Security Incident Response / Trojan

Okay, I'm trying to figure this out to be a better IT Geek.

I get called to a client to check up on someone's computer that has been having problems. We had had one of our techs out here twice, etc., he ran the cheap suite of spyware tools (adaware, spybot) and cleaned some crap out.

Of course, that didn't work. So I get out here and I was able to find that it was infected with the Straterion Trojan, which is a mass-mailing worm/virus. I was able to locate instructions on how to remove it and scanned back over to make sure it's gone.

Now the second part of this is, the IP was added to the Spamhaus lists because of this trojan, and it was even suggested in the delist page that the trojan was responsible.

My question is, how would one analyze traffic, or see if that trojan is on any other computers and/or sending data out that will get the company back on the blacklist? They use Trend Micro here, and that does NOT find it. I'm just wanting to make sure the infection is under control and localized to one PC.

The thing is, I KNOW there is a way to monitor the data, and even be able to find out which offending IP address is the culprit. I just don't know how.

Any veterans wanna tell me how?

Well, I'm no veteran, but I'll give it a shot. :)

This really varies depending on what's running at your site. Usually, outbound SMTP should only come from your mail servers. Clients themselves should not be sending any SMTP traffic. (This may vary at your site) So, check whatever appliance you use at your gateway for outbound SMTP coming from any IP except your mail servers. If client computers do indeed send SMTP normally, just look at the quantity of SMTP packets per internal IP. Infected machines will usually send more messages than a normal one.

I set up an entirely different NAT range using different external IP addresses for our mail servers. So, if an infected computer gets the public IP address put on a blacklist, email won't be affected.

By the way, reimage the infected computer. Once a trojan has been installed, you can never trust that computer again.

"By the way, reimage the infected computer. Once a trojan has been installed, you can never trust that computer again."

You are probably right on this, but being the tweaker type - I still love to track down the buggers.

Okay, that does make perfect sense on the SMTP traffic and rule sets. We run a Sonicwall at this site iirc.

It's kind of funny, my company decided to take their mail server, move it to our COLO behind our Barracuda when in fact the traffic that was getting this IP on the list was still coming from the LAN.

Ehh, I found some of the problems.

It wasn't an SMTP type mailbot, but it would use Outlook as an engine.

I guess I just gotta clean it up right and make sure there are no other affected computers.

Unless you're running the network on a hub, I don't think there's any way to monitor the network promiscuously. If you've got a proxy server you can load Network Monitor from the server CD and set it up to filter and log for that traffic. Sonicwall will also keep a log of the traffic, although I just took a look at the one we have (2040 Pro) and it wasn't readily obvious how to do it.

Edit:
Scratch that, Network Monitor isn't in the support tools, it's loaded as a Windows component in the "Network Monitor Tools".

"It wasn't an SMTP type mailbot, but it would use Outlook as an engine."

Wow...that sucks.

Immortal Technique - Nice name! "Dance with the Devil" is the craziest song I've ever heard.

"Unless you're running the network on a hub, I don't think there's any way to monitor the network promiscuously."

He doesn't need packet captures, just IP/Port info on the border router/firewall.

"He doesn't need packet captures, just IP/Port info on the border router/firewall."

hmmm... and here I thought you could grab the port info from a packet capture... just checked and you can't, as far as I can tell.

"hmmm... and here I thought you could grab the port info from a packet capture... just checked and you can't, as far as I can tell. "

Yes, a packet capture does give you port information. He just doesn't need all the extra data that comes along with a capture.

Yeah, since it uses Outlook to send email it's more difficult to detect than if it were PCs establishing connections on port 25. If it were, a simple firewall rule could block it and can also likely be configured to send SNMP traps or emails when the rule gets tripped, and include the offending IP.

We do some passive network monitoring to watch for common indicators of virus procreation, i.e. ICMP activity, port scanning, typical host and service discovery type traffic. We basically just span the ports on our switches to a server (we actually have 6 servers) that examines the packets and recognizes common virus and/or trojan footprints.

Fin,

you are the local anti-spyware guy, aren't you? I think I remember you posting a lot of general solutions for it in the past but I can't find it now. Never had any problems with this before but lately I'm getting some tracking cookies, some of which keep returning. Any tricks for me?

I almost exclusively use Firefox, aside from checking my Hotmail once in a while (have even gotten a few tracking cookies in Firefox but at least those won't come back if deleted). I use ZoneAlarm Pro as a firewall and am even running Pest Patrol from startup.

Does that company have a firewall?

Control the outbound policy.

I once was called in to track down a spam zombie within a company subnet. I put in an outbound policy which I configured to permit what is needed and deny all, plus logged all the denies. Then you can see which IP address it is. Once I found out the IP we tracked down the computer name. Zapped it and done.
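The two pieces of advice above (look at the gateway for outbound SMTP from anything but the mail servers and count it per internal IP; log every deny from a default-deny outbound policy and read the source IPs back out) reduce to the same check. This is an added example, not code from anyone in the thread; it assumes a generic `action=... src=... dst=... dport=...` log format and uses a constructed sample rather than real SonicWall output.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of gateway log lines (not from a real SonicWall or any
# other device): one line per outbound connection attempt.
SAMPLE_LOG = """\
2006-03-23 10:01:02 action=allow proto=tcp src=192.168.1.10 dst=203.0.113.25 dport=25
2006-03-23 10:01:03 action=allow proto=tcp src=192.168.1.10 dst=198.51.100.7 dport=25
2006-03-23 10:01:05 action=deny proto=tcp src=192.168.1.57 dst=203.0.113.99 dport=25
2006-03-23 10:01:05 action=deny proto=tcp src=192.168.1.57 dst=203.0.113.100 dport=25
2006-03-23 10:01:06 action=deny proto=tcp src=192.168.1.57 dst=203.0.113.101 dport=25
2006-03-23 10:01:07 action=allow proto=tcp src=192.168.1.23 dst=203.0.113.5 dport=80
2006-03-23 10:01:08 action=deny proto=tcp src=192.168.1.57 dst=203.0.113.102 dport=25
2006-03-23 10:01:09 action=allow proto=tcp src=192.168.1.10 dst=203.0.113.26 dport=25
"""

LINE_RE = re.compile(
    r"action=(?P<action>\w+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)

def parse_log(text):
    """Yield one dict per well-formed line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield {**m.groupdict(), "dport": int(m.group("dport"))}

def smtp_report(text, mail_servers, volume_threshold=3):
    """Count outbound TCP/25 attempts per source IP; flag hosts that are not
    approved mail servers, or mail servers above volume_threshold (an assumed
    tunable, to be set from the site's normal baseline)."""
    attempts = Counter()
    dsts = defaultdict(set)
    for rec in parse_log(text):
        if rec["proto"] == "tcp" and rec["dport"] == 25:
            attempts[rec["src"]] += 1
            dsts[rec["src"]].add(rec["dst"])
    report = {}
    for src, n in attempts.items():
        if src not in mail_servers:
            reason = "SMTP from non-mail-server host"
        elif n > volume_threshold:
            reason = "mail server above volume threshold"
        else:
            reason = None
        # distinct_dst: a mass-mailer fans out to many MX hosts, so this is a stronger signal than raw attempts.
        report[src] = {"attempts": n, "distinct_dst": len(dsts[src]), "reason": reason}
    return report
```

When the malware drives Outlook instead, as the OP found, the messages leave through the internal mail server and never show up as client port-25 traffic at the gateway, so the same per-source counting has to be run over the mail server's own submission or relay logs.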

Ralphie's Shirt, no problem. I don't know the exact specifics but our network has about 450 servers, about 1100 network devices, maybe 3000 or so desktops, 2000 printers and an unknown number of clinical devices like CT machines, radiology imaging workstations, and god knows what else. The network spans roughly 60 geographical locations with 2 data centers and one large closet that connects to most of our remote sites.

I think we have 4 core layer 3 switches in our primary data center, 2 in our backup data center, and one in our remote site closet. Each core switch mirrors all its data to 2 gigabit ports that feed one of these servers. The servers primarily store trend network traffic data. It breaks down the traffic by application protocol, port, src, dst, etc., and we can recall and slice it in just about any way we want. The application that sorts all the data allows the network guys to create threshold rules and alarms for just about anything. So they've created some rules for network % utilization, speed, standard deviations, and of course common virus activity.

I don't think it helps much to prevent viruses since it's all passive, but it helps to detect them. Our network guys love it because whenever someone says "It's the Network!" they now have a good tool to show that it's usually not.

If you're interested in implementing something like this look at a product called Network Physics (http://www.networkphysics.com/). That's what we use. It was started by two mathematicians and I think they've created a pretty good product. They allowed us to trial it for free for a couple months before we purchased it.

Barts, you are not with CHS, are ya?

That sounds a lot like them.

bartos - Application performance analysis is something I've just started looking into. From their demo video, Network Physics looks bad ass! What other products did y'all check out before deciding on NP? Is there anything even close to this in the open source world?


Network Physics demo video:

http://www.networkphysics.com/public/secured/Intro_Demo_2006_03_23/Intro_Demo_2006_03_23.html

TTT for bartos

"What other products did y'all check out before deciding on NP?"

Sorry I didn't see this.

I recall sitting through several vendor demonstrations and for the most part being unimpressed with nearly every one except Network Physics. I believe SMARTS was one of the other demos. SMARTS is basically active SNMP monitoring and didn't seem to do anything beyond HP's Network Node Manager, which we already have deployed. We've since purchased SolarWinds and its deployment is slow-going so far. SolarWinds basically does the same thing as NNM too, SNMP polling, but SolarWinds comes preconfigured for Cisco networks. NNM is polling over 1600 devices for ICMP and SNMP data with no performance issues. SolarWinds seems to be having performance issues already and it's not fully deployed yet. But SolarWinds is cheaper and we may deploy multiple collection stations to compensate and still save money. In the end, there will only be SolarWinds or NNM for our active network monitoring. I think NNM is better but maybe because I've been using it for the past 4 years.