <pcimpressions () gmail com> wrote:
Thanks that is awesome advice I am starting thereand running ossim and
trying to analyze ya I could use 2 more people for sure but thanks everyone
again the advice given is invaluable keep any ideas coming I will be trying
a lot of things and hopefully can post what works and my experience to help
others .
TR

On Sep 2, 2010 3:08 PM, "Chris Keladis" <ckeladis () gmail com> wrote:
On Fri, Sep 3, 2010 at 5:24 AM, Tyler Robinson <pcimpressions () gmail com>
wrote:

Hey Tyler,

Thanks everyone for all the ideas the enviroment has about 350 machines
at
least all on flat domain can't vlan due to stupid software
configurations. I
have several systems that have to be live all the time (911 systems) and
vmware esx servers in cluster. Any other suggestions is again so much
appreciated I am willing to try just about anything right now I have a
lot
of angry users right now due to network performace ( for there
facebooking I
am sure) wanting this fixed and the sheriffs department has its busiest
week
of the year starting sat so please no idea will not be tried.

Ouch! Sounds like you need more hands and eyes on the problem :)

The only thing i can think of, bar running around to 350 PCs is maybe
sample a few to understand what malware you've got going on.

Make use of Microsoft's (ex-Sysinternals) tools to investigate.
AutoRuns, ProcExp, etc etc.

One handy tip when using ProcExp, dont "kill" malicious processes,
rather, "pause" or "freeze" them. Most malware these days have SIGKILL
handlers to spawn their cousins when their killed and you end up with
more problems.

Once you understand what you've got going on you can perhaps download
a removal tool and make everyone run it.

Also keep in mind sensitive information may have been leaked by the
malware, so once you have a handle on the situation, change ALL
passwords, and follow up on anything important that might have leaked
out of the organization (this may have ramifications down the track).

Most malware infections these days aren't one-off's (they use
droppers, stagers, load root-kits and other add-ons) so you can try to
control the primary infection on the LAN, but at some point manual
review will be needed as well, eg, booting off a USB key/CD and
checking for rootkits etc etc..

Also tell people to stop using any form of removable media to avoid
the (re)spread in or out of the organization, until you get a handle
on the situation.

Maybe you can script something and use Sysinternals tools like
"pslist" to copy a process list to a share you can then analyze
further? Maybe setup a job via the RunOnce reg-key or Scheduler and
ask everyone to reboot (RunOnce) or wait (Scheduler), so you at least
get a peak into the processes running and can make a plan of attack.

Hope i've given you some practical advice, unfortunately since the
previous admin hadnt set up controls to mitigate you face a very
difficult task.

But, this disaster may give you the ammunition you need to make
improvements! :)


Cheers,

Chris.
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]