Endpoint Protection


W32.Downadup.B: How could you find the source if there are 1k+ infected?

Migration User, Mar 29, 2010 01:38 PM

  • 1.  W32.Downadup.B: How could you find the source if there are 1k+ infected?

    Posted Mar 11, 2010 10:34 PM
    Hi Team,

    How do you find the source of W32.Downadup.B in a Network of more than 1000 computers?

    thanks...


  • 2.  RE: W32.Downadup.B: How could you find the source if there are 1k+ infected?

    Posted Mar 11, 2010 10:39 PM
    Hi Team,

    Just for starters, the W32.Downadup.B virus infects just a small part of our network but has locked up many login accounts. As in, many... This is because it tries to log in to as many login accounts in the office as it can... The good thing is that at 3 misses the account will no longer take retries, but the bad thing is that the account is locked.


  • 3.  RE: W32.Downadup.B: How could you find the source if there are 1k+ infected?

    Posted Mar 11, 2010 11:38 PM
    I used the risk log in SEPM to track it down. It will show the source. In my case, Conficker brute forced a domain admins password and tried to propagate using those credentials. When I saw the credentials being used on numerous machines, I knew that was the problem. Once the password was changed, the problem went away.


  • 4.  RE: W32.Downadup.B: How could you find the source if there are 1k+ infected?

    Posted Mar 11, 2010 11:49 PM
    But for ours... the accounts keep on being locked... because the virus again tries to log in to them... How did you use SEPM? When did you see that it was the source? The first one?


  • 5.  RE: W32.Downadup.B: How could you find the source if there are 1k+ infected?



  • 6.  RE: W32.Downadup.B: How could you find the source if there are 1k+ infected?

    Posted Mar 12, 2010 12:22 AM
    Run ComboFix and try to remove it permanently.

    http://www.combofix.org/download.php


  • 7.  RE: W32.Downadup.B: How could you find the source if there are 1k+ infected?

    Posted Mar 12, 2010 01:20 AM

    W32.Downadup is a worm that spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability, so applying the Microsoft patches is mandatory.

    Patches for Downadup (1 for RPC and another for IE)
    http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
    http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx

    This virus copies itself into the Recycle Bin and uses scheduled jobs and the autorun function to load its content into memory and infect the system. It also changes the registry, disabling the "show hidden files" function, so the operating system itself is unable to show this file to the administrator and our antivirus is unable to detect the file.

    How to proceed after applying the patches

    1. Disable autorun (Reference: Microsoft KB)
    http://support.microsoft.com/kb/953252

    2. Temporarily Disable the "Server" and "Computer Browser" services (if possible)
    Disabling the Computer Browser and Server service on the affected systems will help protect systems from remote attempts to exploit this vulnerability.

    3. Temporarily Disable the "Task Scheduler" service
    Disabling the "Task Scheduler" will help protect systems from local attempts to use scheduled tasks to copy infected files all over the network.

    4. Disconnect the network drives/shares (Admin$ and C$)

    Then install the latest available definitions from Symantec and run a full system scan on all the machines on the network to resolve the issue.



  • 8.  RE: W32.Downadup.B: How could you find the source if there are 1k+ infected?

    Posted Mar 12, 2010 02:30 AM
    If you have a corporate firewall, the sources can be traced from there as well, as the sources try to connect to the firewall a lot.

    You can also use the program "EventComb" to track down from which computer the accounts are locked.
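
The lockout-tracing step described in this post, as an added example that is not part of the original thread: it takes an EventComb-style CSV export of the domain controllers' Security logs (constructed sample below, column names assumed), keeps only the 'account locked out' events (644 on Windows 2000/2003, 4740 on Windows 2008 and later; both carry the caller machine name), and ranks the caller machines. The machine that locks the most accounts, and the one that did it first, are the leads to chase.

```python
"""
Trace account lockouts back to the workstation that caused them, the way
EventComb is used in this thread: collect the 'user account locked out'
events from the domain controllers' Security logs and group them by the
caller machine recorded in each event.

Added example, not part of the original thread. It reads a CSV export
(constructed sample below, with assumed column names); on a real domain
controller the same fields come from Security event 644 (Windows 2000/2003,
"Caller Machine Name") or 4740 (Windows 2008 and later, "Caller Computer
Name"). Failed-logon events such as 529 are deliberately ignored here.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export: one row per Security event, oldest first.
SAMPLE_EXPORT = """\
EventID,Time,DC,TargetAccount,CallerMachine
644,2010-03-11 22:10:03,DC01,jsmith,WS-FINANCE-12
644,2010-03-11 22:10:09,DC01,mlee,WS-FINANCE-12
4740,2010-03-11 22:10:15,DC02,Administrator,WS-FINANCE-12
529,2010-03-11 22:10:16,DC02,jsmith,WS-HR-03
644,2010-03-11 22:11:40,DC01,pgarcia,WS-HR-03
644,2010-03-11 22:12:02,DC02,rwong,WS-FINANCE-12
"""

LOCKOUT_EVENT_IDS = {"644", "4740"}


def parse_lockouts(export_text):
    """Return (caller_machine, target_account, time) for lockout events only."""
    reader = csv.DictReader(io.StringIO(export_text))
    return [
        (row["CallerMachine"].upper(), row["TargetAccount"].lower(), row["Time"])
        for row in reader
        if row["EventID"] in LOCKOUT_EVENT_IDS
    ]


def rank_lockout_sources(lockouts):
    """Lockouts per caller machine, most active first: the worm's host tops the list."""
    return Counter(machine for machine, _, _ in lockouts).most_common()


def accounts_locked_by(lockouts):
    """Caller machine -> sorted list of accounts it locked (reset these first)."""
    by_machine = defaultdict(set)
    for machine, account, _ in lockouts:
        by_machine[machine].add(account)
    return {machine: sorted(accts) for machine, accts in by_machine.items()}


def first_seen(lockouts):
    """(machine, earliest lockout time) ordered by time; the first entry is the best
    lead on where the outbreak started. Times are ISO-style strings, so they sort."""
    earliest = {}
    for machine, _, when in lockouts:
        if machine not in earliest or when < earliest[machine]:
            earliest[machine] = when
    return sorted(earliest.items(), key=lambda item: item[1])


if __name__ == "__main__":
    lockouts = parse_lockouts(SAMPLE_EXPORT)
    locked = accounts_locked_by(lockouts)
    for machine, count in rank_lockout_sources(lockouts):
        print(f"{machine}: {count} lockouts -> {', '.join(locked[machine])}")
    print("earliest:", first_seen(lockouts)[0])
```

Run it against the export from every domain controller together, not one DC at a time: with more than one DC the lockouts for a single attacking workstation are spread across all of them, and the ranking is only meaningful on the merged set.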


  • 9.  RE: W32.Downadup.B: How could you find the source if there are 1k+ infected?

    Posted Mar 17, 2010 10:02 PM

    Yes, I do have Risk Tracer on. And yes, I had to do some backtracking through the logs to see when it all started, plus I have a good amount of notifications set up to warn me of outbreaks, etc. Then I was able to see in the risk log what the source username/PC it was coming from was. Because it was only 1 network account trying to propagate, I had them change their password as well as run the Conficker removal tool.


  • 10.  RE: W32.Downadup.B: How could you find the source if there are 1k+ infected?

    Trusted Advisor
    Posted Mar 17, 2010 10:16 PM


  • 11.  RE: W32.Downadup.B: How could you find the source if there are 1k+ infected?

    Trusted Advisor
    Posted Mar 17, 2010 10:31 PM
    Hello,

    In case we don't have Network Threat Protection installed on the machines, we could try NMAP (http://insecure.org/).


    NOTE: NMAP is not supported by Symantec. However, it has proved to be effective.





  • 12.  RE: W32.Downadup.B: How could you find the source if there are 1k+ infected?

    Posted Mar 18, 2010 12:58 AM
    hi dvdmeer,

    Do you have a link where I could get EventComb?
    Many thanks.


  • 13.  RE: W32.Downadup.B: How could you find the source if there are 1k+ infected?

    Posted Mar 18, 2010 01:00 AM
    HI Brian81,

    How do you use Risk Tracer?
    Could you possibly give me a link where I could download it?
    Does it really get who the source is, and will I need to install this only on my PC or on all computers?

    Thanks. 
     


  • 14.  RE: W32.Downadup.B: How could you find the source if there are 1k+ infected?

    Posted Mar 18, 2010 01:04 AM
    Hi Mithun,

    How does NMAP work?
    Do I need to install this on all machines?
    I will check on the other links provided by the others also,
    but I sure need this to give me breathing room.
    Viruses are getting too big to get attention from the IT leaders here.
    Thanks.
     
     


  • 15.  RE: W32.Downadup.B: How could you find the source if there are 1k+ infected?

    Trusted Advisor
    Posted Mar 18, 2010 02:26 AM

    Hello Nel,

    Please check the link provided above; it would explain everything regarding Risk Tracer and NMAP.






  • 17.  RE: W32.Downadup.B: How could you find the source if there are 1k+ infected?

    Trusted Advisor
    Posted Mar 18, 2010 02:29 AM

    In addition to this, check the following link:

    Best Practice for Downadup.B and Additional information on the same.

    https://www-secure.symantec.com/connect/articles/best-practice-downadupb-and-additional-information-same

     



  • 18.  RE: W32.Downadup.B: How could you find the source if there are 1k+ infected?

    Posted Mar 18, 2010 12:17 PM
    First, make sure it's enabled:



    Then navigate to:



    Now mind you, I had to do some backtracking through the logs to see when the first attacks started. Once you find it, highlight the line and select "Details".



    The details page will come up and show you the source of the attacks:




  • 19.  RE: W32.Downadup.B: How could you find the source if there are 1k+ infected?

    Posted Mar 29, 2010 12:48 PM
    Thanks all for the kind feedback...
    We shall check this... 


  • 20.  RE: W32.Downadup.B: How could you find the source if there are 1k+ infected?

    Posted Mar 29, 2010 01:38 PM
    Is NMAP compliant over SAV 10.1?


  • 21.  RE: W32.Downadup.B: How could you find the source if there are 1k+ infected?

    Posted Apr 23, 2010 05:31 AM
    NMAP is a different software, it only checks for open ports and does not conflict with Symantec security products.
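
The NMAP approach raised in posts 11 and 14 and answered here, as an added example that is not from the thread or from the Nmap project: Nmap's smb-check-vulns NSE script (present from Nmap 4.85BETA5 onward) probes TCP 139/445 from a single admin host, nothing is installed on the scanned machines, and its output says per host whether MS08-067 is unpatched and whether the machine looks Conficker-infected. The script below parses the XML that `nmap -oX` writes; SAMPLE_XML is a constructed, trimmed imitation of that output, and the scan command in the docstring is the assumed invocation.

```python
"""
Sweep a subnet with Nmap's smb-check-vulns NSE script and list the hosts it
flags as Conficker-infected, as suggested in the thread for networks without
Network Threat Protection. Nmap runs from one admin host; nothing is installed
on the scanned machines, and it only talks to TCP 139/445.

Added example, not from the thread or from the Nmap project. SAMPLE_XML is a
constructed, trimmed imitation of `nmap -oX` output. Assumed scan command
(Nmap 4.85BETA5 or later, where the script exists):

    nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns \
         --script-args safe=1 -oX sweep.xml 192.168.0.0/24
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -PN -T4 -p139,445 -n --script=smb-check-vulns --script-args safe=1 -oX sweep.xml 192.168.0.0/24">
  <host><status state="up"/><address addr="192.168.0.17" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
    <hostscript><script id="smb-check-vulns" output="&#10;  MS08-067: VULNERABLE&#10;  Conficker: Likely INFECTED&#10;  regsvc DoS: NOT VULNERABLE"/></hostscript>
  </host>
  <host><status state="up"/><address addr="192.168.0.18" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
    <hostscript><script id="smb-check-vulns" output="&#10;  MS08-067: NOT VULNERABLE&#10;  Conficker: Likely CLEAN&#10;  regsvc DoS: NOT VULNERABLE"/></hostscript>
  </host>
  <host><status state="up"/><address addr="192.168.0.19" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
    <hostscript><script id="smb-check-vulns" output="&#10;  MS08-067: VULNERABLE&#10;  Conficker: Likely CLEAN&#10;  regsvc DoS: NOT VULNERABLE"/></hostscript>
  </host>
  <host><status state="up"/><address addr="192.168.0.40" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="filtered"/></port></ports>
  </host>
</nmaprun>
"""

# Each line of the script output looks like "  <check>: <verdict>".
CHECK_LINE = re.compile(r"^\s*([^:]+):\s*(.+?)\s*$")


def parse_smb_check_vulns(xml_text):
    """Return {ip: {check_name_lowercase: verdict}} for hosts that produced script output.
    Hosts that never answered on 445 (filtered, down) are absent, not 'clean'."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        script = host.find("hostscript/script[@id='smb-check-vulns']")
        if addr is None or script is None:
            continue
        findings = {}
        for line in script.get("output", "").splitlines():
            m = CHECK_LINE.match(line)
            if m:
                findings[m.group(1).strip().lower()] = m.group(2)
        results[addr.get("addr")] = findings
    return results


def triage(results):
    """Split scanned hosts into (likely infected, unpatched-but-clean).
    The Conficker check is a heuristic and 'Likely CLEAN' does not prove a host is
    patched, which is why the MS08-067 verdict is reported separately."""
    infected = sorted(ip for ip, f in results.items()
                      if f.get("conficker", "").endswith("INFECTED"))
    unpatched = sorted(ip for ip, f in results.items()
                       if f.get("ms08-067") == "VULNERABLE" and ip not in infected)
    return infected, unpatched


if __name__ == "__main__":
    infected, unpatched = triage(parse_smb_check_vulns(SAMPLE_XML))
    print("likely infected:", infected)
    print("unpatched for MS08-067:", unpatched)
```

Two caveats a practitioner would want: `safe=1` keeps the script to the non-crashing checks, so leave it on against production hosts, and a host whose 445 is filtered (192.168.0.40 above) yields no verdict at all, so "absent from the infected list" is not the same as "clean".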


  • 22.  RE: W32.Downadup.B: How could you find the source if there are 1k+ infected?

    Posted Apr 23, 2010 06:28 AM

    Install NTP on all the PCs.
    Do not use weak passwords.
    Do not keep open sharing.
    Export NTP logs and check for event description: [SID: 23179] MSRPC Server Service BO detected.  Traffic has been blocked from this application: C:\WINDOWS\system32\ntoskrnl.exe
    Check the Remote IP PC.
    Log in to that attacker PC, go to C:\windows\system32 and search for hidden .dll files.
    Note: there should not be any hidden .dll file.
    Use the FixDownadup remover and scan the PC; this will remove the Downadup.B virus.

    Regards...
    Ramji Iyyer
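
The NTP log step in the post above, as an added example that is not part of the thread: it reads an exported SEP Network Threat Protection attack log, keeps the "[SID: 23179] MSRPC Server Service BO detected" events, and ranks the Remote IPs behind them by how many hosts each one attacked, with a timeline of when each attacker first appeared. SAMPLE_NTP_LOG is a constructed, simplified CSV; the column names (Time, Host Name, Local IP, Remote IP, Event Description) are assumed and should be mapped to whatever your SEPM export actually uses.

```python
"""
Pull attacker addresses out of an exported SEP Network Threat Protection (NTP)
attack log, following the last post: every "[SID: 23179] MSRPC Server Service
BO detected" event names the Remote IP that fired the MS08-067 exploit at the
reporting host, so the Remote IPs behind those events are the machines to go
and look at.

Added example, not part of the thread. SAMPLE_NTP_LOG is a constructed,
simplified CSV; a real SEPM export has more columns, so map Time, Host Name,
Remote IP and Event Description to the names your export uses. On DHCP
networks, resolve each Remote IP to a host using the lease that was active at
the event time, not today's lease.
"""
import csv
import io
import re
from collections import defaultdict

MSRPC_BO_SID = "23179"
SID_RE = re.compile(r"\[SID:\s*(\d+)\]")

# Event text exactly as quoted in the thread (no commas, so it is CSV-safe).
MSRPC_BO = ("[SID: 23179] MSRPC Server Service BO detected.  Traffic has been "
            "blocked from this application: C:\\WINDOWS\\system32\\ntoskrnl.exe")

# Constructed sample export, oldest row first.
SAMPLE_NTP_LOG = "\n".join([
    "Time,Host Name,Local IP,Remote IP,Event Description",
    f"2010-03-11 22:05:11,WS-ACCT-07,10.1.4.21,10.1.4.88,{MSRPC_BO}",
    f"2010-03-11 22:05:13,WS-ACCT-09,10.1.4.23,10.1.4.88,{MSRPC_BO}",
    "2010-03-11 22:05:20,WS-ACCT-07,10.1.4.21,10.1.4.88,Constructed placeholder event without a signature ID",
    f"2010-03-11 22:06:02,WS-HR-03,10.1.5.10,10.1.4.88,{MSRPC_BO}",
    f"2010-03-11 22:07:45,WS-HR-05,10.1.5.12,10.1.5.10,{MSRPC_BO}",
]) + "\n"


def parse_ntp_events(csv_text):
    """One dict per log row; 'sid' is the numeric signature ID or None."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        m = SID_RE.search(row["Event Description"])
        events.append({
            "time": row["Time"],
            "host": row["Host Name"],
            "remote_ip": row["Remote IP"],
            "sid": m.group(1) if m else None,
        })
    return events


def rank_attackers(events, sid=MSRPC_BO_SID):
    """[(remote_ip, number of distinct hosts hit, sorted hosts)] for signature `sid`,
    widest spread first. These are the 'attacker PCs' to inspect and clean."""
    targets = defaultdict(set)
    for e in events:
        if e["sid"] == sid:
            targets[e["remote_ip"]].add(e["host"])
    return sorted(((ip, len(hosts), sorted(hosts)) for ip, hosts in targets.items()),
                  key=lambda t: (-t[1], t[0]))


def attack_timeline(events, sid=MSRPC_BO_SID):
    """(remote_ip, first time it attacked) in time order. The earliest attacker is
    the best lead on the source. A machine that first appears as a target and
    later as an attacker (10.1.5.10 in the sample) was infected by another route,
    such as shares or autorun, and belongs on the cleanup list as well."""
    first = {}
    for e in events:
        ip = e["remote_ip"]
        if e["sid"] == sid and (ip not in first or e["time"] < first[ip]):
            first[ip] = e["time"]
    return sorted(first.items(), key=lambda item: item[1])


if __name__ == "__main__":
    events = parse_ntp_events(SAMPLE_NTP_LOG)
    for ip, count, hosts in rank_attackers(events):
        print(f"{ip}: hit {count} host(s): {', '.join(hosts)}")
    for ip, when in attack_timeline(events):
        print(f"{when}  first attack from {ip}")
```

Because NTP logs the event on the machine that was attacked, an attacker that only ever hits hosts without NTP installed never shows up here; that is the gap the earlier suggestions (lockout events on the domain controllers, an NMAP sweep) cover from the other side.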