
Sophos not detecting host infections (malware, trojans, gbot downloader, fake avs, etc.)

In addition to Sophos Endpoint Security and Control Version 9.05 VDL4.60G, our organization utilizes SecureWorks to detect host infections that cripple our clients, resulting in loss of user productivity and additional tech hours imaging and re-configuring an end user's workstation.

Our team receives SecureWorks e-mail notifications daily through our compliance and security officers. These notifications list host infections detected on Sophos-protected workstations (see examples below). Sophos Enterprise Console 4.0.0.2362 displays a favorable status for a majority of these infected clients, showing that the client is fully up-to-date and that the last message received from the computer is minutes ago. It does not detect the trojan, malware, or hostile application that has infected the host.

Why is this? Are different detection mechanisms used? Do we need to upgrade versions of Sophos? Is the infection too new or recent? Is the infection and resulting notification not even legit? Did Sophos detect and clean the host quickly, but not provide an entry in the log stating so?

Sophos Support Knowledgebase: search terms = "gbot"
Search Result: "We didn't find anything"

Sophos Support Knowledgebase: search terms = "fake avs"
Search Result: "We didn't find anything"


Two example SecureWorks notifications can be found below; once the notifications were received, Sophos Enterprise Console continued to display a favorable status for both clients, and has yet to report any infections.

1.

Subject: SecureWorks Fake AVS

Summary: Fake-AV Downloader Trojan (x.x.x.x)

/Security Event/Hostile/Host Infection, Trojan, or Malware/High
Suggested Remediation:
Format the host and reinstall the OS and/or reimage the machine to a known good state. Due to the nature of most downloader trojans, there's likely any number of different pieces of malware infecting this machine.

The internal IP is x.x.x.x

Nov 30 10:07:11 x.x.x.x Nov 30 2010 10:07:12 FW1 : %ASA-6-305011: Built dynamic TCP translation from inside:x.x.x.x/2534 to outside:x.x.x.x/25643

Nov 30 10:07:11 x.x.x.x Nov 30 2010 10:07:12 FW1 : %ASA-6-302013: Built outbound TCP connection 93028930 for outside:78.26.179.6/80 (78.26.179.6/80) to inside:x.x.x.x/2534 (x.x.x.x/25643)

EVENT_ID 38196412:
[**] [1:1731221:0] 31221 VID22518 FakeAV Download Attempt [**]
[Classification: None] [Priority: 4] [Action: ACCEPT_PASSIVE]
11/30/2010-17:07:11.892303 206.252.232.8:25643 -> 78.26.179.6:80
tcp TTL:127 TOS:0x0 ID:7063 IpLen:20 DgmLen:745 DF
***AP*** Seq: 0xF21DFD01 Ack: 0x59A463A6 Win: 0xFFFF TcpLen: 20
==pcap s==
=0C=00=00=00?/=F5L=8F=9D=0D=00=E9=02=00=00=E9=02=00=00E=00=02=E9=1B=97@=00=7F=06%R=CE=FC=E8=08N=1A=B3=06d+=00P=F2=1D=FD=01Y=A4c=A6P=18=FF=FF=C5w=00=00GET /?s=3DsFw%2FwZ%2FAyDLott0CXexP5DsjXka%2BAyL8bMdGR7Fp0qh12G0uG%2F62pMd1NWQ%2BXVlXhRs%3D HTTP/1.1=0D=0AAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, */*=0D=0AAccept-Language: en-us=0D=0AUA-CPU: x86=0D=0AAccept-Encoding: gzip, deflate=0D=0AUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)=0D=0AHost: votalyz.co.cc=0D=0AConnection: Keep-Alive=0D=0A=0D=0A
==pcap e==


2.

Subject: SecureWorks Gbot Downloader Trojan infection

Description: Activity involving known malicious host

Hello,

We are seeing alerts indicating x.x.x.x is infected with a Gbot downloader trojan.

Nov 30 09:07:44 x.x.x.x Nov 30 2010 09:07:48 FW1 : %ASA-6-302013: Built outbound TCP connection 92874943 for outside:174.132.129.30/80 (174.132.129.30/80) to inside:x.x.x.x/1173 (x.x.x.x/18483)

Summary: Gbot Downloader Trojan infection

/Security Event/Hostile/Host Infection, Trojan, or Malware/High
Suggested Remediation:
Format computer and reinstall OS from known good media.

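The two notifications above combine a Cisco ASA NAT/connection log with an IDS alert that is seen on the outside of the firewall, so the alert's source address and port are the firewall's mapped address, not the workstation's. The following is an added example (not from the original post, SecureWorks or Sophos) that ties such an alert back to the inside host by parsing the %ASA-6-305011 and %ASA-6-302013 lines, and records whether the sensor merely observed the request (ACCEPT_PASSIVE) or blocked it. The sample lines are constructed: 10.0.0.23, 10.0.0.42 and the NAT address 203.0.113.5 are placeholders for the redacted x.x.x.x values.

```python
import re

# Constructed sample lines modelled on the alerts in the post; inside hosts and
# the firewall's mapped address are placeholders, the remote hosts are the ones quoted.
ASA_LINES = [
    "Nov 30 10:07:11 FW1 : %ASA-6-305011: Built dynamic TCP translation "
    "from inside:10.0.0.23/2534 to outside:203.0.113.5/25643",
    "Nov 30 10:07:11 FW1 : %ASA-6-302013: Built outbound TCP connection 93028930 "
    "for outside:78.26.179.6/80 (78.26.179.6/80) to inside:10.0.0.23/2534 (203.0.113.5/25643)",
    "Nov 30 09:07:44 FW1 : %ASA-6-302013: Built outbound TCP connection 92874943 "
    "for outside:174.132.129.30/80 (174.132.129.30/80) to inside:10.0.0.42/1173 (203.0.113.5/18483)",
]
IDS_ALERT = """[**] [1:1731221:0] 31221 VID22518 FakeAV Download Attempt [**]
[Classification: None] [Priority: 4] [Action: ACCEPT_PASSIVE]
11/30/2010-17:07:11.892303 203.0.113.5:25643 -> 78.26.179.6:80"""

# 305011 records the NAT translation itself; 302013 repeats the mapped address in
# parentheses, so a connection line alone (as in the Gbot alert) is enough to attribute.
TRANS_RE = re.compile(r"305011: Built dynamic \w+ translation from inside:(?P<in_ip>[\d.]+)/"
                      r"(?P<in_port>\d+) to outside:(?P<out_ip>[\d.]+)/(?P<out_port>\d+)")
CONN_RE = re.compile(r"302013: Built outbound \w+ connection \d+ for outside:[\d.]+/\d+ \([\d.]+/\d+\) "
                     r"to inside:(?P<in_ip>[\d.]+)/(?P<in_port>\d+) \((?P<out_ip>[\d.]+)/(?P<out_port>\d+)\)")
MSG_RE = re.compile(r"\[\*\*\] \[\d+:\d+:\d+\] (?P<msg>.+?) \[\*\*\]")
ACTION_RE = re.compile(r"\[Action: (?P<action>[A-Z_]+)\]")
FLOW_RE = re.compile(r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")


def nat_table(asa_lines):
    """Map (mapped_ip, mapped_port) -> (inside_ip, inside_port) from ASA syslog lines."""
    table = {}
    for line in asa_lines:
        m = TRANS_RE.search(line) or CONN_RE.search(line)
        if m:
            table[(m["out_ip"], int(m["out_port"]))] = (m["in_ip"], int(m["in_port"]))
    return table


def attribute_alert(alert_text, table):
    """Resolve an outside-facing IDS alert to the inside workstation behind the NAT."""
    msg, flow, action = MSG_RE.search(alert_text), FLOW_RE.search(alert_text), ACTION_RE.search(alert_text)
    if not (msg and flow):
        raise ValueError("unrecognised alert format")
    inside = table.get((flow["src"], int(flow["sport"])))
    return {
        "signature": msg["msg"],
        "inside_host": inside[0] if inside else None,
        "remote": f"{flow['dst']}:{flow['dport']}",
        # A passive sensor only saw the request on the wire; whether the payload ever
        # ran on the host has to come from the endpoint's own AV log, not this alert.
        "sensor_blocked": bool(action) and not action["action"].endswith("PASSIVE"),
    }
```

An alert whose `inside_host` resolves but whose `sensor_blocked` is false is exactly the situation in the post: a download attempt observed from a known workstation, which is a reason to check that client's Sophos log rather than proof that the client is infected.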


  • Hi,

    For 1: The external IP it references, on my machine, when browsing it highlights:

    http://www.sophos.com/security/analyses/viruses-and-spyware/malhtmlgena.html

    as picked up by the "web protection" component as part of 9.5.  This suggests this site has or is currently hosting malware; so it's a heads up to me to suggest either the site has possibly been compromised and is now serving malware or that is and perhaps always has been the sole purpose of the site.  Does the alert your software has generated suggest someone has browsed to the site intentionally or otherwise?  If so it doesn't necessarily mean the machine is infected.

    The second site doesn't look too clever and looks pretty dubious in nature in my opinion also.

    As for how this translates to what you are seeing via SecureWorks, I guess it works in a similar way to the web protection component of 9.5 where certain sites/IPs are classified as potentially worrying and to raise a flag.  The suggested remediation steps sound slightly overkill to me though. Quite brutal :)

    I would suggest installing 9.5 where possible as it has other features that add more layers to the solution.  Hopefully these will also add a little colour to the alerts you are getting and place more context around them.

    Jak

  • Hello robertjamesd,

    Sophos Support Knowledgebase: search terms = "gbot"

    is not the correct place to look. You find the analyses in Security, specifically the Analyses Viruses and Spyware tab. Both gbot and AVS give a number of hits.

    I agree with Jak that the Suggested Remediation is quite brutal ("scorch the dog and the fleas will be gone"). FakeAV Download Attempt is just that; it doesn't tell you whether it really ran or has successfully been blocked. In the case of Fake AV the user couldn't have helped noticing if it really ran. As for the Gbot alert, not every attempt to access a (potentially) malicious site is IMO an indication of successful infection.

    Did Sophos detect and clean the host quickly, but not provide an entry in the log stating so?

    SAV.txt on the client and the Computer Details in SEC will contain corresponding entries. As the threats are not brand new I'm pretty sure they have been detected and blocked/cleaned.

    Christian
