santoso Posted February 3, 2020

Hello,

We have ESET Endpoint Security installed in our network. Since January 30 it has detected the Win32/AutoRun.Agent.UD worm in folder shares on a PC and on our WD My Cloud EX2 Ultra. In the dashboard, under Firewall threat - Top sources of firewall detected events in the last 7 days, only two IPs appear: our router and our WD My Cloud EX2 Ultra.

Does anyone know how to solve this by finding out whose PC was infected and spread it to our folder shares on the network?

Thank you,
Marcos (Administrator) Posted February 3, 2020

To start off, please gather logs with ESET Log Collector from the machine so that we get complete logs for perusal.
santoso (Author) Posted February 3, 2020

Hello Marcos,

I sent you a private message with the log collector link.

Thank you,
itman Posted February 3, 2020

Here's ESET's write-up on the worm: https://www.virusradar.com/en/Win32_AutoRun.Agent.UD/description . As noted in the article, the above worm creates the following additional worm malware on the targeted network: https://www.virusradar.com/en/Win32_AutoRun.Agent.TG/description and possibly the Win32/AutoRun.Agent.UB worm.
itman Posted February 3, 2020 (edited)

On the EES-installed device where Win32/AutoRun.Agent.UD is being detected, check if the worm has established persistence by modifying the following registry keys, per the linked Win32/AutoRun.Agent.TG article:

Quote:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"%variable14%" = "%variable3%.exe"
"%variable15%" = %temp%\%variable4%.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"%variable16%" = %variable6%.exe
"%variable17%" = %temp%\%variable7%.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"%variable18%" = "%variable7%.exe"
"%variable19%" = "%temp%\%variable4%.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"%variable20%" = "%variable6%.exe"
"%variable14%" = "%temp%\%variable4%.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"%variable12%" = "%variable3%.exe"
"%variable16%" = "%temp%\%variable4%.exe"

Edited February 3, 2020 by itman
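To check those keys without reading a registry export by hand, here is an added example (not from itman's post and not an ESET tool): a Python script that parses the text produced by `reg export` for the autostart keys listed above and flags the two patterns the Win32/AutoRun.Agent.TG write-up describes, a value that launches something from %temp% and a value whose data is a bare "name.exe" with no directory. The registry export embedded below is constructed for the example; the value names in it are placeholders, not known indicators.

```python
"""Triage Run/RunOnce autostart values from a `reg export` dump.

Produce the input on the suspect Windows host (one file per key), e.g.:
  reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg /y
then run this script against the .reg file.  Added example; the sample
export below is constructed, not real data.
"""
import re
import subprocess
import sys
import tempfile
from typing import Dict, List, Tuple

# Autostart keys named in the Win32/AutoRun.Agent.TG write-up (HKLM and HKCU).
AUTOSTART_SUFFIXES = (
    r"\microsoft\windows\currentversion\run",
    r"\microsoft\windows\currentversion\runonce",
    r"\microsoft\windows\currentversion\policies\explorer\run",
)

# Constructed sample in `reg export` format (on disk it is UTF-16 with a BOM;
# .reg files double every backslash inside string data).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"kjhsdf"="C:\\Users\\bob\\AppData\\Local\\Temp\\xqwert.exe"
"updsvc"="svchosts.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"cleanup"="%temp%\\rnd4321.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foo]
"DisplayName"="Foo"
"""

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} for the string values in a .reg dump."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line) if current else None
        if not m:
            continue  # header, blank line, default value (@=) or binary data
        name, data = m.group(1), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        keys[current][name] = data
    return keys


def is_autostart_key(key: str) -> bool:
    k = key.lower()
    return any(k.endswith(s) for s in AUTOSTART_SUFFIXES)


def triage(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Flag autostart values matching the worm's persistence patterns."""
    findings = []
    for key, values in keys.items():
        if not is_autostart_key(key):
            continue
        for name, data in values.items():
            cmd = data.strip().lower()
            exe = cmd.split()[0] if cmd else ""
            if "%temp%" in cmd or "\\temp\\" in cmd:
                findings.append((key, name, data, "launches from a Temp directory"))
            elif exe.endswith(".exe") and "\\" not in exe and "/" not in exe:
                findings.append((key, name, data, "bare .exe name with no directory"))
    return findings


def export_key(key: str) -> str:
    """Windows only: run `reg export` for one key and return the decoded text."""
    with tempfile.NamedTemporaryFile(suffix=".reg", delete=False) as tmp:
        path = tmp.name
    subprocess.run(["reg", "export", key, path, "/y"], check=True,
                   stdout=subprocess.DEVNULL)
    with open(path, "r", encoding="utf-16") as fh:
        return fh.read()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "r", encoding="utf-16") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REG_EXPORT
    for key, name, data, why in triage(parse_reg_export(text)):
        print(f"{why}: [{key}] {name!r} = {data!r}")
```

Run it on one export per key (the HKCU keys must be exported from the affected user's session), and treat a hit as a lead to verify with the file itself, not as proof: a bare executable name is only suspicious because it is resolved by search path rather than by an explicit location.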
itman Posted February 3, 2020 (edited)

Malwaretips.com also has some additional info on how this worm operates:

Quote:
Worm:Win32/Autorun is a heuristic detection designed to generically detect a Worm. This family of worms spreads by copying itself to the mapped drives of an infected PC, including network or removable drives. When the worm runs on your computer, it enumerates all drives of your PC until a mapped drive is found. The worm tries to copy itself to the mapped drive. Worm:Win32/Autorun then writes an autorun configuration file named 'autorun.inf' pointing to the worm executable. When the removable or networked drive is accessed from a computer supporting the Autorun feature, the malware is launched automatically.
https://malwaretips.com/blogs/remove-worm-win32-autorun-virus/

Based on the above, the worm is attempting to infect the device where ESET is detecting it. It also appears ESET is detecting the worm on the NAS storage, if that is what is shown as D:/.......... in your Detection log screenshot. This would explain the repeated ESET detections on the endpoint where EES is installed.

On the EES device, disable the Windows Autorun/Autoplay feature and see if that stops ESET's detections on that device.

Edited February 3, 2020 by itman
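The autorun.inf mechanism described in that quote can be checked directly on the share or NAS volume. The following is an added example (not from the forum post, ESET or Malwaretips): a Python script that walks a mounted share, parses every autorun.inf it finds and reports which program the file would launch and whether that program is actually present next to it. The `demo()` function builds a constructed sample tree in a temporary directory; the file names in it are placeholders, not indicators from the thread.

```python
"""Find autorun.inf files on a mounted share and report what they launch.

Added example.  Point it at the drive letter or mount point of the share
or NAS, e.g. `python scan.py Z:\\`.  The sample autorun.inf and the dummy
executable created by demo() are constructed for the example.
"""
import os
import re
import sys
import tempfile
from typing import Dict, List

# Directives that make Explorer/AutoPlay run a program: open=, shellexecute=,
# and shell\<verb>\command= (the last hijacks the context-menu verbs, so a
# double-click or "Explore" on the drive launches the target too).
_LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

SAMPLE_AUTORUN_INF = r"""[autorun]
;constructed sample in the style of an AutoRun worm
open=RECYCLER\abcd.exe
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
shell\open\command=RECYCLER\abcd.exe
shell\explore\command=RECYCLER\abcd.exe
"""


def parse_autorun_inf(text: str) -> List[Dict[str, str]]:
    """Return the launch directives found in the [autorun] section.

    Deliberately tolerant: only key=value lines inside [autorun] count, the
    section name is matched case-insensitively and unparsable lines are
    ignored, because worms pad autorun.inf with junk to defeat naive checks.
    """
    targets: List[Dict[str, str]] = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().strip('"')
        if _LAUNCH_KEY.match(key):
            targets.append({"directive": key, "target": value})
    return targets


def scan_share(root: str) -> List[Dict[str, object]]:
    """Walk `root`, parse every autorun.inf and resolve the program it points at."""
    findings: List[Dict[str, object]] = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() != "autorun.inf":
                continue
            inf_path = os.path.join(dirpath, fn)
            with open(inf_path, "r", errors="replace") as fh:
                directives = parse_autorun_inf(fh.read())
            for d in directives:
                # First token is the program; a relative path resolves against
                # the directory holding autorun.inf (the share or drive root).
                exe = d["target"].split()[0] if d["target"] else ""
                exe_path = os.path.join(dirpath, exe.replace("\\", os.sep))
                findings.append({
                    "inf": inf_path,
                    "directive": d["directive"],
                    "target": d["target"],
                    "target_exists": os.path.isfile(exe_path),
                })
    return findings


def demo() -> List[Dict[str, object]]:
    """Build a constructed share tree in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="share_")
    os.makedirs(os.path.join(root, "RECYCLER"))
    with open(os.path.join(root, "RECYCLER", "abcd.exe"), "wb") as fh:
        fh.write(b"MZ")  # stand-in for the dropped worm binary
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN_INF)
    return scan_share(root)


if __name__ == "__main__":
    results = scan_share(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for r in results:
        state = "present" if r["target_exists"] else "missing"
        print(f"{r['inf']}: {r['directive']} -> {r['target']} (target {state})")
```

A legitimate autorun.inf on a share is rare; one whose target is an executable sitting in a RECYCLER-style or hidden folder is the pattern to quarantine, along with the executable it points to, before reconnecting anything.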
itman Posted February 3, 2020 (edited)

Since your original question is what is attempting to write to your file share and NAS device, my best guess is the attacker is doing so remotely. Do you have RDP enabled on the file server or the endpoints? If so, the attacker could have done a brute-force attack to gain logon credentials, or may have gained those credentials by other nefarious methods.

Ref.: https://attack.mitre.org/techniques/T1105/

Edited February 3, 2020 by itman
Nightowl (Most Valued Member) Posted February 4, 2020

The worm is replicating itself from one of the computers or shares in the network. ESET won't be able to remove it from the remote location; it will only be able to protect the computer that it's installed on.

You need to clean the worm from the infected PC/share. First of all, you should disconnect it from the network to prevent it from trying to replicate itself to others, then clean it off, make sure the machine is fine, and then put it back on the network.
itman Posted February 4, 2020

A very useful tool in diagnosing suspect autorun entries on a device is Sysinternals' Autoruns utility, which can be downloaded from here: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns . It has a number of optional settings, including having all entries scanned at VirusTotal. Note that there are a few FPs in this utility when run on Win 10, namely flagging non-existent Windows system processes for which registry entries exist.
santoso (Author) Posted February 10, 2020 (edited)

On 2/4/2020 at 5:50 PM, Rami said: (quoted above)

On 2/5/2020 at 3:07 AM, itman said: (quoted above)

Thank you guys for the response. I used Wireshark, Procmon and Process Explorer and it was still hard to know which PC was infected. 😅

So I decided to create a folder share with permission for Everyone, then watch ESET Endpoint - Tools - Network connections. Finally found it when there was a connection to this PC using port 445. Found that infected PC, installed ESET, and now our network is clean again.

Thanks,

Edited February 10, 2020 by santoso
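The approach in that post, an open share as bait and a watch on who connects to TCP 445, can be scripted on any Windows file server. Here is an added example (not santoso's exact method and not an ESET tool): a Python script that parses `netstat -ano` output and counts established connections per remote host to local port 445, with an optional polling loop so that a worm's repeated reconnects accumulate into an obvious leader. The netstat output embedded below is constructed; the addresses are placeholders.

```python
"""Identify which hosts are connecting to a share over SMB (TCP 445).

Added example.  Run on the file server or on the host exposing the bait
share; the remote IPs with ESTABLISHED sessions to local port 445 are the
candidates.  Poll for a while, since a worm reconnects repeatedly.  The
netstat output below is constructed for the example.
"""
import subprocess
import time
from collections import Counter
from typing import Dict, Tuple

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.10.5:445       192.168.10.23:49811    ESTABLISHED     4
  TCP    192.168.10.5:445       192.168.10.23:49815    ESTABLISHED     4
  TCP    192.168.10.5:445       192.168.10.41:50122    ESTABLISHED     4
  TCP    192.168.10.5:3389      192.168.10.7:51002     ESTABLISHED     1288
  TCP    192.168.10.5:49700     192.168.10.1:445       ESTABLISHED     4
  TCP    [fe80::1%12]:445       [fe80::9%12]:50300     ESTABLISHED     4
"""


def _split_endpoint(ep: str) -> Tuple[str, str]:
    """Split 'host:port' or '[v6%scope]:port' into (host, port)."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]").split("%")[0], port


def smb_clients(netstat_text: str, local_port: str = "445") -> Dict[str, int]:
    """Count ESTABLISHED TCP connections per remote host to local_port.

    Outbound connections from this host to someone else's port 445 (for
    example to the NAS) have a high local port and are not counted.
    """
    counts: Counter = Counter()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP" or parts[3] != "ESTABLISHED":
            continue
        _lhost, lport = _split_endpoint(parts[1])
        rhost, _rport = _split_endpoint(parts[2])
        if lport == local_port:
            counts[rhost] += 1
    return dict(counts)


def live_netstat() -> str:
    """Windows only: capture `netstat -ano` output."""
    return subprocess.run(["netstat", "-ano"], capture_output=True,
                          text=True, check=True).stdout


def watch(rounds: int = 60, interval: float = 5.0) -> Dict[str, int]:
    """Poll netstat `rounds` times and accumulate per-client counts."""
    total: Counter = Counter()
    for _ in range(rounds):
        total.update(smb_clients(live_netstat()))
        time.sleep(interval)
    return dict(total)


if __name__ == "__main__":
    # Use the constructed sample by default; call watch() on the real server.
    for host, n in sorted(smb_clients(SAMPLE_NETSTAT).items(), key=lambda kv: -kv[1]):
        print(f"{host:<20} {n} session(s) to tcp/445")
```

On Windows 8 / Server 2012 and later the same information is available directly with the `Get-SmbSession` PowerShell cmdlet, which also shows the account each client authenticated as; the netstat route has the advantage of working on older hosts where the worm is more likely to be.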
itman Posted February 10, 2020 (edited)

10 hours ago, santoso said: (quoted above)

Make sure that PC and anything else on your network has been patched against the SMBv1 protocol vulnerability: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010

Ref.: https://blog.malwarebytes.com/101/2018/12/how-threat-actors-are-using-smb-vulnerabilities/

Edited February 10, 2020 by itman
santoso (Author) Posted February 11, 2020

12 hours ago, itman said: (quoted above)

Thank you for reminding me of this vulnerability, and yes, when I scanned our network with this tool there were some PCs with vulnerability status YES: https://omerez.com/eternalblues/
itman Posted February 11, 2020 (edited)

6 hours ago, santoso said: (quoted above)

Actually, ESET also has one which I would trust as more reliable: https://help.eset.com/eset_tools/ESETEternalBlueChecker.exe

Ref.: https://www.eset.com/us/about/newsroom/press-releases/eset-releases-eternalblue-vulnerability-checker-to-help-combat-wannacry-ransomware/

Edited February 11, 2020 by itman
santoso (Author) Posted February 12, 2020

15 hours ago, itman said: (quoted above)

Yes, ESET has that, but it must be run on the client computers one by one. This one can check all vulnerable computers remotely: https://omerez.com/eternalblues/
itman Posted February 12, 2020

6 hours ago, santoso said: (quoted above)

I would be careful using this tool. It appears the results are a bit ambiguous and can be misinterpreted. For example:

Quote:
I did the scan, which worked very well. Stupid question. The tool found 36 workstations with SMBv1 enabled, but it says "NO (SMBv1 enabled)". Does this mean that even if the workstation has SMBv1 enabled it is not exploitable, or just that in case of infection it can spread by this protocol? Thanks in advance

Developer's response:

Quote:
Not a stupid question at all. It means these hosts are *not* vulnerable to the EternalBlue vulnerability. However, SMBv1 is a very old protocol and likely to be exploited. So if possible, my recommendation will be to completely disable it.
santoso (Author) Posted February 14, 2020

On 2/12/2020 at 9:02 PM, itman said: (quoted above)

Thank you itman for warning me. I will be careful next time.

Is there any tool or way that we can scan our computers for vulnerabilities over the network without running it one by one on each computer?
Marcos (Administrator) Posted February 14, 2020

You can use nmap, see https://nmap.org/nsedoc/scripts/smb-vuln-ms17-010.html
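The nmap script Marcos points to reports per host, and on a subnet scan its output is easy to misread in the same way as the EternalBlues status discussed above: by default the `vulns` library prints only hosts found VULNERABLE, so a host with no script output is either patched or simply could not be probed. Here is an added example (not part of Marcos's reply and not nmap's own code): a Python script that summarises the normal-format output of `nmap -p445 --script smb-vuln-ms17-010` into one status per host, keeping "script could not decide" separate from "script silent". The nmap output embedded below is constructed; the addresses and hostname are placeholders.

```python
"""Summarise `nmap --script smb-vuln-ms17-010` output per host.

Added example.  Scan first, then feed the saved report to this script:
  nmap -p445 --script smb-vuln-ms17-010 -oN ms17.txt 192.168.10.0/24
Add `--script-args vulns.showall=1` to make nmap print an explicit
"State: NOT VULNERABLE" for patched hosts; without it they stay silent.
The nmap output below is constructed for the example.
"""
import re
import subprocess
import sys
from typing import Dict, List

SAMPLE_NMAP = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-14 10:00 CET
Nmap scan report for 192.168.10.23
Host is up (0.00050s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Nmap scan report for fileserver.corp.local (192.168.10.41)
Host is up (0.00070s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|_smb-vuln-ms17-010: Could not negotiate a connection: SMB: Failed to receive bytes: ERROR

Nmap scan report for 192.168.10.7
Host is up (0.00060s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Nmap done: 3 IP addresses (3 hosts up) scanned in 2.10 seconds
"""

_HOST_RE = re.compile(r"^Nmap scan report for (?:.*\((\S+)\)|(\S+))\s*$", re.M)


def parse_ms17_010(text: str) -> Dict[str, str]:
    """Map each scanned IP to VULNERABLE, NOT_VULNERABLE, UNKNOWN or NO_SCRIPT_OUTPUT."""
    results: Dict[str, str] = {}
    for chunk in re.split(r"(?=^Nmap scan report for )", text, flags=re.M):
        m = _HOST_RE.match(chunk)
        if not m:
            continue  # preamble before the first host
        ip = m.group(1) or m.group(2)
        if "smb-vuln-ms17-010" not in chunk:
            results[ip] = "NO_SCRIPT_OUTPUT"   # silent: patched, or SMB not reachable
        elif re.search(r"^\|\s+State:\s*VULNERABLE", chunk, re.M):
            results[ip] = "VULNERABLE"
        elif re.search(r"^\|\s+State:\s*NOT VULNERABLE", chunk, re.M):
            results[ip] = "NOT_VULNERABLE"     # only printed with vulns.showall=1
        else:
            results[ip] = "UNKNOWN"            # script ran but could not negotiate
    return results


def vulnerable_hosts(results: Dict[str, str]) -> List[str]:
    return sorted(ip for ip, state in results.items() if state == "VULNERABLE")


def run_scan(targets: List[str]) -> str:
    """Run the nmap scan (nmap must be installed) and return its normal output."""
    cmd = ["nmap", "-p445", "--script", "smb-vuln-ms17-010",
           "--script-args", "vulns.showall=1", *targets]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "r") as fh:
            report = fh.read()
    else:
        report = SAMPLE_NMAP
    summary = parse_ms17_010(report)
    for ip, state in sorted(summary.items()):
        print(f"{ip:<18} {state}")
    print("patch first:", ", ".join(vulnerable_hosts(summary)) or "none")
```

Hosts reported UNKNOWN need a second look (firewall, SMB signing requirements, or a non-Windows SMB stack such as the NAS can all cause the negotiation to fail) rather than being assumed safe; and as the EternalBlues developer noted above, a host that is not exploitable but still has SMBv1 enabled should still have it disabled.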