• WSTinto Tech

    @wstinto-tech

    Viewing 15 replies - 46 through 60 (of 1,078 total)
    • The cloned machine has inherited the MAC address of the original NIC. You can check this by ipconfig /all or by looking at the event logs.

      Your router will attempt to route packets by MAC address not IP address, so when it sees two devices with the same MAC address it cannot route correctly.

      Change the MAC address of the clone and update the routing table in the router and it should be OK.
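
A cloned machine that kept the original NIC's MAC shows up on any neighbour's ARP cache as two IP addresses mapped to one hardware address. The script below is an added example (not from the post above): it parses Windows `arp -a` output and reports unicast MACs that answer for more than one dynamic entry. The sample table is constructed; the 08:00:27 prefix is simply the one VirtualBox guests use, which makes a cloned VM easy to recognise.

```python
"""Flag IP addresses that share one MAC address in a Windows `arp -a` dump.

Added example, not the forum author's code. It reads the Windows layout
(IP, dash-separated MAC, type) and normalises MACs to lower-case colons
so entries captured on other hosts can be compared directly.
"""
import re
from collections import defaultdict

# Constructed sample in the Windows `arp -a` layout: 192.168.1.30 and .31
# both answer for the same (VirtualBox-prefixed) MAC, i.e. a clone.
SAMPLE_ARP = """\
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.30          08-00-27-aa-bb-cc     dynamic
  192.168.1.31          08-00-27-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)"
)


def parse_arp(text):
    """Return (ip, mac, type) tuples; MACs normalised to aa:bb:cc:dd:ee:ff."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            ip, mac, kind = m.groups()
            entries.append((ip, mac.lower().replace("-", ":"), kind.lower()))
    return entries


def is_unicast_mac(mac):
    """Broadcast/multicast MACs legitimately map to many IPs: the low bit
    of the first octet marks a group address, so exclude those."""
    first = int(mac.split(":")[0], 16)
    return (first & 1) == 0


def duplicate_macs(entries):
    """Map each unicast MAC seen on more than one dynamic IP to its IPs."""
    by_mac = defaultdict(list)
    for ip, mac, kind in entries:
        if kind == "dynamic" and is_unicast_mac(mac):
            by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    import subprocess
    import sys

    if "--live" in sys.argv:  # run against this host's real ARP cache
        text = subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_ARP
    for mac, ips in duplicate_macs(parse_arp(text)).items():
        print("MAC %s answers for %d addresses: %s" % (mac, len(ips), ", ".join(ips)))
```

Run it with `--live` on any machine on the same segment; a non-empty result means two hosts are claiming one MAC and the clone still needs its address changed.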

    • in reply to: Browser Page Not Found Error #1420142

      A quick lookup shows click.linksynergy operates from an Apache webserver:


      MagicSpeller: do you have Bot Revolt on the machine?

      You have a tab open in Firefox that shows “Bolt Revo…”, which could be Bolt Revolt – an antimalware offering that I’ve not come across before.

      It’s a bit of a leap in the dark, but could that application be part of the issue – redirecting what it considers to be a bad site (the click.linksynergy advert) to 127.0.0.1, which happens to be the local IIS webserver…which would map to c:\inetpub\wwwroot as suggested above?

    • A few things to think about:

      Assuming this is a Server-Client network running Active Directory etc, and the users have roaming profiles set to point to the server….

      Can the affected user log into a different machine and do they suffer the same corruptions then or are they able to run the database application OK?

      Does a “clean” user experience problems if they log into the “bad” machine?

      In other words, does the error follow the user or is it unique to the host? If the host, think about the database application (maybe Office, or some other?): could a repair of that help? If the user, is their profile corrupt?

      Another thought: is the database the only application that experiences these corruptions? Can the user read and write large random files into that network share reliably? Create a large random file, and run a set of read/write tests.

      The drive space clean-up could of course have damaged something with roaming profiles, but impossible to tell from afar. Nonetheless 1.5GB sounds a very small amount of space left.
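
The read/write test suggested in the post, as an added example (not the author's own tool): it writes a large file of os.urandom data into a directory on the share, fsyncs it, reads it back and compares SHA-256 digests over several rounds, reporting write and read times. The target directory is an argument; a UNC path such as \\server\share\soaktest (hypothetical) or a mapped drive letter both work, and with no argument it runs against the local temp directory so it can be checked offline.

```python
"""Read/write soak test for a network share (added example, not from the post).

Each round writes size_bytes of random data, flushes it to the server,
reads it back and verifies the digest, so silent corruption on the share
shows up as ok=False rather than as a mysteriously broken database.
"""
import hashlib
import os
import sys
import tempfile
import time

CHUNK = 1024 * 1024  # 1 MiB per write/read call


def write_random_file(path, size_bytes):
    """Write size_bytes of os.urandom data to path; return its SHA-256 hex."""
    h = hashlib.sha256()
    with open(path, "wb") as f:
        remaining = size_bytes
        while remaining > 0:
            block = os.urandom(min(CHUNK, remaining))
            h.update(block)
            f.write(block)
            remaining -= len(block)
        f.flush()
        os.fsync(f.fileno())  # push through client-side caches before rereading
    return h.hexdigest()


def sha256_file(path):
    """Stream the file back in chunks and return its SHA-256 hex."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def soak_test(directory, size_bytes, rounds):
    """Run `rounds` write/verify cycles in `directory`.

    Returns one dict per round: ok (digests matched), bytes on disk and
    the write/read durations in seconds. The test file is removed at the end.
    """
    results = []
    path = os.path.join(directory, "soak_%d.bin" % os.getpid())
    try:
        for r in range(rounds):
            t0 = time.perf_counter()
            expected = write_random_file(path, size_bytes)
            t1 = time.perf_counter()
            actual = sha256_file(path)
            t2 = time.perf_counter()
            results.append({
                "round": r,
                "ok": expected == actual,
                "size": os.path.getsize(path),
                "write_s": t1 - t0,
                "read_s": t2 - t1,
            })
    finally:
        if os.path.exists(path):
            os.remove(path)
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else tempfile.gettempdir()
    mib = int(sys.argv[2]) if len(sys.argv) > 2 else 256
    for res in soak_test(target, mib * 1024 * 1024, rounds=3):
        print(res)
```

Run it once as the affected user on the "bad" host and once on a known-good host against the same share; a failed digest or wildly different timings on one host points at the client, while failures from every host point at the share itself.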

    • in reply to: CryptoLocker: A particularly pernicious virus #1419758

      I’d like to see/know if Returnil, DeepFreeze, SteadyState and other programs of such ilk stop this. I know they would easily give the virus itself the boot but I’m wondering if it can do its damage while it exists.

      Yes they will return the machine to a known stable condition. However, they won’t protect your data.

      If the payload is active, your data is encrypted and returning the machine to a default state will not decrypt the data. Currently, the only mechanism to recover your data from a crypto locker infection is by paying the ransom or reverting to an offline backup (after a successful clean-up process).

      This is true not just for Windows machines, but for any device that holds data which can be accessed by a mapped network drive – Apple Macs, NAS, SAN, Linux boxes, file servers etc. are all at risk if they hold data accessible by a Windows machine under threat.

      Presently, the proprietary formats often used by imaging software are not attacked by crypto locker, so a device that contains these backups can be left connected to an attacked machine. I wouldn’t use that as long term mitigation though: it is likely that the threat will develop to attack these files too.

    • in reply to: Cryptolocker registry export to others #1419626

      Yes it should work, but if these machines are not networked, how will they receive the email and how can you be certain the patch has been deployed?

      Remember that these software restriction policies are only a temporary block and the threat will likely morph to execute from other locations. In addition to the restriction policies, educate users not to click on things they shouldn’t, deploy proxies and web filtering to prevent access to unnecessary resources and ensure robust and non-local backups are kept and tested.

    • in reply to: CryptoLocker: A particularly pernicious virus #1419625

      I’ve deployed software restriction policies via GPO (very similar to the CryptoPrevent utility link above) to the hosts on our mixed XP/Win7 network and verified that applications launched from those locations are blocked.

      Next thing I want to do is to get alerts from the event logs, so I can see when somebody tries to launch something they shouldn’t. I can manually set forwarding of the local event log ID 866 to the server and then trigger an email using task scheduler, but I am trying to get my head round configuring the forwarders via GPO on our XP based hosts automatically (the GPO settings seem only to work in Vista and above – our Win 7 hosts should pick up the GPO just fine). Wonder if anyone has any tips on that?

      Looking at our ESET console, we see numerous invoice-abcxyz.pdf.exe and similar attachments being blocked on Exchange, but it won’t take long for somebody somewhere to do something silly, or for the threat to morph and the GPO settings to become useless.

      With pretty much most of our data accessible to the most “click friendly” users, this is one of the few threats that really worries me. We run hourly onsite backups and daily offsite, but it would be a right royal pain to recover all that data across our network. Even after data recovery, I would be apprehensive about our network and the server.
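
For the event ID 866 alerting the post is after, here is an added example (not the poster's setup) that turns the raw events into a digest a scheduled task can mail. It parses the text that `wevtutil qe Application /q:"*[System[EventID=866]]" /f:text` produces on Vista and later and groups the blocked executables by host, user and the rule path that caught them. The sample events are constructed in that layout; the domain, user names, paths and rule GUIDs are placeholders, and the rule paths only mirror the %AppData%/%Temp% style of rule the thread discusses.

```python
"""Summarise Software Restriction Policy block events (event ID 866).

Added example, not code from the forum post. Parses `wevtutil ... /f:text`
output and builds a short digest of who tried to run what, and which rule
stopped it, for mailing from a scheduled task.
"""
import re
from collections import Counter

# Constructed sample in the wevtutil text layout; all names are placeholders.
SAMPLE_EVENTS = r"""Event[0]:
  Log Name: Application
  Source: Microsoft-Windows-SoftwareRestrictionPolicies
  Date: 2013-11-18T09:12:44.000
  Event ID: 866
  Level: Warning
  User Name: EXAMPLE\jsmith
  Computer: PC01.example.local
  Description:
Access to C:\Users\jsmith\AppData\Local\Temp\invoice-abcxyz.pdf.exe has been restricted by your Administrator by location with policy rule {00000000-0000-0000-0000-000000000001} placed on path C:\Users\*\AppData\Local\Temp\*.exe.

Event[1]:
  Log Name: Application
  Source: Microsoft-Windows-SoftwareRestrictionPolicies
  Date: 2013-11-18T09:15:02.000
  Event ID: 866
  Level: Warning
  User Name: EXAMPLE\jsmith
  Computer: PC01.example.local
  Description:
Access to C:\Users\jsmith\AppData\Local\Temp\invoice-abcxyz.pdf.exe has been restricted by your Administrator by location with policy rule {00000000-0000-0000-0000-000000000001} placed on path C:\Users\*\AppData\Local\Temp\*.exe.

Event[2]:
  Log Name: Application
  Source: Microsoft-Windows-SoftwareRestrictionPolicies
  Date: 2013-11-18T10:40:19.000
  Event ID: 866
  Level: Warning
  User Name: EXAMPLE\ajones
  Computer: PC02.example.local
  Description:
Access to C:\Users\ajones\AppData\Roaming\update.exe has been restricted by your Administrator by location with policy rule {00000000-0000-0000-0000-000000000002} placed on path C:\Users\*\AppData\Roaming\*.exe.
"""

FIELD = re.compile(r"^\s+([A-Za-z ]+):\s?(.*)$")
BLOCK = re.compile(
    r"Access to (?P<path>.+?) has been restricted by your Administrator "
    r"by location with policy rule (?P<rule>\{[0-9A-Fa-f-]+\}) "
    r"placed on path (?P<rulepath>.+?)\.?$"
)


def parse_events(text):
    """Return a list of field dicts for every event with ID 866."""
    events = []
    for chunk in re.split(r"^Event\[\d+\]:\s*$", text, flags=re.M):
        if "Event ID:" not in chunk:
            continue
        fields, desc, in_desc = {}, [], False
        for line in chunk.splitlines():
            if in_desc:  # everything after "Description:" is message text
                desc.append(line.strip())
                continue
            m = FIELD.match(line)
            if m:
                key, val = m.group(1), m.group(2).strip()
                if key == "Description":
                    in_desc = True
                    if val:
                        desc.append(val)
                else:
                    fields[key] = val
        fields["Description"] = " ".join(d for d in desc if d)
        if fields.get("Event ID") == "866":
            events.append(fields)
    return events


def summarise(events):
    """Counters keyed by (computer, user), by blocked path, and by rule path."""
    by_host_user, by_path, by_rule = Counter(), Counter(), Counter()
    for ev in events:
        m = BLOCK.search(ev.get("Description", ""))
        if not m:
            continue
        by_host_user[(ev.get("Computer", "?"), ev.get("User Name", "?"))] += 1
        by_path[m.group("path")] += 1
        by_rule[m.group("rulepath")] += 1
    return by_host_user, by_path, by_rule


def digest(events):
    """Plain-text digest suitable for an alert email body."""
    by_host_user, by_path, by_rule = summarise(events)
    lines = ["%d SRP block event(s)" % len(events), "", "By host/user:"]
    lines += ["  %s %s: %d" % (h, u, n) for (h, u), n in by_host_user.most_common()]
    lines += ["", "Blocked executables:"]
    lines += ["  %s: %d" % (p, n) for p, n in by_path.most_common()]
    lines += ["", "Rules that fired:"]
    lines += ["  %s: %d" % (r, n) for r, n in by_rule.most_common()]
    return "\n".join(lines)


if __name__ == "__main__":
    import subprocess
    import sys

    if "--live" in sys.argv:  # Vista+ only; XP has no wevtutil
        text = subprocess.run(
            ["wevtutil", "qe", "Application", "/q:*[System[EventID=866]]", "/f:text"],
            capture_output=True, text=True).stdout
    else:
        text = SAMPLE_EVENTS
    print(digest(parse_events(text)))
```

Piped into whatever mail sender the task scheduler job already uses, the digest gives the "who clicked what" view straight away; the per-rule counts also show which locations the threat is actually trying to run from, which is the early warning that a rule set needs extending.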

    • in reply to: ISP’s Router behind my wifi router #1418946

      The IP address and subnet mask in the result of your ipconfig probe shows an APIPA address. This means several things:

      You have no DHCP server running on your router, but you quite possibly have DHCP configured on your PC. Unless you have a very odd configuration in your router, you won’t be able to route to the internet with that configuration. An APIPA address is automatically generated by Windows to enable Link Local TCP/IP connections when an IP address is not set by either a static IP or a DHCP server.

      Therefore, it’s probable something is not right in the config of your PC or maybe your Cisco router.

      Lastly, I would not recommend hacking the ISP router on your roof to open the UDP ports required. That is going to introduce a big security risk for all the other users of that equipment, quite apart from being illegal in many countries.

    • in reply to: Retrieving Deleted folders in Outlook #1418922

      Assuming you have a daily / weekly backup you can use my favourite tool and recover the entire directory.
      Buy (yes, buy) Kroll Ontrack Exchange and Sharepoint Recovery, fire up the Exchange server emulator, restore the data and recover the directories.

      cheers, Paul

      Also take a look at Shadow Protect GRE. Will allow you to mount your backed-up Exchange database and recover anything from the entire database down to a single message entry.

      Not cheap, but a lifesaver when handling Exchange mailboxes.

    • Eset Endpoint Security.

      I’ve encountered big problems with Kaspersky on a small business network in the past, but ESET Endpoint is lightweight on the workstations and has some very nice remote admin console tools that will run on your DC.

    • in reply to: Windows Server 2008 high internet usage #1418916

      Use TCP View to inspect all your TCP and UDP endpoints. It will give you the detail you need to know where the traffic is coming from and/or going to.

      From there you can isolate processes to find the errant application.

    • in reply to: Net Send replacement needed #1389931

      Jerry, Thank you. I’ll take a look at it. From what I have been told, it will not work instantly to other network computers. I’ll check it out though!

      It may need a bit of tweaking to get it working. Take a look at the scripting supplied in my link above if necessary.

      Regarding the need to talk to somebody “local”, that’s a perfectly valid reason to want to stay in country; but it’s not the same as not trusting somebody because they are not in the same country as you. I use software and services sourced from around the globe: trust is non-geographic, and implying that it is jarred slightly with me.

      Anyway, I fear a digression into inappropriate territory, so will leave it at that. Do take a look at the msg command and the supporting scripts, they should do what you want.

    • in reply to: Open recursive DNS exploits: how to prevent? #1389825

      A sweep of customers’ IP allocations has revealed the following IPs in your range are showing as susceptible to Open Recursive DNS exploits:

      82.xx.xxx.xxx

      The associated Zen username is: zen22xxxx@zen

      Double check the highlighted items above refer to you and your IP address. Do you have a static IP address? If not, it is possible Zen may have discovered a vulnerability on somebody else’s kit and not yours.

      To verify it’s your kit, check your public IP address using whatsmyip.org. Switch off the router, leave it 30 seconds, then switch back on. Verify you have a new IP address using the same web based tool, then run the exploit checker from Zen once more using the new IP address obtained after the router reboot. Do you still have an issue? If not you can sleep tight.

    • in reply to: Net Send replacement needed #1389700

      Try taking a look at the msg command.

      Any reason why you don’t trust services not based in the USA? The internet is global and we don’t bite you know…well, most of us anyway.

    • in reply to: Internet access shuts down after three hours #1389699

      I’m afraid that if you want to fix it, you are going to have to run some diagnostics.

      While the internet is working, open a command prompt (go to Start and enter “CMD” in the Search Programs and Files text box). In the Command Prompt window enter “ipconfig /all” without the quotes and take a note of the result. Then when the problem occurs again, run the same command and compare the two results.

      This will establish if you have a network connection issue or a router problem.

      If it is a router issue, the best course of action is to swap it out for a known good one. Maybe twist the arm of your ISP to send you a new one.

      If it is a network disconnect (you can tell this very easily if the IPv4 address comes back as an APIPA address such as 169.254.x.x as opposed to 192.168.1.1 or similar) then you may have a faulty network card in the machine. It’s not clear if it is a laptop or desktop, but assuming a laptop for a moment: if it appears to be a network issue, as identified by the APIPA address above, try connecting via the ethernet port while the problem exists and run the ipconfig command again. Do you see an APIPA address on the ethernet port too?
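
The two posts above (the APIPA explanation in the ISP router thread and the "compare two ipconfig /all runs" procedure here) both come down to reading ipconfig output carefully, so here is one added example (not the author's) that does it mechanically: it parses saved `ipconfig /all` captures into per-adapter fields, classifies each adapter as ok, apipa (169.254/16, via the ipaddress module's link-local test), no-address, no-gateway or disconnected, and diffs two captures on the fields that matter. It handles the Windows 7 key names and the "IP Address"/"Autoconfiguration IP Address" names XP uses; the two captures below are constructed, one healthy and one after a DHCP failure.

```python
"""Parse `ipconfig /all` captures, flag APIPA addresses and diff two runs.

Added example, not from the forum posts. Save the output of `ipconfig /all`
to a file while things work and again when they break, then run:
    python ipdiff.py good.txt bad.txt
"""
import ipaddress
import re
import sys

GLOBAL = "Windows IP Configuration"
# ipconfig pads every key with " . . ." before the colon, which is what
# separates a key/value line from an IPv6 continuation line such as fe80::1%11
KEY_VALUE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 ()/-]*?)\s*(?:\. ?)+:\s?(.*)$")
SECTION = re.compile(r"^(\S.*):\s*$")
IPV4_KEYS = ("IPv4 Address", "IP Address",
             "Autoconfiguration IPv4 Address", "Autoconfiguration IP Address")
DIFF_KEYS = ("IPv4 Address", "Autoconfiguration IPv4 Address",
             "Default Gateway", "DHCP Server", "DNS Servers")

SAMPLE_GOOD = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : PC01
   Primary Dns Suffix  . . . . . . . : example.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.local
   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 18 November 2013 08:00:00
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       192.168.1.2

Wireless LAN adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
"""

SAMPLE_APIPA = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : PC01
   Primary Dns Suffix  . . . . . . . : example.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration IPv4 Address. . : 169.254.12.34(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1

Wireless LAN adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
"""


def parse_ipconfig(text):
    """Return {adapter: {field: [values]}}; continuation lines append."""
    adapters, current, last_key = {GLOBAL: {}}, GLOBAL, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SECTION.match(line)
        if m:
            current, last_key = m.group(1).strip(), None
            adapters[current] = {}
            continue
        m = KEY_VALUE.match(line)
        if m:
            last_key = m.group(1).strip()
            adapters[current].setdefault(last_key, [])
            if m.group(2).strip():
                adapters[current][last_key].append(m.group(2).strip())
        elif last_key and line.startswith(" "):
            adapters[current][last_key].append(line.strip())
    return adapters


def ipv4_addresses(fields):
    """IPv4Address objects from every IPv4-carrying key, "(Preferred)" stripped."""
    addrs = []
    for key in IPV4_KEYS:
        for v in fields.get(key, []):
            try:
                addrs.append(ipaddress.IPv4Address(re.sub(r"\(.*?\)", "", v).strip()))
            except ValueError:
                pass
    return addrs


def diagnose(fields):
    """'disconnected', 'no-address', 'apipa', 'no-gateway' or 'ok'."""
    if any("disconnected" in s.lower() for s in fields.get("Media State", [])):
        return "disconnected"
    addrs = ipv4_addresses(fields)
    if not addrs:
        return "no-address"
    if any(a.is_link_local for a in addrs):  # 169.254.0.0/16 = APIPA
        return "apipa"
    if not [g for g in fields.get("Default Gateway", []) if re.match(r"\d+\.", g)]:
        return "no-gateway"
    return "ok"


def report(adapters):
    return {name: diagnose(f) for name, f in adapters.items() if name != GLOBAL}


def compare_captures(before, after, keys=DIFF_KEYS):
    """(adapter, field, before_values, after_values) for each changed field."""
    changes = []
    for name in sorted(set(before) | set(after)):
        b, a = before.get(name, {}), after.get(name, {})
        for key in keys:
            if b.get(key, []) != a.get(key, []):
                changes.append((name, key, b.get(key, []), a.get(key, [])))
    return changes


if __name__ == "__main__":
    if len(sys.argv) == 3:
        good = parse_ipconfig(open(sys.argv[1]).read())
        bad = parse_ipconfig(open(sys.argv[2]).read())
    else:
        good, bad = parse_ipconfig(SAMPLE_GOOD), parse_ipconfig(SAMPLE_APIPA)
    print("before:", report(good))
    print("after: ", report(bad))
    for change in compare_captures(good, bad):
        print("%s | %s: %s -> %s" % change)
```

An adapter that reads apipa while the cable is plugged in is the "network disconnect" case in the post (DHCP never answered, so Windows made up a link-local address); an adapter that stays ok with the same lease and gateway while the internet is down points at the router instead.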

    • in reply to: Port 443 open #1388316

      Your PC may not be running a web server, but the router is.

      The ZyXEL USG-20W is a serious bit of kit: much more capable than the average residential router. It has, for example, a remote dial-in capability that will be protected by SSL encryption. This is probably the source of the Port 443 response. It also has the ability to launch an SSH session or to Telnet into the box, which is why Ports 22 and 23 are responding.

      To check this, go to whatsmyip.org and make a note of your public IP address. Now, ideally from a machine outside your network (a friend or neighbour) browse to https://{your-ip}. I would expect to see a router login screen.

      Next, turn off the router. Leave the modem switched on and repeat the test above. I expect no response, even though the IP address is live because the modem holds it open.

      Is it a worry? Well, it depends on how secure the router remote access is. Make sure you have a strong password, or better still, if you don’t need them, turn off the remote access tools. Some financial institutions require all low ports to be stealthed before they will allow access to their systems. I recall a visitor to the Lounge here last year had an issue with a bank who would not grant a particular service because his system was responding on a port. That may not be an issue here, but it is worth bearing in mind.
