
Some users on our network were infected recently with the AntiVirus Pro 2010 virus. The users disabled the anti-virus to install an application, which resulted in AntiVirus Pro being installed on the systems (we're unable to get a straight story as to where or why they tried installing this application).

The virus was removed by using BackTrack 4 to edit registry settings and delete the infected file. We then enabled the anti-virus (Avast) and ran a full virus scan, which returned zero results. We then attempted to use the auto-update functionality of the anti-virus, which resulted in a "Connection Failed" message.

Upon testing connectivity using PING and other tools that utilize ICMP, we were able to verify connectivity to servers within our LAN and WAN (and DNS lookups). However, when attempting to connect to any website (via DNS or IP) within our LAN or WAN, we received a "Connection Timed Out". Additionally, an FTP connection is possible, as well as the majority of other protocols. The system hosts file (C:\WINDOWS\system32\drivers\etc\hosts) has been checked and contains no irregular entries. It seems that specifically port 80 traffic is being blocked; we believe it's remnants of the virus.

Are there any suggestions that would resolve this issue? We have searched extensively and used all tools that are available specifically to remove this virus. We have even tried to find a full list of modifications that the virus makes, and have one of our developers running a simulation in an emulated environment to attempt to come up with this list.

  • Not a solution to your problem, but please consider removing administrative rights from your regular users (or at least from the ones who installed this junk). – pauska Nov 29 '09 at 12:36
  • The user who actually caused the infection and convinced others to do so was a member of the IT department; he has since been let go, and our IT procedures have been modified to prevent this from happening again. We have also restored users' credentials to their regular values (he elevated all users to administrators during this incident). – Zyris Technology Team Nov 29 '09 at 12:42
  • Not to add to your pain, but saying that your IT procedures have been modified to prevent this from happening again may make you feel all warm and fuzzy, but what's to stop someone from doing something like this again? Have you implemented technical restrictions to prevent this type of occurrence, or have you simply implemented or amended your AUP? – joeqwerty Nov 29 '09 at 13:00
  • We have adjusted permissions to require that all account administration tasks, and enterprise-level access, are handled by a single individual who has been with the company for several years, so the risk of this happening again is very low. Access is being issued to resources on a need basis, and credentials are removed after the work is done. Thank you for your suggestion. – Zyris Technology Team Nov 30 '09 at 04:18

2 Answers


The only solution to any compromised system is a wipe and reload. It's not your system anymore, regardless of what scans are made.

Oskar Duveborn
  • We are currently running a check against users last backups to verify that there were no additional services/applications installed. If we find anything we will be doing what you suggest. – Zyris Technology Team Nov 29 '09 at 12:45
  • Sadly, if the machine got infected, you're lucky to have detected parts of it at all. Normally it's undetectable, hiding below the level where a system scan would reveal anything; you have absolutely no idea what else is on a compromised system, nor can you guarantee finding out. – Oskar Duveborn Nov 29 '09 at 15:28
  • Currently we are using the BackTrack security distribution to do file system checks and are flagging all files that are modified. In the event of any binary system files being modified that system will undergo a full re-image as per your suggestion. – Zyris Technology Team Nov 30 '09 at 04:20
  • Awesome. Though, does this BackTrack use the system itself to do the file checking? Because rootkits are known to modify the system on such a low level, that querying the file system will return fake data... ^^ – Oskar Duveborn Nov 30 '09 at 10:51

The solution has been found: it seems that the IT technician who did the checks forgot to check whether proxy settings were enabled.
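The symptom described in the question (ICMP, DNS and FTP work, but every HTTP connection times out) and the resolution in this answer (a leftover proxy setting) point at the same check. Ping and a command-line FTP client talk straight to the network, while browsers and the Avast updater go through WinINET and therefore honour whatever proxy or PAC URL is configured there; a rogue proxy that no longer exists produces exactly a "connection timed out" on port 80 and nothing else. The script below is an added triage example, not code from the thread: it dumps the per-user and machine-policy WinINET proxy values, the separate WinHTTP proxy used by services, and then opens a raw TCP socket to port 80 and 21 so the proxy layer is bypassed. The host name in `$ProbeHost` is a placeholder you should replace with a web server you know is reachable.

```powershell
# Added example: triage of "only port 80 is blocked" on a cleaned Windows host.
# Registry paths are the standard WinINET locations; $ProbeHost is an assumption.
param(
    [string]$ProbeHost = 'example.com',   # assumption: replace with a known-good web server
    [int]$TimeoutMs    = 5000
)

$wininet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$policy  = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

Write-Host '== WinINET proxy settings (used by browsers and most updaters) =='
$p = Get-ItemProperty -Path $wininet -ErrorAction SilentlyContinue
foreach ($name in 'ProxyEnable', 'ProxyServer', 'ProxyOverride', 'AutoConfigURL') {
    $val = $p.$name
    if ($null -ne $val -and "$val" -ne '') {
        Write-Host ("  {0,-14} {1}" -f $name, $val)
    }
}
if ($p.ProxyEnable -eq 1 -or $p.AutoConfigURL) {
    Write-Warning 'A proxy or PAC file is configured: HTTP goes through it even though ping/FTP work.'
}

# Machine-wide policy can force settings regardless of what the user's hive says.
if (Test-Path $policy) {
    Write-Host '== Machine policy overrides =='
    Get-ItemProperty -Path $policy |
        Format-List ProxySettingsPerUser, ProxyEnable, ProxyServer, AutoConfigURL
}

Write-Host '== WinHTTP proxy (used by services such as Windows Update) =='
netsh winhttp show proxy

Write-Host '== Raw TCP probe, bypassing any proxy =='
foreach ($port in 80, 21) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ProbeHost, $port, $null, $null)
        if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $client.EndConnect($ar)
            Write-Host ("  {0}:{1} open" -f $ProbeHost, $port)
        } else {
            Write-Host ("  {0}:{1} timed out" -f $ProbeHost, $port)
        }
    } catch {
        Write-Host ("  {0}:{1} failed: {2}" -f $ProbeHost, $port, $_.Exception.Message)
    } finally {
        $client.Close()
    }
}
```

If the raw probe reports port 80 open while the browser still times out, the block is in the proxy layer and not on the network: set `ProxyEnable` to 0 and remove `ProxyServer` and `AutoConfigURL` under the WinINET key (`Set-ItemProperty` / `Remove-ItemProperty`), and run `netsh winhttp reset proxy` for the service-side setting. Two caveats: WinINET also keeps a binary copy of the proxy configuration per connection under `Internet Settings\Connections` (`DefaultConnectionSettings`, plus one entry per dial-up or VPN connection), which Internet Options rewrites when you toggle the setting in the GUI, and a check like this only tells you what the configuration says now, which is the point the first answer makes: on a machine that was rooted, the configuration you read back is only as trustworthy as the system that returned it.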