Endpoint Protection


Hosts File Modified

  • 1.  Hosts File Modified

    Posted Sep 07, 2011 10:18 AM

    Running into a problem this morning. It was picked up last night that the hosts file was modified on many computers as far back as August 19th. SEP is installed on all these systems and is up to date. It hasn't picked up anything. Based on a little Google research this issue is usually accompanied by a FakeAV infection. However I can neither detect nor have record of this being blocked on these machines. I can fix the machines fairly easily but I'm mainly concerned with the mechanism of infection. Any clues?

    Sample of the hosts file.

    89.149.230.156 www.google.de
    89.149.230.156 www.google.fr
    89.149.230.156 www.google.co.uk
    89.149.230.156 www.google.com.br
    89.149.230.156 www.google.it
    89.149.230.156 www.google.es
    89.149.230.156 www.google.co.jp
    89.149.230.156 www.google.com.mx
    89.149.230.156 www.google.ca
    89.149.230.156 www.google.com.au
    89.149.230.156 www.google.nl
    89.149.230.156 www.google.co.za
    89.149.230.156 www.google.be
    89.149.230.156 www.google.gr
    89.149.230.156 www.google.at
    89.149.230.156 www.google.se
    89.149.230.156 www.google.ch
    89.149.230.156 www.google.pt
    89.149.230.156 www.google.dk
    89.149.230.156 www.google.fi
    89.149.230.156 www.google.ie
    89.149.230.156 www.google.no
    89.149.230.156 search.yahoo.com
    89.149.230.156 us.search.yahoo.com
    89.149.230.156 uk.search.yahoo.com
    89.149.230.156 www.bing.com



  • 2.  RE: Hosts File Modified

    Posted Sep 07, 2011 10:22 AM

    Did you run a full scan? Any suspicious process in Task Manager?



  • 3.  RE: Hosts File Modified

    Posted Sep 07, 2011 10:42 AM

    Upgrading to SEP 12.1 can stop this as it has the ability to stop modifications to the hosts file rather easily.

    You can create an app and device control policy in SEP 11.x to stop this as well.

    I would run a full scan in safe mode.



  • 4.  RE: Hosts File Modified

    Posted Sep 07, 2011 10:59 AM

    Sorry, the idea of going to 12 just to stop this is a little beyond reasonable. I mean it seems like a simple issue. I'm mainly concerned with how this happened without SEP noticing. If it's a worm, why didn't it detect the worm? If it's a webpage, why didn't it block the software or script that made the change? In other words, it shouldn't have made it to the point where it could change the hosts file.



  • 5.  RE: Hosts File Modified

    Trusted Advisor
    Posted Sep 07, 2011 11:05 AM

    Hello,

    Since the changes have already taken place, what you can do is manually undo the changes.

    After you have undone the changes, you can create an Application Control Policy like the one below:

    By creating this policy, from then onwards all modifications to the hosts file would be blocked.

    Hope this works for you!!!



  • 6.  RE: Hosts File Modified

    Posted Sep 07, 2011 12:13 PM

    I've tried Application and Device Control before for another issue. Apparently it conflicts with the Embassy Suite TPM software on all of our Dells. I haven't tried it since doing several upgrades to SEP but I'm leery of activating this service.



  • 7.  RE: Hosts File Modified

    Trusted Advisor
    Posted Sep 07, 2011 02:38 PM

    Hello,

    I would request you to check the same on 1 test machine.

    Hope that helps!!



  • 8.  RE: Hosts File Modified

    Posted Sep 07, 2011 03:20 PM

    There is a SEP hardening policy available that you can install. I would install this in your test environment first before going into production.

    Hardening Symantec Endpoint Protection with an Application and Device Control Policy to increase security

    http://www.symantec.com/business/support/index?page=content&id=TECH132337&locale=en_US

    One other thing to check is your SEP security settings. Make sure you follow the Security Response recommended settings as shown below.

    Security Response recommends the following scan settings:

    | Antivirus Security Setting | Default Setting | High Security Policy | Security Response Recommendation |
    |---|---|---|---|
    | Lock settings | Some | Some | All |
    | Remediation: terminate processes | No | No | Yes |
    | Remediation: terminate services | No | No | Yes |
    | Auto-Protect action taken for security risks | Quarantine/Log | Quarantine/Log | Quarantine/Delete |
    | Network Auto-Protect | Disabled | Enabled | Enabled |
    | Bloodhound Level | Default (2) | Default (2) | Default (3) |
    | SEP Startup | System Start | System Start | System Start |
    | Auto-Protect Scan | Modify and access | Modify and access | Modify and access |

    Security Response recommends the following setting changes to TruScan for best protection:

    | TruScan | Default Setting | Security Response Recommendation |
    |---|---|---|
    | Scan Sensitivity | 9/Low | 100 |
    | Action on Detection | Log | Terminate |
    | Scan Frequency | 1:00 | 00:15 |

    http://www.symantec.com/business/support/index?page=content&id=TECH122943&locale=en_US


    Best,

    Thomas



  • 9.  RE: Hosts File Modified

    Posted Sep 07, 2011 05:29 PM

    Thank you for the hardening procedure; however, my original concern was how this happened, what avenue of attack allowed this.

    There were 107 affected machines. Of those machines only 37 have ever had a Single Risk Event, the other 70 have never detected a threat. Of those 37, only 7 have detected a threat after the Aug 16 date when this change was originally recorded. I would still like to know what infection caused this, because based on these numbers, it could still be hanging around and I would not know it.


    EDIT: Edited for some bad math on my part



  • 10.  RE: Hosts File Modified

    Posted Sep 08, 2011 12:48 PM

    I too am in the discovery phase of this issue. We have identified hundreds of PCs and servers that got hit as well as THE SEPM ITSELF! How could this happen undetected? I am looking for a root cause at this point while we are manually trying to edit the hosts file back to the original as we have many internal entries in different departments.

    Any help on this issue is greatly appreciated as there seems to be very little information on the web at this point.

    Regards,

    James



  • 11.  RE: Hosts File Modified

    Posted Sep 08, 2011 03:06 PM

    It happened because 11.x doesn't have any way of monitoring the hosts file other than an Application Control policy. So if you didn't have this in place then it will go unnoticed. 12.1 has this built in to SONAR.

    SEP excluded, you could always set this file to read-only with Windows built-in security.

    Unfortunately, the hosts file is used for malicious activity nowadays so something should be put in place, but simply editing it is not likely to be caught by SEP 11.x; it doesn't know if it's being edited for malicious reasons. Luckily, 12.1 has this ability now though.
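
    Two things this thread keeps coming back to are the shape of the tampered file (the first post's sample: two dozen search-engine hostnames all pointed at one public address) and, per the post above, the lack of any hosts-file monitoring in SEP 11.x unless you build an Application Control policy. The script below is an added example, not code from this thread, from Symantec or from SEP: it parses hosts-file text, flags the hijack pattern, and diffs the live file against a known-good baseline so an edit like this is noticed even without an endpoint agent watching the file. The sample file contents and the baseline are constructed; the watched label set, the default file path and the function names are assumptions of this example.

```python
"""Added example: audit a Windows hosts file for search-engine hijacking and
diff it against a known-good baseline. Not code from this thread or from SEP."""
import ipaddress
import os
import time
from collections import defaultdict

# Constructed sample: a few of the redirect entries quoted in the first post,
# plus the stock loopback line and an internal entry an admin would keep.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
10.0.5.20       intranet.corp.example   # constructed internal entry
89.149.230.156 www.google.com
89.149.230.156 www.google.de
89.149.230.156 search.yahoo.com
89.149.230.156 www.bing.com
"""

# Constructed known-good baseline, captured before the incident window.
BASELINE_HOSTS = """\
127.0.0.1       localhost
10.0.5.20       intranet.corp.example
"""

# Labels that should never be overridden on a managed workstation
# (assumption for this example; extend with what your estate cares about).
WATCHED_LABELS = {"google", "yahoo", "bing"}

# Default Windows location (assumption; override via the `path` argument).
DEFAULT_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text):
    """Return {hostname: ip} for every active mapping; comments and blanks are skipped."""
    mappings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: malformed line, not a mapping
        for name in fields[1:]:
            mappings[name.lower()] = str(ip)
    return mappings


def is_local(ip):
    """True for loopback, RFC 1918, link-local or unspecified addresses."""
    a = ipaddress.ip_address(ip)
    return a.is_loopback or a.is_private or a.is_link_local or a.is_unspecified


def find_hijacks(mappings, min_names=3):
    """Two checks: a watched public name resolved to a non-local address, and
    one non-local address that several distinct names collapse onto (the
    pattern in the posted sample, where every search-engine host shares one IP)."""
    findings = []
    by_ip = defaultdict(list)
    for name, ip in mappings.items():
        by_ip[ip].append(name)
        if not is_local(ip) and WATCHED_LABELS.intersection(name.split(".")):
            findings.append(("watched-domain-override", name, ip))
    for ip, names in by_ip.items():
        if not is_local(ip) and len(names) >= min_names:
            findings.append(("many-names-one-public-ip", ip, sorted(names)))
    return findings


def diff_hosts(baseline_text, current_text):
    """Mappings added, removed or re-pointed relative to the baseline."""
    base, cur = parse_hosts(baseline_text), parse_hosts(current_text)
    added = {n: ip for n, ip in cur.items() if n not in base}
    removed = {n: ip for n, ip in base.items() if n not in cur}
    changed = {n: (base[n], cur[n]) for n in base if n in cur and base[n] != cur[n]}
    return added, removed, changed


def audit_file(path=DEFAULT_HOSTS_PATH, baseline_text=BASELINE_HOSTS):
    """Read the live file and report findings plus its modification time; the
    mtime is what lets you correlate across machines (a later post in this
    thread saw all of its files change within a two-minute window)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    mtime = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(os.path.getmtime(path)))
    return {"path": path, "modified": mtime,
            "findings": find_hijacks(parse_hosts(text)),
            "diff": diff_hosts(baseline_text, text)}


if __name__ == "__main__":
    # Run against the constructed sample so the script works offline.
    for finding in find_hijacks(parse_hosts(SAMPLE_HOSTS)):
        print("FINDING:", finding)
    added, removed, changed = diff_hosts(BASELINE_HOSTS, SAMPLE_HOSTS)
    print("added:", added, "removed:", removed, "changed:", changed)
```

    Run it on a live machine with `audit_file()` and a baseline taken from a known-clean host; the diff is the useful part for the posters who keep internal entries in the file, since it separates the added redirect lines from the mappings that belong there, and the `many-names-one-public-ip` check catches the same pattern even if the attacker picks domains not in the watched set.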



  • 12.  RE: Hosts File Modified

    Posted Sep 08, 2011 07:31 PM

    I have the exact same entries in the hosts file on about 10 machines where I work. The modified date is August 17th and all the hosts files were modified within the span of 2 minutes. A full system scan does not detect any viruses and there does not appear to be any unrecognized processes running. As the original poster said, I am mainly concerned with what caused the hosts files to be modified and if there is anything still kicking around on these machines.

    I will be going through one of the affected machines tomorrow with a fine tooth comb. If I can find anything relevant I will be sure to post an update. If anyone has any insight into the root cause of these changes, I would greatly appreciate it.



  • 13.  RE: Hosts File Modified

    Posted Sep 08, 2011 07:51 PM

    It can only be a few things: automated script to change it, perhaps for in-house programs, human interaction, or malware.

    If there is an undetected virus on the system, it will be possible to tell but very hard to pinpoint since the purpose of the virus is to be FUD anyway.

    You can always try some second opinion scanners like Malwarebytes or Hitman Pro to see what they find.

    Do the AV logs reveal malicious activity in the past? If not, you may have something currently undetected by SEP on it.



  • 14.  RE: Hosts File Modified

    Posted Sep 09, 2011 04:25 AM

    I agree with Brian,

    This infection might be in the wild and not yet detected by SEP (it does happen):

    1) Raise a log with Support for assistance; they will probably ask you to get SEP Support Tool logs first, etc.

    2)

    - Use a reliable third-party AV/AM product and scan 1 infected machine for the source file, e.g. Malwarebytes, Hitman Pro

    - Once you have the source file, upload it to virustotal.com and Symantec threat submission


    Hope this helps