DHCP 188.229.89.121 8.8.8.8 Virus
Closed     Case # 10054     Affiliated Job:  New Trier Township District 2031
Opened:  Wednesday, September 7, 2011     Closed:  Wednesday, September 7, 2011
Total Hit Count:  20847     Last Hit:  Saturday, December 21, 2024 10:59:51 PM
Unique Hit Count:  5858     Last Unique Hit:  Saturday, December 21, 2024 10:59:51 PM
Case Type(s):  Helpdesk, Network
Case Notes(s):  All cases are posted for review purposes only. Any implementations should be performed at your own risk.

Problem:
Yesterday we noticed that there was some other device on our network operating as a DHCP server. This of course was interfering with valid DHCP requests and intelligently - this new device had all the properties of that VLAN except the DNS was being pointed to either 188.229.89.120 or 188.229.89.121, the "DHCP Server" on an IPCONFIG /ALL reported to us the device posing as a DHCP server and we later came to find a unknown virus had infected the machine and switched it's DNS hard coded to 8.8.8.8, essentially removing it from our A.D. DNS dependent network.

The effects we have come to find are as follows:
-   Infected machine operates as a DHCP server
   o   It's LAN adapter has a statically assigned DNS server of 8.8.8.8
   o   Performing a "NETSTAT -NA" in a command prompt will indicate a line with "UDP <IP>:67", this is indicating the system is operating as a DHCP server
-   System on the same VLAN as the Infected machine
   o   If it obtains a DHCP assigned configuration from the infected machine then, it's DNS is set to 188.229.89.121
   o   The DHCP Server IP address listed, when you perform a IPCONFIG /ALL from a command prompt, indicates it received the DHCP configuration from an infected system
   o   Any web page opened, redirects over to http://188.229.89.121 where the user is directed to install an update
   o   After installation, the system becomes infected and the chain continues
-   This does not appear to affect wireless adapters, only Local Area Network adapters
-   It does not appear to traverse VLANs (DHCP Relays would need configured), except in our case an infected laptop was brought into another network
-   We have seen this now on both Windows XP and Windows 7 laptops and desktops
-   The virus appears to delete or corrupt the Master Boot Record
-   The virus also starts the Remote Access Connection Manager & Telephony services and creates a service labeled SRVBB + some #s
-   Effects might appear as long login times, no mapped drives, unable to access intranet sites, unable to access Outlook or internal email


Action(s) Performed:
Total Action(s): 1
Action # Recorded Date Type Hit(s) User Expand Details
10185 9/8/2011 9:53:01 AM Network 3317 contact@danieljchu.com Some sample illustrations of the Virual Effects are shown below. Viru  Collapse ...
Last Hit: Saturday, December 21, 2024 2:01:21 PM

Some sample illustrations of the Virual Effects are shown below.

Virus Infected System:







Client Getting DHCP from Infected System:


Microsoft ForeFront Antivirus Protection 2010:

Resolution:
What we have done to attempt to diagnose these issues:
-   In our ASA, we have denied access to 188.229.89.121 to prevent further infestation
   o   access-list internal_out extended deny tcp any host 188.229.89.121
-   We have also created a capture on the ASA to monitor for any DNS request outbound to 8.8.8.8 (Infected machines)
   o   access-list monitor_djc_al permit tcp any host 8.8.8.8 eq domain
   o   access-list monitor_djc_al permit udp any host 8.8.8.8 eq domain
   o   capture monitor_djc_cap access-list monitor_djc_al interface inside
   o   show capture monitor_djc_cap or https://<ASA IP>/capture/monitor_djc_cap/
-   In addition, we are capturing any request to 188.229.89.121
   o   access-list monitor_djc02_al permit tcp any host 188.229.89.121 eq domain
   o   access-list monitor_djc02_al permit udp any host 188.229.89.121 eq domain
   o   access-list monitor_djc02_al permit tcp any host 188.229.89.121 eq www
   o   capture monitor_djc02_cap access-list monitor_djc02_al interface inside
   o   show capture monitor_djc02_cap cap or https://<ASA IP>/capture/monitor_djc02_cap/


Remote diagnosis of a machine found in the capture above can be achieved on a Windows XP using telnet:
-   Open services.msc on a remote machine - enable the telnet service
-   Telnet to the remote machine
-   At the command line review IPCONFIG /ALL
-   At the command line review NETSTAT -NA
-   When finished, stop & disable the telnet service


Big question, how to remove - we have not yet discovered a method of removal, twice, when I installed Forefront or ran a Forefront scan - the system would blue screen. We are running other types, such as MRT or Malwarebytes to see if the removal is more seamless; however, in our environment it would seem we have caught it at an early stage and therefore plan to reimage the infected machines.

UPDATE: Microsoft Forefront now detects this as the "VirTool:Win32/Injector.gen!BS" with a published release on 9/7/2011, yesturday!



Profile IMG: Footer Left Profile IMG: Footer Right