Endpoint Protection

  • 1.  Rogue DHCP server problem

    Posted Jun 22, 2011 04:40 PM

    I have a very strange problem that has me stumped. I have been trained and am very good with virus removal. I have strong knowledge and understanding of many different tools.

    The problem at hand is a laptop on our system that was recently infected with one of the new Rogue Windows Security 2011 variants. Using a series of tools (TDSSKiller, Malwarebytes, Autoruns, Process Explorer, RootRepeal and HiJack This), the system appears to be clean. However, when I put this laptop back on the network, all users that are using DHCP get redirected to a red police icon "web browser not supported" message.

    IPCONFIG /all shows 10.10.10.121 as the DHCP server, when our DHCP server's address is 10.10.10.252.


    The 10.10.10.121 belongs to the laptop that was infected. So I go on to run the DHCP Finder tool, and it shows a rogue DHCP server at 10.10.10.121. If I take the laptop off the network, everything works as it should. No users have problems.

    What I don't get is, when I bring the laptop back to my office with IP 10.10.1.x, the laptop works fine. It picks up a valid address from our DHCP server here and everyone else connects fine. No rogue DHCP servers found?

    What am I missing?

    I'd also like to add that since adding it to the network here, the Client Management logs are clean; nothing is logged. But the following are from when it was plugged into the network at the other office:

    573 6/21/2011 1:25:26 PM Intrusion Prevention Critical Outgoing TCP 10.10.10.25 00-00-00-00-00-00 10.10.10.121 00-26-2D-FC-FC-7C C:\WINDOWS\system32\ntoskrnl.exe Guy REMAX Default 1 6/21/2011 1:24:24 PM 6/21/2011 1:24:24 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.
     
    574 6/21/2011 1:25:48 PM Intrusion Prevention Critical Outgoing TCP 10.10.10.26 00-00-00-00-00-00 10.10.10.121 00-26-2D-FC-FC-7C C:\WINDOWS\system32\ntoskrnl.exe Guy REMAX Default 1 6/21/2011 1:24:46 PM 6/21/2011 1:24:46 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.
     
    575 6/21/2011 1:26:49 PM Intrusion Prevention Critical Outgoing TCP 10.10.10.72 00-00-00-00-00-00 10.10.10.121 00-26-2D-FC-FC-7C C:\WINDOWS\system32\ntoskrnl.exe Guy REMAX Default 1 6/21/2011 1:25:48 PM 6/21/2011 1:25:48 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.
     
    576 6/21/2011 1:28:35 PM Intrusion Prevention Critical Outgoing TCP 10.10.10.127 00-00-00-00-00-00 10.10.10.121 00-26-2D-FC-FC-7C C:\WINDOWS\system32\ntoskrnl.exe Guy REMAX Default 1 6/21/2011 1:27:34 PM 6/21/2011 1:27:34 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.
     
    577 6/21/2011 1:55:27 PM Intrusion Prevention Critical Outgoing TCP 10.10.10.25 00-00-00-00-00-00 10.10.10.121 00-26-2D-FC-FC-7C C:\WINDOWS\system32\ntoskrnl.exe Guy REMAX Default 1 6/21/2011 1:54:24 PM 6/21/2011 1:54:24 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.
     
    578 6/21/2011 1:55:50 PM Intrusion Prevention Critical Outgoing TCP 10.10.10.26 00-00-00-00-00-00 10.10.10.121 00-26-2D-FC-FC-7C C:\WINDOWS\system32\ntoskrnl.exe Guy REMAX Default 1 6/21/2011 1:54:46 PM 6/21/2011 1:54:46 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.
     
    579 6/21/2011 1:56:51 PM Intrusion Prevention Critical Outgoing TCP 10.10.10.72 00-00-00-00-00-00 10.10.10.121 00-26-2D-FC-FC-7C C:\WINDOWS\system32\ntoskrnl.exe Guy REMAX Default 1 6/21/2011 1:55:49 PM 6/21/2011 1:55:49 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.
     
    580 6/21/2011 1:58:37 PM Intrusion Prevention Critical Outgoing TCP 10.10.10.127 00-00-00-00-00-00 10.10.10.121 00-26-2D-FC-FC-7C C:\WINDOWS\system32\ntoskrnl.exe Guy REMAX Default 1 6/21/2011 1:57:34 PM 6/21/2011 1:57:34 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.
     
    581 6/22/2011 1:16:34 PM Intrusion Prevention Critical Outgoing TCP 10.10.10.25 00-00-00-00-00-00 10.10.10.81 00-26-2D-FC-FC-7C Guy REMAX Default 1 6/22/2011 1:15:28 PM 6/22/2011 1:15:28 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.
     
    582 6/22/2011 1:17:57 PM Intrusion Prevention Critical Outgoing TCP 10.10.10.72 00-00-00-00-00-00 10.10.10.81 00-26-2D-FC-FC-7C Guy REMAX Default 1 6/22/2011 1:16:52 PM 6/22/2011 1:16:52 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.
     
    583 6/22/2011 1:18:59 PM Intrusion Prevention Critical Outgoing TCP 10.10.10.105 00-00-00-00-00-00 10.10.10.81 00-26-2D-FC-FC-7C C:\WINDOWS\system32\ntoskrnl.exe Guy REMAX Default 1 6/22/2011 1:17:56 PM 6/22/2011 1:17:56 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.
     
    584 6/22/2011 1:19:38 PM Intrusion Prevention Critical Outgoing TCP 10.10.10.127 00-00-00-00-00-00 10.10.10.81 00-26-2D-FC-FC-7C C:\WINDOWS\system32\ntoskrnl.exe Guy REMAX Default 1 6/22/2011 1:18:37 PM 6/22/2011 1:18:37 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.
     
    585 6/22/2011 1:46:34 PM Intrusion Prevention Critical Outgoing TCP 10.10.10.25 00-00-00-00-00-00 10.10.10.81 00-26-2D-FC-FC-7C Guy REMAX Default 1 6/22/2011 1:45:30 PM 6/22/2011 1:45:30 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.
     
    586 6/22/2011 1:47:58 PM Intrusion Prevention Critical Outgoing TCP 10.10.10.72 00-00-00-00-00-00 10.10.10.81 00-26-2D-FC-FC-7C Guy REMAX Default 1 6/22/2011 1:46:54 PM 6/22/2011 1:46:54 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.
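
    Added example, not from the original post and not a Symantec tool: a Python triage script run over the fourteen Intrusion Prevention log lines quoted above. It assumes the column order of a SEP client Attacks log export (event number, time, type, severity, direction, protocol, remote IP, remote MAC, local IP, local MAC, then the optional application path and the remaining fields) and keys on the local MAC rather than the local IP, since the same adapter (00-26-2D-FC-FC-7C) appears as 10.10.10.121 on 6/21 and 10.10.10.81 on 6/22. The function names and the three-target threshold are my own choices.

```python
import re
from collections import defaultdict

# Input: the 14 SEP client Intrusion Prevention log lines quoted in the post
# above, indentation stripped. Assumed column order (SEP Attacks log export):
# event#, time, type, severity, direction, protocol, remote IP, remote MAC,
# local IP, local MAC, [application], user, domain, location, occurrences,
# begin, end, description.
IPS_LOG = r"""
573 6/21/2011 1:25:26 PM Intrusion Prevention Critical Outgoing TCP 10.10.10.25 00-00-00-00-00-00 10.10.10.121 00-26-2D-FC-FC-7C C:\WINDOWS\system32\ntoskrnl.exe Guy REMAX Default 1 6/21/2011 1:24:24 PM 6/21/2011 1:24:24 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.
574 6/21/2011 1:25:48 PM Intrusion Prevention Critical Outgoing TCP 10.10.10.26 00-00-00-00-00-00 10.10.10.121 00-26-2D-FC-FC-7C C:\WINDOWS\system32\ntoskrnl.exe Guy REMAX Default 1 6/21/2011 1:24:46 PM 6/21/2011 1:24:46 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.
575 6/21/2011 1:26:49 PM Intrusion Prevention Critical Outgoing TCP 10.10.10.72 00-00-00-00-00-00 10.10.10.121 00-26-2D-FC-FC-7C C:\WINDOWS\system32\ntoskrnl.exe Guy REMAX Default 1 6/21/2011 1:25:48 PM 6/21/2011 1:25:48 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.
576 6/21/2011 1:28:35 PM Intrusion Prevention Critical Outgoing TCP 10.10.10.127 00-00-00-00-00-00 10.10.10.121 00-26-2D-FC-FC-7C C:\WINDOWS\system32\ntoskrnl.exe Guy REMAX Default 1 6/21/2011 1:27:34 PM 6/21/2011 1:27:34 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.
577 6/21/2011 1:55:27 PM Intrusion Prevention Critical Outgoing TCP 10.10.10.25 00-00-00-00-00-00 10.10.10.121 00-26-2D-FC-FC-7C C:\WINDOWS\system32\ntoskrnl.exe Guy REMAX Default 1 6/21/2011 1:54:24 PM 6/21/2011 1:54:24 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.
578 6/21/2011 1:55:50 PM Intrusion Prevention Critical Outgoing TCP 10.10.10.26 00-00-00-00-00-00 10.10.10.121 00-26-2D-FC-FC-7C C:\WINDOWS\system32\ntoskrnl.exe Guy REMAX Default 1 6/21/2011 1:54:46 PM 6/21/2011 1:54:46 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.
579 6/21/2011 1:56:51 PM Intrusion Prevention Critical Outgoing TCP 10.10.10.72 00-00-00-00-00-00 10.10.10.121 00-26-2D-FC-FC-7C C:\WINDOWS\system32\ntoskrnl.exe Guy REMAX Default 1 6/21/2011 1:55:49 PM 6/21/2011 1:55:49 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.
580 6/21/2011 1:58:37 PM Intrusion Prevention Critical Outgoing TCP 10.10.10.127 00-00-00-00-00-00 10.10.10.121 00-26-2D-FC-FC-7C C:\WINDOWS\system32\ntoskrnl.exe Guy REMAX Default 1 6/21/2011 1:57:34 PM 6/21/2011 1:57:34 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.
581 6/22/2011 1:16:34 PM Intrusion Prevention Critical Outgoing TCP 10.10.10.25 00-00-00-00-00-00 10.10.10.81 00-26-2D-FC-FC-7C Guy REMAX Default 1 6/22/2011 1:15:28 PM 6/22/2011 1:15:28 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.
582 6/22/2011 1:17:57 PM Intrusion Prevention Critical Outgoing TCP 10.10.10.72 00-00-00-00-00-00 10.10.10.81 00-26-2D-FC-FC-7C Guy REMAX Default 1 6/22/2011 1:16:52 PM 6/22/2011 1:16:52 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.
583 6/22/2011 1:18:59 PM Intrusion Prevention Critical Outgoing TCP 10.10.10.105 00-00-00-00-00-00 10.10.10.81 00-26-2D-FC-FC-7C C:\WINDOWS\system32\ntoskrnl.exe Guy REMAX Default 1 6/22/2011 1:17:56 PM 6/22/2011 1:17:56 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.
584 6/22/2011 1:19:38 PM Intrusion Prevention Critical Outgoing TCP 10.10.10.127 00-00-00-00-00-00 10.10.10.81 00-26-2D-FC-FC-7C C:\WINDOWS\system32\ntoskrnl.exe Guy REMAX Default 1 6/22/2011 1:18:37 PM 6/22/2011 1:18:37 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.
585 6/22/2011 1:46:34 PM Intrusion Prevention Critical Outgoing TCP 10.10.10.25 00-00-00-00-00-00 10.10.10.81 00-26-2D-FC-FC-7C Guy REMAX Default 1 6/22/2011 1:45:30 PM 6/22/2011 1:45:30 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.
586 6/22/2011 1:47:58 PM Intrusion Prevention Critical Outgoing TCP 10.10.10.72 00-00-00-00-00-00 10.10.10.81 00-26-2D-FC-FC-7C Guy REMAX Default 1 6/22/2011 1:46:54 PM 6/22/2011 1:46:54 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.
"""

# The application column is optional (lines 581, 582, 585, 586 lack it), so
# everything between the local MAC and the "[SID: n]" tag is matched lazily.
LINE_RE = re.compile(
    r"^(?P<event>\d+)\s+(?P<time>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)\s+"
    r"Intrusion Prevention\s+(?P<severity>\S+)\s+"
    r"(?P<direction>Incoming|Outgoing)\s+(?P<proto>\S+)\s+"
    r"(?P<remote_ip>\d+(?:\.\d+){3})\s+(?P<remote_mac>(?:[0-9A-F]{2}-){5}[0-9A-F]{2})\s+"
    r"(?P<local_ip>\d+(?:\.\d+){3})\s+(?P<local_mac>(?:[0-9A-F]{2}-){5}[0-9A-F]{2})\s+"
    r".*?\[SID: (?P<sid>\d+)\]\s+(?P<desc>.*?)\s*$",
    re.IGNORECASE,
)


def parse_line(line):
    """Parse one IPS log line into a dict, or None if it is not an IPS event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    cve = re.search(r"CVE-\d{4}-\d+", rec["desc"])
    rec["cve"] = cve.group(0) if cve else None
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize_outgoing(records):
    """Group Outgoing IPS hits by local MAC, the adapter that sent the traffic.
    The MAC is the stable key: the same laptop held two IPs across the two days."""
    by_mac = defaultdict(lambda: {"local_ips": set(), "targets": set(),
                                  "sids": set(), "cves": set(), "events": 0})
    for r in records:
        if r["direction"].lower() != "outgoing":
            continue
        s = by_mac[r["local_mac"].upper()]
        s["local_ips"].add(r["local_ip"])
        s["targets"].add(r["remote_ip"])
        s["sids"].add(r["sid"])
        if r["cve"]:
            s["cves"].add(r["cve"])
        s["events"] += 1
    return dict(by_mac)


def flag_lateral_movers(summary, min_targets=3):
    """A host whose *outgoing* traffic trips an OS exploit signature against
    several distinct neighbours is the attacker, not a victim. Returns MACs."""
    return sorted(mac for mac, s in summary.items() if len(s["targets"]) >= min_targets)


if __name__ == "__main__":
    summary = summarize_outgoing(parse_log(IPS_LOG))
    for mac in flag_lateral_movers(summary):
        s = summary[mac]
        print(f"{mac} (held {sorted(s['local_ips'])}) sent {s['events']} exploit attempts "
              f"({', '.join(sorted(s['cves']))}) to {len(s['targets'])} hosts: "
              f"{sorted(s['targets'])}")
```

    Run against the quoted lines, the script reports one adapter, 00-26-2D-FC-FC-7C, sending fourteen CVE-2008-4250 attempts to five distinct hosts (10.10.10.25, .26, .72, .105, .127) under two different IPs; the "Outgoing" direction with the local path ntoskrnl.exe is what makes the laptop the source rather than a target, and the all-zero remote MAC only means the client did not resolve the peer's hardware address.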
     


  • 2.  RE: Rogue DHCP server problem

    Posted Jun 22, 2011 04:57 PM

    Can you double-check whether your systems have the OS patch 958644 installed?



  • 3.  RE: Rogue DHCP server problem

    Posted Jun 22, 2011 05:17 PM

    You never stated what AV and version you have installed.

    The question is, do you really want to spend more time cleaning this system? You might be better off wiping the drive. If you want to continue fighting this, try running the Power Eraser tool.

    http://www.symantec.com/business/support/index?page=content&id=TECH134803&locale=en_US

    If that fails, you might also try the GMER rootkit remover.



  • 4.  RE: Rogue DHCP server problem

    Posted Jun 23, 2011 12:23 AM

    I've used TDSSKiller, GMER, Autoruns, Process Explorer, HiJackThis, Malwarebytes and an SEP full scan. The original infections appeared to be gone, but clearly something isn't. What doesn't make sense is that when I move the system to a different network, the problem doesn't reappear.

    The version is 11.05, I believe, Symantec Endpoint Protection managed clients. I am considering wiping the drive, but what has caused me to delay that is that after bringing it to my office and connecting it to the network, I can't get the problem to reappear, so I'm wondering if this system is not the problem, even though Rogue DHCP Finder clearly pointed to this laptop.

    I will make sure the patch is on the other systems.
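
    Added example, not part of the thread and not the DHCP Finder tool the poster used: a Python re-implementation of what such a tool does. It broadcasts a DHCPDISCOVER with a throw-away client MAC, collects every DHCPOFFER that comes back, and lists each answering server's identifier (option 54) together with the router (option 3) and DNS servers (option 6) it hands out, then splits the servers into an allow-list and everything else. The allow-list value 10.10.10.252 is the server address given in the first post; the two OFFER packets used to exercise the parser are built by make_offer() and are constructed test data, not captures. The function names are mine.

```python
import random
import socket
import struct
import time

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed BOOTP header, 236 bytes


def build_discover(xid, mac):
    """DHCPDISCOVER (RFC 2131) with the broadcast flag set, so servers answer to
    255.255.255.255:68 and every OFFER on the segment is visible to us."""
    hdr = struct.pack(BOOTP_FMT, 1, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = (MAGIC_COOKIE
            + bytes([53, 1, 1])           # message type: DISCOVER
            + bytes([55, 3, 1, 3, 6])     # parameter request: mask, router, DNS
            + b"\xff")
    return hdr + opts


def parse_dhcp(packet):
    """Return the fields a rogue-server hunt cares about, or None if not DHCP."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        return None
    fields = struct.unpack(BOOTP_FMT, packet[:236])
    info = {"xid": fields[4], "yiaddr": socket.inet_ntoa(fields[8]),
            "msg_type": None, "server_id": None, "router": [], "dns": []}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 255:                    # end option
            break
        if code == 0:                      # pad
            i += 1
            continue
        if i + 1 >= len(packet):           # truncated option header
            break
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        i += 2 + length
        if code == 53 and data:
            info["msg_type"] = data[0]
        elif code == 54 and len(data) == 4:
            info["server_id"] = socket.inet_ntoa(data)
        elif code in (3, 6) and len(data) % 4 == 0:
            addrs = [socket.inet_ntoa(data[j:j + 4]) for j in range(0, len(data), 4)]
            info["router" if code == 3 else "dns"] = addrs
    return info


def make_offer(xid, yiaddr, server_id, router, dns):
    """Build a DHCPOFFER the way a server would. Constructed test data only,
    used to exercise parse_dhcp() offline; not a captured packet."""
    hdr = struct.pack(BOOTP_FMT, 2, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, socket.inet_aton(yiaddr), b"\0" * 4, b"\0" * 4,
                      b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = (MAGIC_COOKIE + bytes([53, 1, 2])
            + bytes([54, 4]) + socket.inet_aton(server_id)
            + bytes([3, 4]) + socket.inet_aton(router)
            + bytes([6, 4]) + socket.inet_aton(dns) + b"\xff")
    return hdr + opts


def classify(offers, authorized):
    """Split parsed OFFERs by server identifier into (authorized, rogue) dicts."""
    ok, rogue = {}, {}
    for o in offers:
        if o and o["msg_type"] == 2:
            (ok if o["server_id"] in authorized else rogue).setdefault(o["server_id"], o)
    return ok, rogue


def probe(timeout=3.0):
    """Live probe. Binding UDP/68 needs admin/root and may collide with the OS
    DHCP client; run it from the segment where the symptom occurs, since a rogue
    server only sees broadcasts on its own broadcast domain."""
    xid = random.getrandbits(32)
    mac = b"\x02" + bytes(random.getrandbits(8) for _ in range(5))  # locally administered
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    s.bind(("", 68))
    s.sendto(build_discover(xid, mac), ("255.255.255.255", 67))
    s.settimeout(0.5)
    offers, deadline = [], time.time() + timeout
    while time.time() < deadline:
        try:
            data, (src, _) = s.recvfrom(2048)
        except socket.timeout:
            continue
        info = parse_dhcp(data)
        if info and info["xid"] == xid:
            info["src_ip"] = src
            offers.append(info)
    s.close()
    return offers


if __name__ == "__main__":
    ok, rogue = classify(probe(), authorized={"10.10.10.252"})
    for label, servers in (("authorized", ok), ("ROGUE", rogue)):
        for sid, o in servers.items():
            print(f"{label}: server {sid} offers {o['yiaddr']} router={o['router']} dns={o['dns']}")
```

    The router and DNS values are worth printing alongside the server identifier: a rogue server that hands out itself as the DNS server or default gateway is what produces the "all users get redirected" symptom from the first post, and a probe that only lists server addresses would not show that.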



  • 5.  RE: Rogue DHCP server problem

    Posted Jun 23, 2011 10:27 AM

    I've used the Norton Power Eraser, and on 2 different systems it does show autorun.inf as bad on 3 mapped drives. Can I exclude this as a false negative, I'm wondering?