Malwarebytes deployment

Networking and broadband talkabout. Need help with that new router or setting up a network?
Key Keeper
Posts: 1564
Joined: Sat Oct 30, 2004 12:17 pm
Location: Austin TX

Malwarebytes deployment

Post by Key Keeper »

An old trojan has surfaced and has managed to replicate itself network wide randomly. Need to know if there is a general tool to deploy across our network machine wide to remove this damn thing to avoid doing it manually on each machine. It's called generic.dx. There's a ton out there on it but didn't see anything that could be deployed like a forced patch to delete this thing.
FlyingPenguin
Flightless Bird
Posts: 33161
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Post by FlyingPenguin »

That's just a generic name that an anti-malware product will give to something when it doesn't know what it is. It's probably a heuristic detection, so unless you get a more specific ID on the malware, there's no one specific fix for it I can recommend.

How big a network? I generally only deal with small business networks under 12 PCs so individually cleaning PCs is not that big a deal for me. There are corporate AV solutions that give you the ability to perform network deployments, but they aren't cheap.

First off, if this is spreading via the network you need to make sure ALL the PCs are fully patched (Windows Update, Adobe Reader & Acrobat, Flash, Java). Nothing should propagate via the network unless: a) there's a known unpatched exploit, b) there's an unknown (zero day) exploit, or c) people are being stupid and sharing an infected file and everyone is opening it.

Right now the biggest exploit vector is Adobe Reader, Acrobat and Flash. All PCs should be running the latest version of Reader or Acrobat which is 9.4. All XP PCs have to be running Service Pack 3 or they are wide open to several exploits (SP2 and earlier is no longer supported via Windows Update). All Vista PCs need to be running Service Pack 2 (Vista Service Pack 1 and earlier is no longer supported via Windows Update).

Since this seems to be propagating via the network, all infected PCs need to be disconnected from the network until they're cleaned.

The following usually works with most run of the mill malware: Download the following tools to a flash drive and run them in this order to clean the infected PCs (and it wouldn't hurt to run this on ALL the PCs):

- [url=http://support.kaspersky.com/viruses/solutions?qid=208280684]Kaspersky TDSSKiller[/url]

- Trojan Remover

- Malwarebytes Anti-Malware


Other recommendations to secure the network from future attacks:

- Enable the Windows Firewall on ALL PCs (this is your front line defense against a network propagating virus).

- Disable Autoplay for removable drives (you can Google for how to do this). Infected Flash drives are a prime infection vector in an office, and there is no good reason for autoplay on a flash drive.

- Do not allow employees to use social networking sites at work ESPECIALLY Facebook. Facebook should NEVER be allowed on an office network. You can use OpenDNS to block sites on your network (either specific URL black lists or general blacklists like "All social networking sites"). I'd say 50% of malware on office PCs nowadays is through Facebook. Not that Facebook itself is evil, but it encourages risky behavior. People who would never dream of clicking on a link in an unsolicited email will click on a link from a friend in Facebook never considering that his friend may have gotten hacked, or that some friend may have given a 3rd party permission to post on their behalf. It's a dangerous quagmire. Facebook is being used a LOT for targeted attacks on businesses.

- Use Firefox if possible instead of Internet Explorer

- While I am a firm believer in free AV apps, if this is a large network (over 15 users) I would recommend a corporate AV app with centralized administration. Hands down the best one out there is Kaspersky: http://usa.kaspersky.com/downloads/free ... e-security

Hope this helps.
---
“The Government of Spain will not applaud those who set the world on fire just because they show up with a bucket.” - Prime Minister of Spain, Pedro Sánchez
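As an added illustration of the two host-hardening items in the list above (not FlyingPenguin's script, and not from any product mentioned in the thread), this batch file turns on the Windows Firewall and disables AutoPlay for all drive types so it can be pushed to every PC by a startup script. It assumes it runs with administrator rights; the registry key and `netsh` contexts are the standard Windows ones for XP and Vista/7.

```batch
@echo off
REM Added example, not from the thread: apply the two host-hardening steps
REM recommended above (Windows Firewall on, AutoPlay off for all drives).
REM Assumes it is run as an administrator on each PC (e.g. via a startup script).

REM Turn on the firewall. Vista and later use the "netsh advfirewall" context;
REM XP only has the older "netsh firewall" context, so try the new one first
REM and fall back to the old syntax if it is not available.
netsh advfirewall set allprofiles state on >nul 2>&1
if errorlevel 1 netsh firewall set opmode mode=enable

REM Disable AutoRun/AutoPlay for every drive type: NoDriveTypeAutoRun is a
REM bitmask of drive types, and 0xFF (255) sets every bit. This is the
REM machine-wide policy key, so it applies to every user who logs on.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f

REM Verification step for the deployment log: show what was actually applied.
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun
netsh advfirewall show allprofiles state 2>nul || netsh firewall show opmode
```

The verification lines at the end are deliberate: when a script like this is pushed to a couple of hundred machines, capturing its output per host is the only practical way to find the PCs where the policy did not apply (for example because the script ran without administrator rights).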

Key Keeper
Posts: 1564
Joined: Sat Oct 30, 2004 12:17 pm
Location: Austin TX

Post by Key Keeper »

Deployed MSRT through bat file. Probably around 200 machines give or take a couple. Someone clicked on something and it was bouncing around randomly. All streaming/flash/social net sites are blocked "surf control"...Seems to be taken care of now, thanks FP, always very informative. I thought it might have been me that started it LOL. DL a fun little "tool" and then this mess started but my box was clean so was someone else.
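An added example of what a "deploy MSRT through a bat file" approach can look like, written here for illustration rather than being Key Keeper's actual script: it runs the Malicious Software Removal Tool silently on the local machine and copies its report to a central share so the results from all hosts can be reviewed in one place. The share name `\\FILESERVER\msrt-logs` is an assumed placeholder; `mrt.exe` and its switches, and the `%SystemRoot%\debug\mrt.log` report location, are the standard ones Microsoft documents for MSRT.

```batch
@echo off
REM Added example (not the poster's script): run MSRT quietly on this machine
REM and collect its log centrally. Assumes the share below exists and is
REM writable by the account running the script, and that mrt.exe has been
REM installed on the PC through Windows Update.
setlocal

set LOGSHARE=\\FILESERVER\msrt-logs
set MRT=%SystemRoot%\System32\mrt.exe

if not exist "%MRT%" (
    echo %COMPUTERNAME%: mrt.exe not found, run Windows Update first >> "%LOGSHARE%\errors.txt"
    exit /b 1
)

REM /Q  = quiet mode, no user interface.
REM /F:Y = force a full scan and automatically clean what is found.
REM Use /N instead of /F:Y for a detect-only pass when a machine should be
REM preserved for investigation before anything is removed.
"%MRT%" /Q /F:Y

REM MSRT writes its report to %SystemRoot%\debug\mrt.log; keep one copy per host.
copy /Y "%SystemRoot%\debug\mrt.log" "%LOGSHARE%\%COMPUTERNAME%.log" >nul

endlocal
```

Collecting the per-host logs matters more than the scan itself for a network-wide cleanup: the logs show which machines MSRT actually cleaned something on, which are the ones to pull off the network and look at more closely, and which PCs never ran the script at all.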
FlyingPenguin
Flightless Bird
Posts: 33161
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Post by FlyingPenguin »

Yup, I keep forgetting about MSRT. Microsoft is really keeping that little monthly app up to date and it takes out a lot of this crap.