Malware threat

Two of the sites that I support have been attacked by the same advanced malware in the past few weeks. What it appears to do:

1) Comes in through the web, most likely a Java exploit.
2) Once it has infected one PC, it exploits the thumbs.db file in open network shares to spread further.
3) Once it infects open network shares, it deletes the thumbs.db and sys files with infected Trojan files.
4) It hides all files and folders on the network share and creates .lnk files in their place with exactly the same name and the weirdest shortcut targets, like "cmd /c cscript hjkhdbh.dki cmd thumbs.db hjklhtjkwq.di".

We have Sophos Endpoint installed; it detected the client infection but could not clean it. The first thing I did was remove all network shares with "Everyone" permissions and replace them with Authenticated Users. I unshared all infected shares, removed all infected data and fixed them. At the same time I removed the infected client machine from the network, deleted the user's network profile and gave them a new PC. I think I have cleared it all now, but this really has the hallmarks of a targeted attack that has created multiple rootkits all over the network. Hopefully it is not in any printers. It went straight for the accounts-related machines and embedded itself. We have a mapped drive that converts Word docs to PDF: you just copy a Word doc in there and it converts it to PDF. Well, I found the infected files in this share, so potentially every user that browsed to that mapped drive has done a reverse TCP out to his box in (China?).

Not a very good episode. Lesson: remove all "Everyone" writeable shares on the network. But now this PDF share seems to be a security risk... I am making a new build with Office 2010 and will not put Java in it; it will be added on request and removed afterwards.

Just found this:

You could try this policy setting:

Turns off the caching of thumbnails in hidden thumbs.db files.

This policy setting allows you to configure Windows Explorer to cache thumbnails of items residing in network folders in hidden thumbs.db files.

If you enable this policy setting, Windows Explorer does not create, read from, or write to thumbs.db files.

If you disable or do not configure this policy setting, Windows Explorer creates, reads from, and writes to thumbs.db files.


You'll find it under Windows Components\Windows Explorer in Group Policy.

http://social.technet.microsoft.com.../thread/fbc49141-96b3-4350-870a-5b74dcf59c20/
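The decoy pattern described in the post above (hidden originals with a same-named .lnk beside them whose shortcut runs cmd /c cscript ... thumbs.db) can be enumerated across a share with the following PowerShell. This is an added example, not code from the thread or from Sophos; the share path is an assumed parameter and the report location is a constructed default.

```powershell
# Added example (not from the thread): report shortcuts on a share that match the
# decoy pattern described above. Detection and reporting only; nothing is modified.
param(
    [Parameter(Mandatory = $true)][string]$SharePath,      # assumed, e.g. \\server\pdfconvert
    [string]$ReportCsv = "$env:TEMP\lnk-decoys.csv"        # constructed default output path
)

$shell    = New-Object -ComObject WScript.Shell
$findings = @()

# Walk every .lnk on the share; -Force also descends into folders the malware hid
Get-ChildItem -Path $SharePath -Recurse -Force -Filter *.lnk -File -ErrorAction SilentlyContinue |
ForEach-Object {
    $lnk      = $_
    $baseName = [System.IO.Path]::GetFileNameWithoutExtension($lnk.Name)   # "Docs.lnk" -> "Docs"

    # Hallmark 1: a hidden file or folder with exactly the same name sits next to the shortcut
    $twin = Get-ChildItem -Path $lnk.DirectoryName -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq $baseName -and ($_.Attributes -band [IO.FileAttributes]::Hidden) }

    # Hallmark 2: the shortcut launches cmd/cscript and references thumbs.db
    try {
        $sc      = $shell.CreateShortcut($lnk.FullName)
        $target  = $sc.TargetPath
        $lnkArgs = $sc.Arguments
    } catch {
        $target  = '<unreadable>'
        $lnkArgs = ''
    }
    $suspiciousTarget = ($target -match 'cmd(\.exe)?$') -or
                        ($lnkArgs -match 'cscript') -or
                        ($lnkArgs -match 'thumbs\.db')

    if ($twin -or $suspiciousTarget) {
        $findings += [pscustomobject]@{
            Shortcut         = $lnk.FullName
            HiddenTwin       = if ($twin) { $twin.FullName } else { '' }
            Target           = $target
            Arguments        = $lnkArgs
            SuspiciousTarget = $suspiciousTarget
        }
    }
}

$findings | Export-Csv -Path $ReportCsv -NoTypeInformation
Write-Host ("{0} suspicious shortcut(s) written to {1}" -f $findings.Count, $ReportCsv)
```

Run it from an account with read access to the share before cleaning, so the CSV doubles as a record of which folders were touched and which users' mapped drives were exposed.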
There was a thread in the Windows section about this. http://forums.overclockers.co.uk/showthread.php?p=22588292

The machines get infected because lazy sysadmins don't patch Java.

Targeted? I doubt it.

I've been involved cleaning up a site with this infection.

We'd have loved to patch Java but the main LOB application is Java-based and the developers are well behind on what Java versions they support.
 
Is the firewall/IDS/proxy/whatever capable of whitelisting .jar downloads?
 
I removed all Java from my home and unit machines as it just is not required. I do not miss it, clearly I never have any use for it. Completely stopped all the "Locked by PC Plod in fancy dress" things that used to appear.
 