Endpoint Protection


Downadup Attack

Rafeeq  Dec 16, 2009 01:46 PM

Migration User  Dec 22, 2009 06:54 AM

  • 1.  Downadup Attack

    Posted Dec 16, 2009 06:06 AM
    Hello everyone,
    My server has been attacked by Downadup.
    I have added a picture about it.
    And my manager wants to know why it got this attack.
    This server has the latest virus definitions and the latest Windows updates.
    I know there is a computer that has Downadup and tries to infect other computers. I tried to find it but I couldn't. I looked, and the target is local host. (Risk Tracer is already on.)
    [attached image: downadup.jpg]


    This report shows the infected count is 1; Downadup copied itself. This is a file server. Users can create folders.
    When I look at the Risk Report I see this:

    [attached image: 2.jpg]




    I must explain this situation to my manager, but I am not sure what I will say :(
    Please tell me what it is and why it is happening.
    Best Regards.
    Fatih


  • 2.  RE: Downadup Attack

    Posted Dec 16, 2009 06:16 AM


  • 3.  RE: Downadup Attack



  • 4.  RE: Downadup Attack

    Broadcom Employee
    Posted Dec 16, 2009 06:23 AM
    Since the threat detected is on the P:/ drive, I assume it is a mapped drive. Hence there could be an open share, which would have allowed the threat to enter, and SEP has stopped the infection from spreading as it has the latest VD and the Microsoft patch that takes care of it.

    To ensure proper protection, refer to the articles mentioned above.


  • 5.  RE: Downadup Attack

    Broadcom Employee
    Posted Dec 16, 2009 06:24 AM
    Also disable autorun.inf, through GPO or SEP.

    This also looks like it is a USB drive, please verify.


  • 6.  RE: Downadup Attack

    Posted Dec 16, 2009 06:56 AM

    I know the best ways to fight Downadup.
    autorun.inf has already been disabled by GPO and Symantec since June.
    The P drive is an HDD in a SAN, and the SAN and this server are connected via fiber cable.
    Can this scenario happen? A user plugs a flash disk drive into his computer and copies a file to this server's shared folders.
    At this time Downadup gets in and copies itself to the server?

    Here are the questions:
    1- How can I find this user? (I don't know who he is now.)
    2- If this user's SEP client was stopped somehow, how did it stop? Because I have a password for stopping the service!
    3- OK, the user's SEP stopped anyway and Downadup infected it. But how did it copy itself to this server? Because this server's SEP is working.
    4- Did both SEPs stop at the same time?

    Thanks
    Fatih



  • 7.  RE: Downadup Attack

    Posted Dec 16, 2009 07:04 AM
    Try taking this report
    1) Log in to the SEPM
    2) Click on Monitors
    3) Click on the Logs tab.
    4) Select Log type as “Risk”
    5) Click on “View Logs” button to generate log entries.
    6) Click on the “Export” option and export the “Risk_reports.txt” to the computer.
    7) Rename the “.txt” file extension to “.CSV”
    8) Open the file with Microsoft Excel.

    Ref: Worms and threats that spread across networks by network shares have become more common in recent years, like Downadup/Conficker.

    This report will tell you more.


  • 8.  RE: Downadup Attack

    Posted Dec 16, 2009 07:19 AM
    Check the Event Viewer of your DC (security log, failure audits).
    You could check the AD server for the IP address from Security under Event Viewer; the code should be 539. You could trace the malware from there. Hope this helps. Closing the network ports 445 and 139 will help, but it will stop all sharing, which means printers etc.
    It will tell you from which system the attack is coming.
    Once you have found it,
    isolate it, and I'm sure you know what to do with Downadup :)



  • 9.  RE: Downadup Attack

    Posted Dec 16, 2009 07:51 AM
    Looks like the user has visited some compromised website, which in turn has tried to compromise this system with Downadup.

    Clear the browser cache. Clear the Recycle Bin.


  • 10.  RE: Downadup Attack

    Posted Dec 16, 2009 09:01 AM
    @ AravindKM
    Here is my server risk report.
    Computer Name   Source        Risk Name              Occurrences   File Path
    bay79           Manual Scan   W32.Downadup!autorun   1             //erpbyp/users/autorun.inf

    Bay79 is the client computer name, //erpbyp is the file server, and the users folder is the shared folder.
    I saw this and went to the client computer and saw this:
    Event         Computer Name   Source        Risk Name              Occurrences   File Path                    Actual Action
    Virus found   bay79           Manual Scan   W32.Downadup!autorun   1             //erpbyp/users/autorun.inf   Left alone

    But my antivirus and antispyware policy is: if a virus is found, the first action is delete, the second action is quarantine.
    You can see pictures for the client machine below.
    [attached image: cagdas.JPG]

    In this picture we can see the source computer is Local host but the current location is a different place.

    What does it mean? Is Downadup on this client or the server?


  • 11.  RE: Downadup Attack

    Posted Dec 16, 2009 09:06 AM
    By the way, if I close sharing, users cannot access the ERP programme and folders. I cannot close sharing on this server :(
    This server is the mind and heart of this company.

    Thanks.
    Fatih


  • 12.  RE: Downadup Attack

    Posted Dec 16, 2009 09:31 AM
    Source computer is BAY79, local host.
    Check the screenshot of my machine (got infected once :) ).
    c:\frm k***\ was my shared folder.


  • 13.  RE: Downadup Attack

    Posted Dec 16, 2009 09:58 AM
    OK, we agree. The source computer is BAY79. Then:
    1- How did Downadup infect this computer?
    2- Why did my SEP not block it before it got infected?
    3- How did it deploy itself to the server?
    4- Why didn't the server's SEP protect itself from Downadup? :(

    I need answers to these questions :( I have no idea what I will say to my manager :(


  • 14.  RE: Downadup Attack

    Posted Dec 16, 2009 10:03 AM
    Check what this is on bay79, a shared folder?
    erpbyp is the shared folder, correct?

    Run a full scan on this folder.
    Seems like it's spreading from here.
    Disable autorun too.


  • 15.  RE: Downadup Attack

    Posted Dec 16, 2009 10:43 AM
    bay79 hasn't got a shared folder. erpbyp is shared, right.
    I already disabled autorun, both by GPO and SEP.
    I already started to scan and there is only a cookie.
    But buddy, how can I explain the answers to my 4 questions :(


  • 16.  RE: Downadup Attack

    Posted Dec 16, 2009 12:39 PM
    For that even I don't have answers.
    All I can say is a full scan is different from Auto-Protect; a virus missed by Auto-Protect will be detected by a full scan.


  • 17.  RE: Downadup Attack

    Posted Dec 16, 2009 01:44 PM
    Hello again Rafeeq.
    Sorry, my working time ended, that's why I couldn't answer you fast. Now I am at home.
    I connected to the server and here is the scan result.
    [attached image: result.JPG]

    It scanned 773.337 files but there is no Downadup. But I know it tries to copy itself again. :(
    This is very interesting.
    What can we do?
    And how did SEP or GPO miss Auto-Protect?
    My manager is not here (Turkey), but he will come next week and he will want some answers from me.

    Thanks
    Regards.
    Fatih


  • 18.  RE: Downadup Attack

    Posted Dec 16, 2009 01:46 PM
    Is it resolved or still recurring?


  • 19.  RE: Downadup Attack

    Posted Dec 16, 2009 03:24 PM
    I know Downadup is working inside somewhere. For this server there is no attack yet.
    But how will I be sure about tomorrow?
    But I still need some answers.
    How could Downadup infect this server? I looked at the infection time, 15.12.09 00:08, but when I look at Client Management => System Log I do not see that the service was stopped.
    Well, what happened? :(


  • 20.  RE: Downadup Attack

    Posted Dec 16, 2009 11:53 PM
    Do you have any scanning exclusions?
    Is network scanning enabled?


  • 21.  RE: Downadup Attack

    Posted Dec 17, 2009 12:28 AM
    A server with SEP or any AV installed will appear to be an infected host when end users have mapped drives.
    For example:

    - Workstation without AV, and someone logs into it.
    - The login script maps the user's home drives etc. to the server.
    - Then the virus tries to write itself to the server.
    - The virus events appear on the server, but the path should be the user's home drive (or other mapped drives).
    - The virus events will have the user's name.

    You need to get on the server and run the net session command to see where that end user is logged in from.
    Keep in mind they might be logged in from more than one machine.

    It is a pain but you just have to keep tracking these users/machines down.


  • 22.  RE: Downadup Attack

    Posted Dec 17, 2009 05:01 AM
    @ aravindKM
    The scan is full; there are no exclusions.
    Network scanning is disabled; there are many network paths.

    @zer0
    This is a file server and 550 ~ 650 users open their files. Therefore there are so many results for net session.

    Who can answer just this question?
    How can Downadup infect my server? Because it has SEP and the latest definitions and Windows updates.

    I need an answer for this question.

    Thanks
    Fatih


  • 23.  RE: Downadup Attack

    Posted Dec 17, 2009 09:04 AM
    Has anyone got an idea of how Downadup can create a service?


  • 24.  RE: Downadup Attack

    Posted Dec 17, 2009 02:49 PM
    Please guys, give me a technical reason for this :(


  • 25.  RE: Downadup Attack

    Posted Dec 17, 2009 03:00 PM
    Do you see these symptoms?

    The worm may create the following files on removable and mapped drives:

      • %DriveLetter%\RECYCLER\S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d\[...].[3 random characters]
      • %DriveLetter%\autorun.inf 


  • 26.  RE: Downadup Attack

    Posted Dec 17, 2009 04:49 PM
    You're right, I saw
    exactly RECYCLERS.
    But I cannot delete it; Windows said it is in use.


  • 27.  RE: Downadup Attack

    Posted Dec 18, 2009 03:32 AM

    Hello Rafeeq
    What about Recyclers?
    Thanks
    Fatih



  • 28.  RE: Downadup Attack

    Posted Dec 18, 2009 04:14 AM
    Don't delete the RECYCLER folder.
    Do you see numbered folders inside them?

    http://support.microsoft.com/kb/229041 


  • 29.  RE: Downadup Attack

    Posted Dec 18, 2009 04:15 AM
    Go inside those folders and see if any exe files are present. If present, delete them. For this,
      change the attributes using the attrib command and try to delete.
      For example, if you have a file named test.exe, give the command as
      attrib -h -s -r test.exe
    and then delete test.exe.
     


  • 30.  RE: Downadup Attack

    Posted Dec 18, 2009 05:43 AM
    Try to update Windows and the virus definitions, remove your computer from the network, then perform a full scan and see how it goes.


  • 31.  RE: Downadup Attack

    Posted Dec 18, 2009 06:10 AM
    @Rafeeq
    Hello again. I can go inside it, and there is only a SID in there. There is no folder or exe in it.
    @aravindkm (I know attrib, buddy ;) )

    @Peterpan
    Hello Peterpan, this server is running 24/7, therefore I cannot remove it from the network :(
    But Bekir found something. One user writes to this server. I found this user, and I am working on it.
    I think I will fix this problem :)


  • 32.  RE: Downadup Attack

    Posted Dec 18, 2009 09:47 PM
    From the logs you have presented, the server is NOT infected itself.
    It's just the file share that the users are mapping to that is seeing infection events.

    The best place to get more detailed reports is from the monitors section of the console.
    - Log into the SEP console then go to Monitors > Logs > Risk Log
    - Set the date range, eg. Past week
    - Then click view log
     
    In the top left hand corner of the report you can export the filtered information to a comma separated text file, which can be imported into Excel and manipulated with a pivot table.
     
    If you have risk tracer enabled you will be able to see the SOURCE_COMPUTER_NAME and SOURCE_COMPUTER_IP columns.
    These should be the actual source of the infection and not just the server name of where SEP is installed.

    Once you have identified systems that are potentially infected, it is advised that you check that the SAV or SEP service is running and the newest definitions are loaded.
    If you suspect the machine still has a virus, please refer to the following article, which explains how to do a full scan from safe mode with command prompt.
     
    How to perform a full virus scan while in safe mode with command prompt:
    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/d77f9ee39aac2ba7882574e80064e3fe?OpenDocument
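    The drop locations listed in post 25 and the Risk log export with Risk Tracer source columns described above can be combined into a small triage script that tells the reporting host (the file server) apart from the actual source client and flags detections that were "Left alone" against policy. This is an added example, not code from the thread or from Symantec; the CSV column names and the sample rows are constructed assumptions modelled on the tables in posts 10 and 32.

```python
import csv
import io
import re
from collections import Counter

# Drop locations from post 25: %DriveLetter%\autorun.inf and
# %DriveLetter%\RECYCLER\S-<seven numeric groups>\<name>.<3 chars>
DOWNADUP_ARTIFACT = re.compile(
    r"(?:^|[\\/])(?:autorun\.inf|RECYCLER[\\/]S(?:-\d+){7}[\\/][^\\/]+\.[a-z0-9]{3})$",
    re.IGNORECASE,
)

def is_downadup_artifact(path):
    """True when the path matches one of the worm's known drop locations."""
    return DOWNADUP_ARTIFACT.search(path.strip()) is not None

def triage_risk_log(csv_text, policy_actions=("Quarantined", "Deleted")):
    """Group Downadup detections by the Risk Tracer source host and flag rows
    whose Actual Action does not match the AV policy (delete, then quarantine).
    Column names are assumptions modelled on the tables in posts 10 and 32."""
    by_source, reporting_hosts, policy_mismatch = Counter(), Counter(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row["Risk Name"].startswith("W32.Downadup"):
            continue
        # The host that logged the event (often the file server) is usually
        # not the infected machine; the Risk Tracer columns name the client.
        source = row.get("Source Computer Name") or row["Computer Name"]
        by_source[source] += 1
        reporting_hosts[row["Computer Name"]] += 1
        if row["Actual Action"] not in policy_actions:
            policy_mismatch.append(
                (row["Computer Name"], row["File Path"], row["Actual Action"]))
    return {"by_source": by_source, "reporting_hosts": reporting_hosts,
            "policy_mismatch": policy_mismatch}

# Constructed sample export (not a real log): one client, bay79, hitting the
# users share on the file server erpbyp, plus an unrelated cookie detection.
SAMPLE_CSV = r"""Event,Computer Name,Source,Risk Name,File Path,Actual Action,User Name,Source Computer Name,Source Computer IP
Virus found,erpbyp,Auto-Protect scan,W32.Downadup!autorun,P:\users\autorun.inf,Quarantined,adem.yalniz,bay79,10.0.0.79
Virus found,erpbyp,Auto-Protect scan,W32.Downadup!autorun,P:\users\autorun.inf,Quarantined,adem.yalniz,bay79,10.0.0.79
Virus found,bay79,Manual Scan,W32.Downadup!autorun,//erpbyp/users/autorun.inf,Left alone,adem.yalniz,bay79,10.0.0.79
Virus found,erpbyp,Auto-Protect scan,W32.Downadup,P:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\sample.abc,Deleted,adem.yalniz,bay79,10.0.0.79
Tracking Cookie,bay12,Manual Scan,Tracking Cookie,C:\Users\x\cookie.txt,Deleted,someone,bay12,10.0.0.12
"""

if __name__ == "__main__":
    result = triage_risk_log(SAMPLE_CSV)
    print("detections per source host:", dict(result["by_source"]))
    print("policy mismatches:", result["policy_mismatch"])
```

    On the sample rows every detection resolves to bay79 even though three of them were logged by erpbyp, which is the situation post 32 describes; the single "Left alone" row is the one worth checking against the client's own policy.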

     



  • 33.  RE: Downadup Attack
    Best Answer

    Posted Dec 20, 2009 03:46 PM
    Hello Fatih,

    On your first post, on the last picture, I see a user name called "adem.yalniz". Check his computer, make sure whether there is a real infection. He might just be getting attacked and being protected by SEP. That would mean that there is a computer in the network without SEP installed on it, you may do an unmanaged computer search.

    Please note that you may need to scan his computer in safe mode.


  • 34.  RE: Downadup Attack

    Posted Dec 20, 2009 03:59 PM
    You saved my life again, Bekir, and you did it a second time! :)
    Thank you for your help. You're right, the user adem.yalniz was infected. I updated to MR5 and did a full scan; there is no new attack. I missed this user. Thank you for your help, my friend.
    Have a nice day.

    Fatih


  • 35.  RE: Downadup Attack

    Posted Dec 21, 2009 11:41 AM
    Very good catch Bekir... good one indeed... :)


  • 36.  RE: Downadup Attack

    Posted Dec 22, 2009 06:54 AM
    anytime :)))


  • 37.  RE: Downadup Attack

    Posted Jan 14, 2010 04:37 AM

    Hi everyone,

    I've been solving virus infection problems for a long time, and W32.Downadup has a complete chapter. I've added a new article called (How to beat W32.Downadup infections - Outbreak Scenario)

    https://www-secure.symantec.com/connect/articles/how-beat-w32downadup-infections-outbreak-scenario

    If you have any comments/issues, you are welcome to speak.