The Anti-virus Times

Just now something started changing the DNS IPs on my servers to 8.8.8.8 and 9.9.9.9, even though Dr.Web is installed on those machines.

The report indicates that a server with the IP address _____ is connected to your network. It appears that there is suspicious network activity associated with this server.

It seems that a brute-force attack is being mounted from that host. A comprehensive examination is necessary.

An entire toolkit containing an RDP brute-force attack module based on the eternalblue exploit and a bluekeep and smbghost vulnerability scanner.

The first thing you need to do is check the operating system patches to make sure that all security updates are installed and that the anti-virus has been updated properly with the latest version you can install.

First, install security update MS17-010. It was released for Windows XP, too. It wasn't applied on the machine in question, and now a whole menagerie of malicious services and scheduled nefarious tasks are on it.

Generally speaking, this failure to install the security update permeates the entire support request. One has to make sure that the patch has been applied on all the hosts.

A quick way to do that is to check the version of the file %systemroot%\system32\drivers\srv.sys You can find an article describing the second method here. Verify by determining the file version for %systemroot%\system32\drivers\srv.sys" under all OS versions.

Check the file version for your operating system. If your file version is older than the listed version, MS17-010 is not installed. Apply the update as soon as possible. If your current version is equal to or greater than the listed version, the patch is already installed.

MS17-010’s absence in a system is unacceptable. Now we are discussing an incident involving a malware infection in a corporate network. To mitigate the threat or prevent attacks from happening in the network, security patches must be installed on all the computers.

Even one vulnerable host will jeopardize security efforts for the entire infrastructure. Attackers can gain remote access to an ill-protected machine or run arbitrary code on a computer. For example, they can download a script or an executable file, execute the malicious payload and then use the compromised machine as a foothold for further attacks across the network. Perpetrators can run any kind of code: they can mount a brute-force attack to crack account passwords and gain remote access to other nodes, encrypt data, steal personal or confidential information, etc.

Even though other PCs and servers may be protected from attacks involving the EternalBlue exploit, they can still be vulnerable to other types of attacks inside their infrastructure.

If the security update doesn’t install, determine what’s causing the error and apply it because otherwise keeping the network secure is a Sisyphean task.

And all this time the host and the whole network were vulnerable to even more devastating attacks.

Install security patches and sweep the systems clean…

Doctor Web's technical support service response.

Malware has managed to sneak into every shared folder on our local network. Deleting the file resolves the issue only temporarily; the file reappears.

Furthermore, we discovered the suspicious process DOC001.exe on the hosts as well as multiple system process clones that used up all the system memory. The same file was found in that location as was the pools.txt file containing a number of links. The URLs contained words related to cryptocurrency mining.

We are experiencing multiple issues across the network; the servers hosting our applications are often inaccessible. All the hosts are domain members, but none of them can access domain resources and the Internet simultaneously.