Currently using Palo Alto firewalls. Can you block access at your router then?
Posted 11 May 2018 - 01:32 PM
Posted 11 May 2018 - 01:38 PM
Posted 11 May 2018 - 01:56 PM
I've looked on the routers and they don't appear to have the option to block IPs, only domains. They are only basic Netgear routers; the only trouble is that since we aren't very big we've not had the need for any enterprise equipment, so we're struggling a bit now :-(
Have you considered swapping your consumer grade Netgear router for something a little more powerful, offering you some customization to your firewall rules? Even a small Ubiquiti Edgerouter will offer custom firewall settings and they are still under $100.
I think it's safe to say now that since blocking the IPs we discussed earlier and extensively cleaning my machines/servers, I haven't seen the infection popping up any more. Since we determined it was only spreading between domain connected PCs, I shut every machine listed in AD down and made sure they were clean 1-by-1. Symantec Endpoint did clean the malware and appears to be preventing re-infection.
Posted 11 May 2018 - 02:02 PM
Posted 11 May 2018 - 02:08 PM
I don't know how many machines you have, but one thing that may be simple is to create a hosts file to block these IP addresses, then add the hosts file to every computer. Use it like a block/redirect.
https://helpdeskgeek.com/how-to/block-websites-using-hosts-file/
Posted 11 May 2018 - 02:14 PM
Posted 11 May 2018 - 02:20 PM
Glad to help, and hopefully it will actually help. I would create the file and ping one of the bad IP addresses, and possibly run a tracert to that IP. Create your hosts file with all the bad IPs resolving to wherever, or to an IP that's 127.0.0.1 (localhost), and then run a tracert again to that same IP and make sure it is now being redirected. If it is still going through the same hops then it isn't working as intended. At that point, copy that file to the other machines, preferably through \\ComputerName\c$\WINDOWS\system32\drivers\etc. From there you could psexec (if installed) into it and see if it works. Trying to save you some leg work and possibly give you some peace of mind until you can get a better solution in place.
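An added example, not code from the thread, for the "block the bad IPs on every machine until a real firewall is in place" part of the discussion. One caveat a practitioner would want stated: the hosts file maps hostnames to addresses, so it cannot stop traffic to a raw IP; the same stopgap can be done with the Windows host firewall, which is what this script uses. The IP list is a placeholder built from RFC 5737 documentation addresses (substitute the addresses identified earlier in the thread), the rule name is invented, and the deployment step assumes the RSAT ActiveDirectory module on the admin box and WinRM on the targets.

```powershell
# Added example, not from the thread. Blocks a list of known-bad IPs with the
# Windows host firewall, verifies the block locally, then pushes it to every
# enabled computer object in AD.
# The addresses below are constructed placeholders (RFC 5737 ranges).
$BadIPs   = @('203.0.113.10', '203.0.113.11', '198.51.100.5')
$RuleName = 'Block-Malware-C2'   # assumed rule name

$Block = {
    param([string[]]$Ips, [string]$Name)

    # Replace any earlier copy of the rules so the list on the host stays authoritative.
    Get-NetFirewallRule -DisplayName "$Name-*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    New-NetFirewallRule -DisplayName "$Name-Out" -Direction Outbound -Action Block `
        -RemoteAddress $Ips -Profile Any -Enabled True | Out-Null
    New-NetFirewallRule -DisplayName "$Name-In"  -Direction Inbound  -Action Block `
        -RemoteAddress $Ips -Profile Any -Enabled True | Out-Null

    # Verify: with the outbound rule in place a TCP connect to a blocked address
    # fails locally instead of leaving through the router. StillReachable must be False.
    foreach ($ip in $Ips) {
        $reachable = Test-NetConnection -ComputerName $ip -Port 80 `
            -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Ip = $ip; StillReachable = $reachable }
    }
}

# 1. Apply and verify on the local machine first.
& $Block $BadIPs $RuleName | Format-Table -AutoSize

# 2. Push the same script block to every enabled domain computer.
#    Assumes RSAT ActiveDirectory module here and WinRM (Enable-PSRemoting) on targets.
$Targets = (Get-ADComputer -Filter 'Enabled -eq $true').Name
Invoke-Command -ComputerName $Targets -ScriptBlock $Block -ArgumentList $BadIPs, $RuleName `
    -ErrorAction Continue |
    Format-Table Computer, Ip, StillReachable -AutoSize
```

The NetSecurity cmdlets and Test-NetConnection need Windows 8/Server 2012 or later; on Server 2008 R2 the equivalent is `netsh advfirewall firewall add rule name=Block-Malware-C2-Out dir=out action=block remoteip=203.0.113.10,203.0.113.11,198.51.100.5`. Treat this as a stopgap only: malware running as SYSTEM can delete a local firewall rule, so the perimeter block on the Palo Alto (or a replacement router) remains the real control.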
Posted 11 May 2018 - 02:26 PM
Posted 14 May 2018 - 02:48 PM
FYI: running reports today I found a new folder name used by the virus, \AppData\Roaming\wsxmail, with the same tttvc.exe file.
Posted 14 May 2018 - 03:53 PM
Posted 13 June 2018 - 06:37 PM
For those of you who are getting re-infected: local accounts on your domain members. Check them. Secure them.
I've been tracking this thing on a customer's network for a little over a week now; it looks like the infection date was mid-May. We are seeing all the inject.dll (and associated files) and the stcsvc.exe executable, and also scheduled task creation which duplicates all the command files into %APPDATA% upon user login. A combination of ESET and MBytes seems to work well in cleaning it, but I'm still suspicious about what my svchost processes are trying to talk to (use WFC and a good firewall to indulge this paranoia). Sorry, this is some sloppy shorthand, but you probably know what I mean. Now for the meat:
If you're getting re-infected, check 2 things off your list as well:
1. If you've ever used the ol' password reset trick where you replace utilman.exe with cmd.exe, FIX IT NOW. Even on Server 2008 R2 machines with NTLM authentication only, once this bug is on your LAN it will find this hole and stretch it to maximum.
2. Notice that if you run a Windows domain, all your domain member servers still have local accounts on them, and those accounts are vulnerable. Realize that the default Microsoft GPO does not give you a way to centrally enable a lockout policy on the local accounts. Find a way to lock those down. I suggest changing local account names to nonstandard names AND setting a lockout policy for local accounts. If you're only dealing with a few servers, you might as well do this by hand. If you're dealing with many more, look for a way to do it via PowerShell or a custom GPO.
Hope my two cents helps somebody. Thanks for posting about your various experiences. I thought I was crazy when I saw this thing. Had never heard of it before a couple of weeks ago.
PJ
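An added example, not PJ's code, that turns the two checklist items above into something you can run per server or fan out with Invoke-Command: it detects the utilman.exe/cmd.exe swap (and its registry variant, an Image File Execution Options Debugger value pointing the accessibility binary at another program), sets a local lockout policy, and renames the built-in Administrator account. The new account name 'la-ops' and the lockout values are assumptions; pick your own. The LocalAccounts cmdlets require PowerShell 5.1 (Server 2016/Windows 10 or later).

```powershell
# Added example, not from the thread. Checks for the accessibility-binary backdoor
# and hardens local accounts on a domain member. Run elevated.
$NewAdminName = 'la-ops'   # assumed nonstandard name for the RID-500 account
$Findings     = New-Object System.Collections.Generic.List[string]
$Sys32        = Join-Path $env:SystemRoot 'System32'
$IfeoRoot     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# 1. Accessibility binaries that can be launched from the logon screen.
foreach ($bin in 'utilman.exe', 'sethc.exe', 'osk.exe', 'narrator.exe', 'magnify.exe') {
    $path = Join-Path $Sys32 $bin
    if (-not (Test-Path $path)) { continue }

    # A cmd.exe copied over utilman.exe keeps cmd's version resource, so its
    # OriginalFilename no longer matches the file name it lives under.
    $orig = (Get-Item $path).VersionInfo.OriginalFilename
    $base = [IO.Path]::GetFileNameWithoutExtension($bin)
    if ($orig -and $orig -notlike "$base*") {
        $Findings.Add("$bin has been replaced: OriginalFilename is '$orig'. Restore with: sfc /scanfile=$path")
    }

    # Registry variant of the same trick: a Debugger value under IFEO.
    $dbg = (Get-ItemProperty -Path (Join-Path $IfeoRoot $bin) -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $Findings.Add("$bin has an IFEO Debugger value '$dbg'; remove it with: Remove-ItemProperty -Path '$IfeoRoot\$bin' -Name Debugger")
    }
}

# 2. Lockout policy for the local SAM. 'net accounts' without /domain writes the
#    local policy, which is what applies to local logons on a member server.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null
$Findings.Add('Local lockout policy set: 5 attempts, 30 min duration, 30 min window')

# 3. Rename the built-in Administrator (identified by RID 500, not by name, since it
#    may already have been renamed) and report any other enabled local accounts.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin -and $builtin.Name -ne $NewAdminName) {
    Rename-LocalUser -Name $builtin.Name -NewName $NewAdminName
    $Findings.Add("Renamed built-in Administrator '$($builtin.Name)' to '$NewAdminName'")
}
Get-LocalUser | Where-Object { $_.Enabled -and $_.SID.Value -notlike '*-500' } | ForEach-Object {
    $Findings.Add("Other enabled local account: $($_.Name) (last logon $($_.LastLogon)); disable it if unused")
}

"== $env:COMPUTERNAME =="
$Findings | ForEach-Object { " - $_" }
```

Two things to keep in mind when you run this at scale: a domain GPO that defines Account Lockout Policy for the OU will overwrite the `net accounts` values at the next policy refresh, so check what is linked before relying on the local setting, and renaming the RID-500 account does not stop an attacker who already has a hash for it; it only blunts sprays aimed at the default name, which is exactly the behaviour PJ describes.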
Posted 15 June 2018 - 01:48 PM
I'm uploading a copy of what I believe is an example of this infection ...
See the submission portal.
Thanks!