
Malware not detected - Trojan.Multi.GenAutorunWMI.a

Hello,

I'm not sure if this is a Sophos issue (it cannot identify it), or if it is just a configuration issue.

I have been trying to find out how I can configure Sophos Central, for both workstations and servers, to identify and cure a malware named Trojan.Multi.GenAutorunWMI.a.

Most of the workstations and ALL servers were infected this week and I'm having to run another antimalware such as Kaspersky to remove it. Sophos never seems to identify it, but Kaspersky does. My concern about removing it with Kaspersky is that the devices can be infected again, since the Sophos endpoint is not aware of it and not blocking it.

The main symptom is high CPU consumption. A powershell keeps running a script that consumes 100% CPU. Another symptom that we are still not sure is related is that some workstations and servers (both physical and virtualized servers) suddenly restart for no reason.

If anyone is experiencing this issue and could share any remediation, I'll be thankful.

Thanks!




[locked by: FloSupport at 5:21 PM (GMT -7) on 4 Apr 2019]
  • Hi,

    Please submit a file sample to our labs team for analysis. 

    You may follow this KB for instructions on submission: Submitting samples of suspicious files to Sophos 

    Thanks,
    Karlos

    Karlos
    Community Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.
  • There is no file related, since it is a system memory malware. At least, we were not able to find the source file.

    All I have is the print screen from the Kaspersky report I already sent to the support channel. I also sent evidence of the CPU consumption and issues. I hope I get a reply from the support team.

    Thanks,

  • Hi,

    I have just followed up with your case. The case owner is away today so it has been reassigned and the new case owner has already forwarded your case for review to our labs team for analysis.

    We appreciate your patience as we investigate this further.

    Thanks,
    Karlos

    Karlos
    Community Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.
  • They requested some info, which I sent yesterday, but I haven't heard from them so far.

    They suggested trying to remove some things manually, but I need Sophos to cure all the machines and prevent them from being infected again with the malware. There's no reason to keep Sophos if it does not remove and prevent it. I need a transparent response on whether this is going to happen or not. I need to confirm if I can count on Sophos or move to another provider.

    Thanks!

  • Keep us posted on this case. Curious to know about the malware and the Sophos response.

  • Hello skyisbluescreen,

    Unfortunately the issue has not been solved yet. They have been requesting some information and I'm providing everything I can. They have been replying and seem to be working on it, which seems to be something good, but they are still not able to find the issue, and it seems they are not aware of the fileless malware type of infection, which is surely something to worry about.

    Sophos endpoint is still unable to detect the malware and we are having to remove it manually one by one. The issue on doing this is:

    1- that's a huge effort, to locate and remove the malware on each machine. I was able to detect which IPs the scripts are trying to connect to, so I was able to block them on the firewall and track them in the logs, so I can detect which machines are infected. I'm currently using Kaspersky Virus Removal Tool (free software), since it can detect and remove it.

    2- not sure yet, but I'm afraid the machines can get infected again after being cured, since Sophos is not detecting it.

  • Any update on this??

    Today I had a user come to me and say PC is running weird. PDF previews not showing...running slow.....etc.

    So..one thing I always do is run free Malwarebytes. Lo and behold, Malwarebytes found 42 god damn entries about PUP.Optional.Mindspark.Generic, and a few about PUP.Optional.ASK.

    WHY...OH WHY....does SOPHOS NOT find and clean this. WTF are we paying for?? This makes me sick to my stomach.

    What a HUGE waste of Time and Money. HUGE DISAPPOINTMENT. Thousands of dollars spent for NOTHING, there is NO protection here....only frustrations.

    I download Comodo ITSM.....found ALL that SOPHOS COULD NOT. PC clean and happy.

    Final answer. SOPHOS IS JUNK.

  • We had to solve the issue on our own. We had to use other tools such as Kaspersky and Malwarebytes, since they were able to easily cure the machines. Sophos was not able to block it, and not even to identify the issue when scanning.

    The final answer of Sophos Support team was: "As this issue is out of scope at this point in time, I will be archiving this case".

    System memory or fileless malware types are not new, but anyway Sophos thinks it is "out of scope". So we just quit trying to help them improve their own product and solved the issue by ourselves.

  • Aha......well isn't that sad to hear. But I expected that 100% from these liars/scammers.

    So really the ONLY answer here is.....SOPHOS will NOT Protect you, DON'T expect it to.....its only meant to look like it does.....

    You will get emails daily about services missing or not running....PCs will be unprotected for days because they haven't been rebooted to complete the installation...over and over and over again. On and on the nightmare goes.

    The amount of MANUAL intervention that's required, the number and frequency of reboots....the inability to protect us from the very threats we bought this product for is unbelievable.

    This product deserves "TWO THUMBS DOWN" and a Class Action filed against them.

  • Ya, even their support system is crap!

  • Hello DKAO,

    I look after the Malware Escalations team in Sophos Support; I was just made aware of your ongoing issue. Firstly, I want to clarify that we do know what this infection is and we can help you with it. I would have preferred your original Support case to have been escalated to my team instead of being closed; I will look into why this didn't happen.

    The type of attack you have seen is often called "WannaMine"; this is a reference to the crypto mining payload and the vulnerability in Microsoft SMB which is abused by the EternalBlue exploit, made famous by the WannaCry ransomware attacks.

    The use of EternalBlue in these attacks allows the infection of multiple machines on the network; this is the worm component of the attack and it can be blocked by patching the affected machines. Also, the new Active Adversary Mitigations in Intercept X, specifically "Prevent APC violation", block EternalBlue (plus other things).

    Stopping the initial infection is best here, as it gets more complicated after that. The infection will attempt to add entries into the Microsoft WMI database on the target machine. It uses this to achieve persistence (survive a reboot). Once it can add an entry to WMI, it will often add JavaScript or PowerShell commands that will be executed by WMI (WmiPrvSE.exe). If the AV product knows what to look for, it can block these entries being added to the WMI database in the first place, as well as catching anything that is attempted to be executed because of an entry in WMI. However, automatically removing items from the database once they are in is difficult for AV companies (not just Sophos).

    There are two main factors why your issue wasn't resolved when you raised your initial case back in December. Firstly, this method of attack was very new at that point; AV companies were only beginning to see this trick used widely, and understanding how it worked and the best ways to stop it was still being developed. Our protection against this technique is much more resistant now, although we still stress that regular patching of machines is the first step in improving protection.

    For reference, the WMI part of this attack is the clever bit; once they have done that, the next step of installing a crypto miner on the machine, often to mine the currency Monero, is actually fairly standard and could be detected by a number of different layers of security, most commonly a PUA detection on the miner itself.

    Could you let us know what the current state of these machines is and if you are still experiencing any issues with this infection?

    We also published this article on the attack: nakedsecurity.sophos.com/.../
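The persistence PeterM describes lives in three WMI classes under the root\subscription namespace (an event filter, an event consumer, and a binding that ties them together), and WmiPrvSE.exe is the process that runs whatever the consumer holds. The following is an added example, not code from the thread, from Sophos or from the poster, that lists those subscriptions so an admin can review them on a suspect machine. The pattern list used to flag rows is an assumption of this example, and Get-WmiObject is used (rather than Get-CimInstance) because it returns the Filter and Consumer references as plain WMI path strings that are easy to parse; it runs on Windows PowerShell 5.1, which is what the servers in this thread would have had.

```powershell
# Added example (not from the thread): enumerate permanent WMI event subscriptions.
# Read-only by default. Run in an elevated Windows PowerShell session.
function Get-WmiPersistence {
    [CmdletBinding()]
    param(
        # Heuristic: substrings that make a consumer payload worth a closer look.
        # This list is an assumption of the example; adjust it to your environment.
        [string[]]$SuspiciousPatterns = @('powershell', '-enc', '-nop', 'downloadstring',
                                          'activexobject', 'wscript.shell', 'cmd.exe')
    )
    $ns = 'root\subscription'
    # Get-WmiObject returns the Filter/Consumer references as WMI path strings,
    # e.g. __EventFilter.Name="SomeName", which we parse with a regex below.
    $filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
    $consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer
    $bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

    foreach ($b in $bindings) {
        $fName = [regex]::Match($b.Filter,   'Name="([^"]+)"').Groups[1].Value
        $cName = [regex]::Match($b.Consumer, 'Name="([^"]+)"').Groups[1].Value
        $f = $filters   | Where-Object { $_.Name -eq $fName }
        $c = $consumers | Where-Object { $_.Name -eq $cName }

        # CommandLineEventConsumer runs a command line; ActiveScriptEventConsumer runs
        # JScript/VBScript inline. These carry the "JavaScript or PowerShell" PeterM mentions.
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
                   elseif ($c.ScriptText)      { $c.ScriptText }
                   else                         { '' }

        $hit = $SuspiciousPatterns | Where-Object { $payload -match [regex]::Escape($_) }

        [pscustomobject]@{
            FilterName   = $fName
            Query        = $f.Query      # the WQL trigger, e.g. a timer or __InstanceModificationEvent
            ConsumerName = $cName
            ConsumerType = $c.__CLASS
            Payload      = $payload
            Suspicious   = [bool]$hit
        }
    }
}

# Review everything first, then only the flagged rows.
Get-WmiPersistence | Format-List
Get-WmiPersistence | Where-Object Suspicious | Format-List

# Cleanup (only after a row is confirmed malicious): remove the binding first, then the
# filter and consumer it referenced. BAD_FILTER_NAME is a placeholder for a name reported above.
#   Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding |
#       Where-Object { $_.Filter -match 'Name="BAD_FILTER_NAME"' } | Remove-WmiObject
#   Get-WmiObject -Namespace root\subscription -Class __EventFilter |
#       Where-Object { $_.Name -eq 'BAD_FILTER_NAME' } | Remove-WmiObject
```

Legitimate software (some management agents, SCCM) also registers subscriptions here, so treat a flagged row as a lead, not a verdict; compare the query and payload against what the machine is supposed to be running before removing anything, and take note of the parent-less powershell.exe under WmiPrvSE.exe that such a consumer produces when it fires.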

  • Hello PeterM,

    We have resolved the issue by ourselves, as informed previously. What you described is exactly the issue. I understand it can take time to identify and prevent new kinds of threats; there is no magic here. But it can't take the time it took and, above all, Sophos Support kind of ignored the issue on this thread and on my support ticket, leaving us alone. I also understand that maybe this was not the standard support service level and I was unlucky, but that was my very first interaction with support and it was really disappointing.

    We had a very similar issue a few months later, which is on the thread below, where, once again, Sophos Endpoint was not able to handle it and we resolved it by ourselves and tried to contribute somehow to the community:

    https://community.sophos.com/products/endpoint-security-control/f/sophos-enterprise-console/102022/powershell-virus/376632#376632

    All I did was:

    1- identify what kind of traffic was being generated, what ports and IPs, since it is persistent. Used Process Explorer (to see what was consuming resources and the exact scripts), Autoruns (in some cases, could disable WMI initiation, but not completely heal the machine), Process Monitor (to see what the scripts were doing step by step) and Resource Monitor (to easily get the ports/IPs) to get them.
    2- block all this traffic on the firewall and log it to identify which devices were infected. Unfortunately, was not able to identify the source/initial infection.
    3- once the infection was blocked and not crashing the devices, we healed each one with other free AV software such as Kaspersky and Malwarebytes - both of them could heal the machines even 6 months ago, but not Sophos

    Thanks anyway for your concern, and I really hope you can work with your team and improve your product and services so we can always work in a more secure web for everyone, but honestly, that was disappointing and we are already evaluating changing from Sophos to another provider here, since our current agreement is about to expire.
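Steps 1 and 2 above (find the script host burning CPU, record who started it and which IPs it talks to, then turn those IPs into a firewall block-and-log rule) can be done in one script instead of clicking through Process Explorer and Resource Monitor on each host. The block below is an added example, not the poster's own tooling and not from Sophos; the list of script-host process names, the CPU threshold and the assumption that the peers worth blocking are non-RFC1918 addresses are choices of this example. It uses Get-NetTCPConnection, so it needs Windows 8 / Server 2012 or later and an elevated session.

```powershell
# Added example (not from the thread): per-host triage of script interpreters.
# For each script host report CPU time, parent process, command line and the
# established TCP peers, then derive a unique remote-IP list for a firewall rule.
function Get-ScriptHostTriage {
    param(
        # Process names to inspect; WmiPrvSE.exe itself is included because WMI-launched
        # scripts either run inside it or have it as their parent.
        [string[]]$HostNames = @('powershell.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'WmiPrvSE.exe'),
        # Ignore short-lived, idle interpreters below this much accumulated CPU time.
        [double]$MinCpuSeconds = 0
    )
    $all = Get-CimInstance -ClassName Win32_Process
    foreach ($p in ($all | Where-Object { $HostNames -contains $_.Name })) {
        $live = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
        if (-not $live -or $live.CPU -lt $MinCpuSeconds) { continue }
        $parent = $all | Where-Object { $_.ProcessId -eq $p.ParentProcessId }
        $peers  = Get-NetTCPConnection -OwningProcess $p.ProcessId -State Established -ErrorAction SilentlyContinue
        [pscustomobject]@{
            PID         = $p.ProcessId
            Name        = $p.Name
            CpuSeconds  = [math]::Round($live.CPU, 1)
            # A parent of WmiPrvSE.exe is the tell-tale of a WMI event consumer launching it.
            Parent      = if ($parent) { $parent.Name } else { '(exited)' }
            CommandLine = $p.CommandLine
            RemoteIPs   = @($peers | Select-Object -ExpandProperty RemoteAddress)
            RemotePeers = ($peers | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }) -join ', '
        }
    }
}

# Anything that has already burned a minute of CPU is worth a look on the machines described here.
$triage = Get-ScriptHostTriage -MinCpuSeconds 60
$triage | Format-List

# Unique external peers from those processes. Dropping loopback/RFC1918 is an assumption of
# this example (internal peers are more likely the SMB spread than the command server).
$blockList = $triage |
    ForEach-Object { $_.RemoteIPs } |
    Where-Object { $_ -and $_ -notmatch '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1$|fe80:)' } |
    Sort-Object -Unique
$blockList

# Host-level outbound block for the same addresses, so a re-infected machine cannot reach them
# while the perimeter rule and its logging identify the other infected devices (step 2).
if ($blockList) {
    New-NetFirewallRule -DisplayName 'Triage: block script-host peers' -Direction Outbound `
        -RemoteAddress $blockList -Action Block -Profile Any | Out-Null
}
```

Keep the `$triage` output (command line and parent) alongside the firewall logs: the command line is what lets you recognise the same consumer payload on the next machine, and a powershell.exe whose parent is WmiPrvSE.exe is exactly the symptom that Autoruns alone, as the poster found, can disable but not fully clean.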

  • Update to all my Sophos WOES that I have mentioned in many previous posts about this product.

    I am happy to report ALL my Sophos errors have disappeared. Not one single failure. Nor am I seeing 80000 calls to Sophos universe through my firewall.

    Here's how I solved it:

    I (F swear word here)  UNINSTALLED EVERY (F swear word here) SOPHOS ENDPOINT IN MY ENVIRONMENT. PURGED THIS (F swear word here) *** AS FAST AS I COULD INTO NEVER NEVER LAND WHERE IT BELONGS.

    Installed Malwarebytes Enterprise.

    And guess what, Malwarebytes kindly reported ALL the *** Sophos is (F swear word here) useless at.

    MALWARE: 383 DETECTIONS FOUND

    QUARANTINED ANOTHER 194 RECORDS.

    I swear to god Sophos has no idea what malware is. They have heard of it...but have no idea how to deal with it. USELESS.

    I strongly encourage each and every user of this so-called software to run another vendor's free product and find out just how exposed you really are.

    I feel for each and every Admin that has had to deal with babysitting this catastrophe!!

    Even their uninstall is a disaster. After Tamper Protection is turned off....Sophos would not uninstall until the PC was rebooted. Once rebooted, attempted uninstall again. NOPE, another frigging reboot. Holy mother of christ. HUGE...HUGE WASTE OF TIME AND EFFORT.

    Good luck.....good bye. I hope I never hear the Sophos name again in my lifetime.

    THIS IS the happiest frigging day of my life.