I love to talk about things which amaze me. So there was a situation where a network admin was in a real panic state. He was seeing very weird behaviour on a few machines on the network. He was using SCEP, which was detecting the malware as a coinminer, but as soon as it got detected the infected files were coming right back. So the admin's statement on that was "it appears SCEP is not detecting or not able to clean it". To be honest, that's a statement you can make if you do not understand how threat detection works and how malware works.
After looking at this behaviour, I pulled out my favourite tool, one which does not need any installation: "netstat -ano". That gave me all the incoming SMB (TCP 445) connections to this machine, and obviously the source machines as well. After I saw that, I used the tool called Network Monitor (Netmon 3.4). I filtered for SMB traffic and could clearly see the IP address from the netstat -ano output sending SMB traffic and trying to create the infection file in users' profile folders, the same locations the admin was showing me where the infection was coming back again after it got removed.
So I suggested they take me to the machine which was sending this SMB traffic and trying to create these files. When we went there, we found SCEP was disabled. They had a group policy that disabled it; obviously it was not detecting and cleaning since it was not running at all. So I again used Network Monitor on this machine to analyse its behaviour. I ran the following filter in Netmon, where filename.exe is the exe file this malware was trying to create on the target machine, and the path is the usual path this malware was trying to create these files in on the target machine:
SMB2.CCreate.Name == "ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\filename.exe"
The output of this in Network Monitor gave me the list of other machines this malware was trying to infect from this machine, and it was a huge list. The admin used that list to check the status of SCEP on those machines and whether they were detecting and cleaning. Meanwhile they also took this machine out of the GPOs which disabled SCEP on it.
So if SCEP had been running as usual on this hub of malware :), this issue would not have occurred at all. Even if we are seeing this behaviour where your AV is cleaning the malware and it's coming right back, it's not magical malware or some super malware which comes right back after it got cleaned. If it's coming back like this, obviously the source is on the network. We have network protocols which do certain things for us on the network, and there are not too many protocols that do file access or share access. In Windows networks we have the SMB protocol for share and file access, and that is the protocol used by malware to create files in shares to spread infection across the network.
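To make the netstat check above repeatable, here is an added PowerShell example (mine, not from the original post) that parses netstat -ano output and lists only the established inbound TCP 445 peers, grouped by source address, so outbound SMB connections from the machine itself are not mistaken for sources. It assumes an elevated session when run live; a constructed sample output is embedded so it can be tried offline.

```powershell
# Added example (not from the original post): find who is connecting to this
# machine's SMB port from "netstat -ano" output.
# Assumption: run elevated so netstat can show the owning PID of each socket.
function Get-InboundSmbPeer {
    param(
        # Lines of "netstat -ano" output; when omitted, netstat is run live.
        [string[]]$NetstatLines = (& netstat -ano)
    )
    foreach ($line in $NetstatLines) {
        # Columns: Proto  Local Address  Foreign Address  State  PID
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 5 -or $f[0] -ne 'TCP') { continue }
        # Inbound SMB means OUR local port is 445 and the socket is established.
        # A line with the remote port 445 is this machine talking out, not a source.
        if ($f[1] -match ':445$' -and $f[3] -eq 'ESTABLISHED') {
            [pscustomobject]@{
                RemoteAddress = $f[2] -replace ':\d+$', ''   # keeps [v6] literals intact
                RemotePort    = [int]($f[2] -split ':')[-1]
                OwningPid     = [int]$f[4]                  # PID 4 = System (SMB server)
            }
        }
    }
}

# Constructed sample (not captured from a real machine) for an offline run.
$sample = @(
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4',
    '  TCP    10.0.0.5:445           10.0.0.77:49811        ESTABLISHED     4',
    '  TCP    10.0.0.5:445           10.0.0.77:49820        ESTABLISHED     4',
    '  TCP    10.0.0.5:49700         10.0.0.9:445           ESTABLISHED     1234'
)

# Only 10.0.0.77 shows up (twice); the 10.0.0.9 line is an outbound session.
Get-InboundSmbPeer -NetstatLines $sample |
    Group-Object RemoteAddress |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Source'; e = { $_.Name } }, Count
```

Drop the -NetstatLines argument to run it against the live netstat output on the machine where files keep coming back; the top source addresses are the machines to look at next.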
In one scenario, an admin was looking for a containment method while he got his infected machines cleaned using AV, and in his scenario I saw the same method of file creation. One short-term containment idea I gave them was to stop inbound SMB traffic on these infected machines using Windows Firewall, with the following netsh command:
netsh advfirewall firewall add rule name="block445in" protocol=TCP dir=in localport=445 action=block
SMB may be required for GPO (to get RSOP reports), so you may want to revert this after you get back to normal, but you can stop the spread using this idea.
I had another admin who wanted to disable the NIC when their AV detects malware (sounds paranoid, I know). Technically you can do that, but it has challenges :)
The technique is simple; I wrote a blog post some time back to do a few things based on an event ID: http://blogs.technet.com/b/sooraj-sec/archive/2013/05/03/generating-netstat-output-when-a-specific-event-occurs-in-the-eventlog-using-powershell.aspx
Get the VBS file as below.
Step 1: Copy the contents of the script given in the above post (shown below) into Notepad and save it as EvtMon.vbs, and put it in a folder, let's call it yourfolder, e.g. c:\yourfolder.
'======================================================================
' EvtMon.vbs: wait for the next event log entry with the given event ID
' (optionally restricted to one log), print it, then exit.
' Print out the help when something is not typed in correctly or when
' nothing at all is typed in.
Public Sub PrintHelp
    Wscript.Echo "Usage:"
    Wscript.Echo "  EvtMon EventNumber [LogFileDisplayName]"
    Wscript.Echo "  LogFile is optional. If used, the eventlog name"
    Wscript.Echo "  file ie, application, system, security, etc..."
End Sub

' Get the arguments. Check for event number and log file as arguments.
Set objArgs = WScript.Arguments

' See how many arguments we have and collect them.
If objArgs.Count < 1 Or objArgs.Count > 2 Then
    PrintHelp
ElseIf objArgs.Count > 1 Then
    EventNumber = objArgs(0)
    LogFile = objArgs(1)
Else
    EventNumber = objArgs(0)
    LogFile = ""
End If

If EventNumber <> "" Then
    strComputer = "."
    ' Attach to the WMI service (the Security privilege is needed to read the Security log).
    Set objWMIService = GetObject("winmgmts:{(Security)}\\" & _
        strComputer & "\root\cimv2")

    ' If the LogFile is populated add this to our query. Create an
    ' event log monitoring object and send it a query.
    If LogFile = "" Then
        Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
            ("Select * from __InstanceCreationEvent Where " _
            & "TargetInstance ISA 'Win32_NTLogEvent' " _
            & "and TargetInstance.EventCode = '" _
            & EventNumber & "'")
    Else
        Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
            ("Select * from __InstanceCreationEvent Where " _
            & "TargetInstance ISA 'Win32_NTLogEvent' " _
            & "and TargetInstance.EventCode = '" _
            & EventNumber _
            & "' and TargetInstance.LogFile = '" _
            & LogFile & "'")
    End If

    ' NextEvent blocks until the next matching event occurs.
    Set objLatestEvent = colMonitoredEvents.NextEvent

    ' Print some info from the event log entry we encountered.
    Wscript.Echo objLatestEvent.TargetInstance.User
    Wscript.Echo objLatestEvent.TargetInstance.TimeWritten
    Wscript.Echo objLatestEvent.TargetInstance.Message
    Wscript.Echo objLatestEvent.TargetInstance.Logfile
    Wscript.Echo
End If
The following batch file, along with the above script, can block inbound and outbound SMB traffic. You need to give it the event ID that your AV generates when it detects malware; please see the link I gave above to check the command.
================================ you can copy it as 445-instop.bat from below=======================================================
@echo off
rem Usage: 445-instop.bat EventID [LogName]
rem EvtMon.vbs (same folder as this file) blocks until the AV detection event appears.
cscript //NoLogo "%~dp0EvtMon.vbs" %1 %2
rem Block SMB in both directions; netsh is called directly, no PowerShell wrapper needed.
netsh advfirewall firewall add rule name="block445in" protocol=TCP dir=in localport=445 action=block
netsh advfirewall firewall add rule name="block445out" protocol=TCP dir=out remoteport=445 action=block
rem Crude short pause (unreachable address) before exit.
ping -n 1 4.3.2.1
goto :EOF
=======================================================================================
The following batch file, along with the VBS script in my blog post, can be used to disable the NIC for a particular event ID (the one the AV generates on detection).
The challenge with the following is that you need to know the name of the NIC to disable, so practically it's not a feasible option.
===============================you can copy as NIC-disable.bat from below========================================================
@echo off
rem Usage: NIC-disable.bat EventID [LogName]
rem Waits for the AV detection event, then disables the named adapter.
cscript //NoLogo "%~dp0EvtMon.vbs" %1 %2
rem The adapter name is machine-specific ("Wi-Fi" here); list them with: netsh interface show interface
netsh interface set interface name="Wi-Fi" admin=disable
rem Crude short pause (unreachable address) before exit.
ping -n 1 4.3.2.1
goto :EOF
===================================================================================
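As an added example, not the post's own VBS and batch files, here is the same containment in one PowerShell script: it subscribes to the AV event ID with Register-WmiEvent (the same WQL the VBS uses), adds the two block445 rules, and optionally disables whichever adapters are currently Up, which sidesteps the NIC-name problem above. It assumes Windows 8 / Server 2012 or later (NetSecurity and NetAdapter modules), an elevated session, and that you pass your own AV's detection event ID, for which the script deliberately has no default.

```powershell
# Added example (not the post's code): event-triggered SMB block / NIC disable in PowerShell.
# Assumptions: Windows 8 / Server 2012 or later, run elevated, and -EventId is whatever
# ID your AV writes on detection (check your AV's documentation; no default on purpose).
param(
    [Parameter(Mandatory = $true)][int]$EventId,   # AV detection event ID
    [string]$LogFile = 'System',                   # event log to watch, as in EvtMon.vbs
    [switch]$DisableNic                            # also disable every adapter that is Up
)

# Same subscription EvtMon.vbs makes, but it stays registered instead of exiting after one event.
$query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
         "AND TargetInstance.EventCode = $EventId AND TargetInstance.LogFile = '$LogFile'"

Register-WmiEvent -Query $query -SourceIdentifier 'AvDetection' `
    -MessageData @{ DisableNic = $DisableNic.IsPresent } -Action {
    $evt = $Event.SourceEventArgs.NewEvent.TargetInstance
    Write-Host "Event $($evt.EventCode) in $($evt.Logfile) at $($evt.TimeWritten): $($evt.Message)"

    # Containment step 1: block SMB in both directions (the post's two netsh rules),
    # created only once even if the AV logs several detections.
    if (-not (Get-NetFirewallRule -DisplayName 'block445in' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'block445in'  -Direction Inbound  -Protocol TCP -LocalPort 445  -Action Block | Out-Null
        New-NetFirewallRule -DisplayName 'block445out' -Direction Outbound -Protocol TCP -RemotePort 445 -Action Block | Out-Null
    }

    # Containment step 2 (optional): disable all adapters that are Up, so no adapter name is needed.
    if ($Event.MessageData.DisableNic) {
        Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
    }
}

# Keep this session alive; the -Action block runs here each time the event fires.
# Undo later with: Unregister-Event -SourceIdentifier AvDetection
#                  Remove-NetFirewallRule -DisplayName block445in, block445out
while ($true) { Start-Sleep -Seconds 60 }
```

Save it as a .ps1 and run it elevated with -EventId (and -DisableNic if you really want the paranoid option); the firewall rules persist after the script stops, so remove them once the machines are clean.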
This paranoid approach, to be honest, in my opinion is not very amazing even with Windows Firewall and blocking ports based on the event ID for malware detection, because it will only work for malware for which your AV has signatures, not for new variants. But if you want it done anyway, technically you can :).
Note for reader: I have written this post in one single sitting and not much editing has been done. I will do the editing in a second sitting; I wanted to write it before I forget about it.