Author Topic: Network Worm Signs, Identification, Protection, and Removal  (Read 2547 times)

Offline NetFX

Hello, this is my first post on the forum. I'd just like to take the time to say CIS is amazing software, absolutely first rate. To the business of this post...

I have been monitoring high volumes of intrusion attempts from hackers, ranging from man-in-the-middle attacks (ARP poisoning) and MySQL injections to full-on viruses, trojans, and network worms. I have reported it to service providers, but alas I fear I may not be catching everything that has snaked its way into the LAN.

Overview: System Specs: Windows 7 Ultimate x64 Edition x 3 PCs on a bridged router/modem combo. I have disabled the vast majority of services that are not needed, as well as adjusted Local Security Policies as best I can, without sacrificing user capability.

Currently I have been availing myself of CIS Defense+ and have identified numerous PIDs as well as ports that I believe may be related to an as yet uncharted network worm. CIS Defense only caught bits of it; as I was deleting partitions, it flagged several .exes in the D:\$recycle.bin\(Reg Key#'s\$idepius.exe (or something similar). After doing some research online I turned off System Restore, but I am still seeing some sort of XML activity suggesting local security settings and restricted registry entries are being modified, along with control sets for applications showing up in the common files folder, temp folders, application data folders and system32 folder.

I have also been monitoring large amounts of Protected COM access, system certificate modifications, and many, many other suspect processes that I do not initialize nor necessarily can stop. I have successfully stealthed my ports, but have some lingering questions. (Please keep in mind I have formatted and re-installed my OS.)

Much of the outgoing traffic being monitored is svchost.exe, but with multiple PIDs on ports 80, 443, 1900, 5000, 5355 and more... Is there a way to utilize CIS Defense to filter multiple PIDs of the same .exe? When I add the svchost.exe from the running process list it will not add another, or is it sufficient to simply add more rules, restrictions and parameters to the same PID? (This does not seem to work; might just be me.)

Also, I have noticed that, regardless of the global rules added to the firewall, security policies and defense settings are being circumvented through RPCSS and Protected COM interfaces and APIs (even a fake CIS update and Windows update have been attempted here). So is there a means of refining restrictions to these services through use of the DCOM SDDL syntax? If so, can someone point me to a reference manual or guide on how to set these settings effectively?

Also, I have seen a rather huge amount of multicast addresses sending and receiving packet information. Again, I require guidance as to how to most effectively adjust CIS to filter the undesirable addresses, leaving only what is absolutely essential. (A guide or reference, rule of thumb, or any other suggestion that someone has for similar issues would be of great use. Currently I have flat out blocked ICMP, IGMP, GRE etc., but understand I am blocking some legitimate packets as well.)

I also suspect ngen has left vulnerabilities in such environments exposed to such attacks. As my hardware precludes the use of the TPM, BitLocker is not an option for me. Are there any other resources I might avail myself of that are similar?

I have found the vast majority of attacks that I have been suffering from stem from online gaming services, where the admins are misusing their authority to gain access and infect PCs. It is also suspected that holes in the monitoring of dedicated hosts using newer cloud computing resources are partially responsible, having left vulnerabilities that make people susceptible to such attacks.

At any rate, I shall leave it there for now, as I have many more questions and would love some feedback on any of these topics. Thank you for your time, and apologies for the length of this post.

Offline jay2007tech

Re: Network Worm Signs, Identification, Protection, and Removal
« Reply #1 on: June 11, 2012, 03:54:39 AM »
1) You can switch to a more secure DNS than the ones your ISP provides
https://www.comodo.com/secure-dns/

Quote
Is there a way to utilize CIS Defense to filter multiple PIDs of the same .exe? When I add the svchost.exe from the running process list it will not add another, or is it sufficient to simply add more rules, restrictions and parameters to the same PID? (This does not seem to work; might just be me.)
https://forums.comodo.com/news-announcements-feedback-cce/comodo-cleaning-essentials-24225190192-released-t82013.0.html
You can inspect it with CCE

Quote
I require guidance as to how to most effectively adjust CIS to filter the undesirable addresses, leaving only what is absolutely essential.
http://www.peerblock.com/
That should be a good start

Quote
I have found the vast majority of attacks that I have been suffering from stem from online gaming services, where the admins are misusing their authority to gain access and infect PCs
Are the gaming servers official ones? If not, there's not much you can do because they have been given access.

If you want to block IP address ranges:
Click on "firewall"
Click on "Network Security Policy"
Click on "Global Rules"
« Last Edit: June 11, 2012, 03:56:54 AM by jay2007tech »
It's hard being a crooked Admin when the files won't pass an md5checksum test. But like any other good crooked Admin it can be done, it just takes time (and lots of it) and a few aspirins

 
