Moneesh
Posts: 15
Kudos
Moneesh gave kudos to itman in Frequently receiving notification of blocked website
Make sure you create an Eset firewall rule to block outbound C:\Windows\SysWOW64\dllhost.exe traffic as you did for the Win firewall. Set the logging level to warning. Then periodically monitor the Eset Networking log for any entries related to dllhost.exe. If no log entries appear after a few days, then we can safely assume the TinukeBot trojan has been removed.
You need to create the Eset firewall rule since Eset disables the Win firewall.
-
Moneesh gave kudos to stackz in Frequently receiving notification of blocked website
Here's the fixed link to the tool.
ftp://ftp.nod.sk/samples/svchecker/ESETSysVulnCheck.exe
-
Moneesh gave kudos to itman in Frequently receiving notification of blocked website
Possible but doubtful. I suspect the attacker switched to a URL not currently blacklisted by Eset.
Modify the firewall rule you created to block inbound and outbound activity for C:\Windows\SysWOW64\dllhost.exe instead of the previous IP address. As far as I am aware, this process should never perform any Internet activity. Assuming you are using the Win firewall, check its firewall log for blocked dllhost.exe connections.
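The per-process block rule and the follow-up log check described in this reply and in the Eset-rule reply above, written out as an added example for Windows Defender Firewall (this is not itman's code or an Eset tool). One caveat a practitioner will hit: pfirewall.log records dropped packets but not the process that sent them, so the per-process evidence has to come from Windows Filtering Platform auditing (Security event 5157, which carries the application path). The script assumes Windows 10/11 with the NetSecurity module and an elevated PowerShell session; the rule display names are made up here.

```powershell
# Added example (not from the forum thread): block the 32-bit dllhost.exe in both
# directions with Windows Defender Firewall, then surface blocked connections it made.
$target = "$env:SystemRoot\SysWOW64\dllhost.exe"

foreach ($dir in 'Outbound', 'Inbound') {
    $name = "Block SysWOW64 dllhost.exe ($dir)"   # assumed name, pick your own
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction $dir -Action Block `
            -Program $target -Profile Any -Enabled True | Out-Null
    }
}

# pfirewall.log has no process column, so enable failure auditing for the
# "Filtering Platform Connection" subcategory; blocked connections then appear as
# Security event 5157 with an Application field holding the executable path.
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null

# Report 5157 events from the last three days whose application is dllhost.exe.
# Direction is stored as a resource id: %%14592 = Inbound, %%14593 = Outbound.
$since = (Get-Date).AddDays(-3)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'dllhost\.exe' } |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Application = $d['Application']
            Direction   = $d['Direction']
            DestAddress = $d['DestAddress']
            DestPort    = $d['DestPort']
            Protocol    = $d['Protocol']
        }
    } | Format-Table -AutoSize
```

Re-run only the reporting part periodically; as the reply above says, a stretch of days with no dllhost.exe entries is the signal that whatever was driving the traffic is gone, and the rules can then be removed with Remove-NetFirewallRule.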
-
Moneesh gave kudos to itman in Frequently receiving notification of blocked website
As posted above, here's the download link: ftp://ftp.nod.sk/samples/svchecker/ESETSysVulnCheck.exe
Right click on the downloaded file and run it as administrator. It will create a zipped file in your Downloads folder. Attach that to your reply.
After seeing you are still vulnerable to the EternalBlue exploit, I am "bowing out" from any further replies.
-
Moneesh gave kudos to itman in Frequently receiving notification of blocked website
As for the TinukeBot trojan, Symantec has a write-up on it dating to 2017. It is a backdoor and probably what is establishing the remote C&C connection. That variant was run via:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"" = "%AppData%\[RANDOM NUMBERS FOLDER NAME]\[RANDOM NUMBERS FILE NAME].exe"
So it might be worth a look at the registry run keys; especially the HKEY_CURRENT_USER ones.
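A way to do that registry check systematically, added here as an example (not code from the thread or from Symantec): enumerate the Run and RunOnce keys for the current user and the machine, expand environment variables, and flag entries that launch from %AppData%, that use the numeric-folder-plus-numeric-file pattern quoted above, or that sit under the key's default (empty) value name as the Symantec entry does. The key list and flag names are this example's own choices.

```powershell
# Added example (not from the forum thread): list autorun entries and flag the ones
# matching the TinukeBot pattern (%AppData%\<random digits>\<random digits>.exe).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$appData       = [regex]::Escape($env:APPDATA)     # e.g. C:\Users\<user>\AppData\Roaming
$digitsPattern = '\\\d+\\\d+\.exe'                 # numeric folder and numeric file name
$psNoise       = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

$results = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $psNoise) { continue }
        $cmd      = [string]$p.Value
        $expanded = [Environment]::ExpandEnvironmentVariables($cmd)
        $flags    = @()
        if ($cmd -match '(?i)%AppData%' -or $expanded -match "(?i)^`"?$appData") {
            $flags += 'runs-from-AppData'
        }
        if ($expanded -match $digitsPattern) { $flags += 'numeric-folder-and-name' }
        if ($p.Name -eq '(default)')        { $flags += 'default-value-name' }
        [pscustomobject]@{
            Key     = $key
            Name    = $p.Name
            Command = $cmd
            Flags   = ($flags -join ',')
        }
    }
}

# Flagged entries first; everything else is listed for manual review.
$results | Sort-Object { $_.Flags -eq '' } | Format-Table -AutoSize -Wrap
```

A flag is a prompt to look, not a verdict: legitimate updaters also run from %AppData%, so check the flagged file's publisher and hash before removing anything, and run the script elevated if you want the HKLM keys included.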
-
Moneesh gave kudos to itman in Frequently receiving notification of blocked website
Pretty sure this is the bugger: https://www.virusradar.com/en/Win32_Tinukebot.B/description since it's using dllhost.exe:
And again, starts from:
-
Moneesh gave kudos to itman in Frequently receiving notification of blocked website
This is interesting. The IP address, 51.15.90.178, associated with the URL blacklisted is in Paris, France and appears to be associated with a gov. web site; UK Government Department for Work and Pensions. A UK gov. web site hosted in France?
In any case, a web connection from C:\Windows\SysWOW64\dllhost.exe definitely is not normal. For the time being, you could create a firewall rule to block all TCP/UDP traffic inbound/outbound for IP address 51.15.90.178. Once it is determined what is causing the dllhost.exe traffic, you can delete the firewall rule.