Posted

Hello,

We have Eset Endpoint Security installed in our network.

Since January 30, it has detected the Win32/AutoRun.Agent.UD worm from folder sharing on a PC and our WD My Cloud EX2 Ultra.


From the dashboard - Firewall threat - Top sources of firewall detected events in last 7 days, only two IPs appear: our router and our WD My Cloud EX2 Ultra.

Does anyone know how to solve it by finding out whose PC was infected and spread it to our shared folders on the network?

Thank you,

  • Administrators
Posted

To start off, please gather logs with ESET Log Collector from the machine so that we get complete logs for perusal.

Posted

Hello Marcos,

I sent you a private message with the Log Collector link.

Thank you,

Posted

Here's Eset's write up on the worm: https://www.virusradar.com/en/Win32_AutoRun.Agent.UD/description .

As noted in the article, the above worm creates the following additional worm malware on the targeted network: https://www.virusradar.com/en/Win32_AutoRun.Agent.TG/description and possibly, Win32/AutoRun.Agent.UB worm malware.

Posted (edited)

On the EES installed device where Win32/AutoRun.Agent.UD is being detected, check if the worm has established persistence by modifying the following reg. keys per the linked Win32/AutoRun.Agent.TG article:

Quote

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"%variable14%" = "%variable3%.exe"
"%variable15%" = %temp%\%variable4%.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"%variable16%" = %variable6%.exe
"%variable17%" = %temp%\%variable7%.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"%variable18%" = "%variable7%.exe"
"%variable19%" = "%temp%\%variable4%.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"%variable20%" = "%variable6%.exe"
"%variable14%" = "%temp%\%variable4%.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"%variable12%" = "%variable3%.exe"
"%variable16%" = "%temp%\%variable4%.exe"

 

Edited by itman
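The registry check described in the post above, as an added PowerShell example that is not part of the original thread or of ESET's tooling. It lists every value under the five quoted keys and flags data that references `%temp%` or is a bare `.exe` name, the two shapes shown in the quote; the choice of temp directories and the flagging rules are assumptions.

```powershell
# Added example: inspect the five autostart keys listed in the quoted write-up.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Assumption: "temp" covers the current user's and the system temp directory.
$tempDirs = @($env:TEMP, (Join-Path $env:SystemRoot 'Temp')) |
    ForEach-Object { $_.TrimEnd('\') }

$report = foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $regKey = Get-Item -LiteralPath $key
    foreach ($name in $regKey.GetValueNames()) {
        # Read the data unexpanded so a literal %temp%\x.exe is visible as stored.
        $raw = [string]$regKey.GetValue($name, '', 'DoNotExpandEnvironmentNames')
        $expanded = [Environment]::ExpandEnvironmentVariables($raw).Trim().Trim('"')
        $reasons = @()
        if ($raw -match '%te?mp%') { $reasons += 'references %temp%' }
        if ($tempDirs | Where-Object {
                $expanded.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }) {
            $reasons += 'resolves into a temp directory'
        }
        if ($expanded -match '^[^\\/:]+\.exe$') { $reasons += 'bare .exe name with no path' }
        [pscustomobject]@{
            Key        = $key
            Name       = $name
            Data       = $raw
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}
# Flagged entries first; every entry is listed so nothing is hidden by the heuristic.
$report | Sort-Object Suspicious -Descending | Format-List
```

The HKCU keys reflect only the account running the script, so repeat it for each user profile on the device.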
Posted (edited)

Malwaretips.com also has some additional info on how this worm operates:

Quote

Worm:Win32/Autorun is a heuristic detection designed to generically detect a Worm. This family of worms spreads by copying itself to the mapped drives of an infected PC, including network or removable drives.
When the worm runs on your computer, it enumerates all drives of your PC until a mapped drive is found. The worm tries to copy itself to the mapped drive. Worm:Win32/Autorun then writes an autorun configuration file named ‘autorun.inf’ pointing to the worm executable.
When the removable or networked drive is accessed from a computer supporting the Autorun feature, the malware is launched automatically.

https://malwaretips.com/blogs/remove-worm-win32-autorun-virus/

Based on the above, the worm is attempting to infect the device where Eset is detecting it. It also appears Eset is detecting the worm on the NAS storage if that is shown as D:/.......... in your Detection log screen shot. This would explain the repeated Eset detections on the endpoint where EES is installed.

On the EES device, disable the Win Autorun/Autoplay feature and see if that stops Eset's detections on that device.

 

Edited by itman
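To see what the `autorun.inf` mechanism quoted above has left on local, removable and mapped drives, here is an added PowerShell example (not part of the original thread). It reports each `autorun.inf` found at a drive root, the program it points to and that file's SHA-256, then reads the Autorun policy value; the function name `Get-AutorunInfTarget` and the extension list are assumptions.

```powershell
# Added example: report autorun.inf files at drive roots and what they would launch.
function Get-AutorunInfTarget {
    param([Parameter(Mandatory)][string]$Root)
    # -Force: the file is often marked hidden/system.
    $inf = Get-Item -LiteralPath (Join-Path $Root 'autorun.inf') -Force -ErrorAction SilentlyContinue
    if (-not $inf) { return }
    foreach ($line in Get-Content -LiteralPath $inf.FullName -Force) {
        # Keys that name a program: open=, shellexecute=, shell\<verb>\command=
        if ($line -match '^\s*(open|shellexecute|shell\\[^=]+\\command)\s*=\s*(.+?)\s*$') {
            $infKey  = $Matches[1]
            $command = $Matches[2].Trim('"')
            # Cut any arguments off after the program name (assumed extension list).
            $path = $command
            if ($command -match '^(.+?\.(exe|com|scr|bat|cmd|pif|vbs|js))\b') { $path = $Matches[1] }
            # Targets are normally relative to the root of the drive holding autorun.inf.
            $full = if ([IO.Path]::IsPathRooted($path)) { $path } else { Join-Path $Root $path }
            $hash = $null
            if (Test-Path -LiteralPath $full -PathType Leaf) {
                $hash = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
            }
            [pscustomobject]@{
                AutorunInf = $inf.FullName
                Key        = $infKey
                Target     = $full
                SHA256     = $hash   # empty when the target file is missing
            }
        }
    }
}

# Every file-system drive the session can see, including mapped network drives.
Get-PSDrive -PSProvider FileSystem |
    ForEach-Object { Get-AutorunInfTarget -Root $_.Root } |
    Format-List

# Autorun policy: 0xFF (255) disables Autorun for all drive types.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$policy = Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
if ($policy) {
    'NoDriveTypeAutoRun = 0x{0:X2}' -f $policy.NoDriveTypeAutoRun
} else {
    'NoDriveTypeAutoRun is not set (Windows default applies)'
}
```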
Posted (edited)

Since your original question is what is attempting to write to your file share and NAS device, my best guess is the attacker is doing so remotely.

Do you have RDP enabled on the file server or the endpoints? If so, the attacker could have done a brute force attack to gain logon credentials or may have gained those credentials by other nefarious methods.

Ref.: https://attack.mitre.org/techniques/T1105/

Edited by itman
  • Most Valued Members
Posted

The worm is replicating itself from one of the computers or shares in the network. ESET won't be able to remove it from the remote location; it will only be able to protect the computer that it's installed on.

You need to clean the worm from the infected PC/share. First of all, you should disconnect it from the network to prevent it from continuing to try to replicate itself to others, then you try to clean it off and make sure the machine is fine, and then you put it back on the network.

Posted

A very useful tool in diagnosing suspect auto run entries on a device is Sysinternals' Autoruns utility, which can be downloaded from here: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns . It has a number of optional settings including having all entries scanned at VirusTotal.

Note that there are a few FPs in this utility when run on Win 10; namely flagging non-existent Win system processes for which registry entries exist.

Posted (edited)
On 2/4/2020 at 5:50 PM, Rami said:

The worm is replicating itself from one of the computers or shares in the network. ESET won't be able to remove it from the remote location; it will only be able to protect the computer that it's installed on.

You need to clean the worm from the infected PC/share. First of all, you should disconnect it from the network to prevent it from continuing to try to replicate itself to others, then you try to clean it off and make sure the machine is fine, and then you put it back on the network.

 

On 2/5/2020 at 3:07 AM, itman said:

A very useful tool in diagnosing suspect auto run entries on a device is Sysinternals' Autoruns utility, which can be downloaded from here: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns . It has a number of optional settings including having all entries scanned at VirusTotal.

Note that there are a few FPs in this utility when run on Win 10; namely flagging non-existent Win system processes for which registry entries exist.

Thank you guys for the response.

I used Wireshark, Procmon and Process Explorer, and it was still hard to know where the infected PC was. 😅

So, I decided to create a shared folder with permission for everyone, then watched Eset Endpoint - Tools - Network connection. I finally found it when there was a connection to this PC using port 445. I found that infected PC, then installed Eset, and now our network is clean again.


Thanks,

Edited by santoso
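The approach in the post above (a bait share plus watching connections on port 445) can also be logged from the command line. This is an added PowerShell example, not part of the original thread; the function name `Watch-InboundSmb`, its defaults and the output file name are assumptions.

```powershell
# Added example: on the PC hosting the bait share, record each remote address
# that holds an established connection to local TCP port 445.
function Watch-InboundSmb {
    param([int]$Minutes = 30, [int]$PollSeconds = 2)   # assumed defaults
    $firstSeen = @{}
    $deadline = (Get-Date).AddMinutes($Minutes)
    while ((Get-Date) -lt $deadline) {
        $conns = Get-NetTCPConnection -LocalPort 445 -State Established -ErrorAction SilentlyContinue
        foreach ($remote in ($conns.RemoteAddress | Sort-Object -Unique)) {
            if ($firstSeen.ContainsKey($remote)) { continue }   # already reported
            $firstSeen[$remote] = Get-Date
            # Get-SmbSession needs an elevated prompt; it adds the logged-on
            # account and the number of files that client has open.
            $session = Get-SmbSession -ErrorAction SilentlyContinue |
                Where-Object { $_.ClientComputerName -eq $remote } |
                Select-Object -First 1
            [pscustomobject]@{
                FirstSeen     = $firstSeen[$remote]
                RemoteAddress = $remote
                User          = $session.ClientUserName   # empty if no session matched
                OpenFiles     = $session.NumOpens
            }
        }
        # Polling can miss connections shorter than the interval.
        Start-Sleep -Seconds $PollSeconds
    }
}

# Each new client is printed as it appears and appended to a text file.
Watch-InboundSmb -Minutes 60 | Tee-Object -FilePath .\smb-clients.txt
```

Match the reported addresses against DHCP leases or the asset inventory to find the machine, then correlate the timestamps with the ESET detection log.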
Posted (edited)
10 hours ago, santoso said:

So, I decided to create a shared folder with permission for everyone, then watched Eset Endpoint - Tools - Network connection. I finally found it when there was a connection to this PC using port 445. I found that infected PC, then installed Eset, and now our network is clean again.

Make sure that PC and anything else on your network has been patched against the SMBv1 protocol vulnerability: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010

Ref.: https://blog.malwarebytes.com/101/2018/12/how-threat-actors-are-using-smb-vulnerabilities/

Edited by itman
Posted
12 hours ago, itman said:

Make sure that PC and anything else on your network has been patched against the SMBv1 protocol vulnerability: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010

Ref.: https://blog.malwarebytes.com/101/2018/12/how-threat-actors-are-using-smb-vulnerabilities/

Thank you for reminding me of this vulnerability, and yes, when I scanned our network with this tool there were some PCs with vulnerability status YES.

https://omerez.com/eternalblues/

Posted (edited)
6 hours ago, santoso said:

Thank you for reminding me of this vulnerability, and yes, when I scanned our network with this tool there were some PCs with vulnerability status YES.

Actually, Eset also has one which I would trust as more reliable: https://help.eset.com/eset_tools/ESETEternalBlueChecker.exe

Ref.: https://www.eset.com/us/about/newsroom/press-releases/eset-releases-eternalblue-vulnerability-checker-to-help-combat-wannacry-ransomware/

Edited by itman
Posted
15 hours ago, itman said:

Yes, Eset has that, but it must be run on client computers one by one.
This one can check all vulnerable computers remotely:
https://omerez.com/eternalblues/

Posted
6 hours ago, santoso said:

This one can check all vulnerable computers remotely

I would be careful using this tool. Appears results are a bit ambiguous and can be misinterpreted:

For example:

Quote

I did the scan, which worked very well. Stupid question: the tool found 36 workstations with SMBv1 enabled, but it says “NO (SMBv1 enabled)”. Does this mean that even if the workstation has SMBv1 enabled it is not exploitable, or is it just saying that in case of infection it can spread by this protocol?
Thanks in advance

Developer's response:

Quote

Not a stupid question at all. It means these hosts are *not* vulnerable to the EternalBlue vulnerability.
However, SMBv1 is a very old protocol and likely to be exploited. So if possible, my recommendation will be to completely disable it.

 

Posted
On 2/12/2020 at 9:02 PM, itman said:

I would be careful using this tool. Appears results are a bit ambiguous and can be misinterpreted:

For example:

Developer's response:

 

Thank you, itman, for warning me. I will be careful next time.

Is there any tool or way that we can scan our computers for vulnerabilities over the network without running it one by one on each computer?
