Malware Conhost.exe Windows 2008 R2 SP1

[davidd]

My problem is identical to the one reported in https://forums.malwarebytes.com/topic/237542-malware-conhostexe-windows-2008-r2-sp1/

The following items will be removed, and reappear after a reboot:

* Task scheduler items (Mysa* etc.)

* c:\windows\temp\conhost.exe

* stuff in C:\windows\debug

* reset of the primary DNS record of the network

* network services disabled

and who knows what else

The output of FRST64.exe is attached.  Note the following:

FRST.txt:HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local: [ActivePolicy] SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{d1fdaa9a-d087-4b06-8225-4d0f7c8f299a} <==== ATTENTION (Restriction - IP)
Addition.txt:WMI:subscription\__FilterToConsumerBinding->CommandLineEventConsumer.Name=\"*****youmm4\"",Filter="__EventFilter.Name=\"*****youmm3\": <==== ATTENTION
Addition.txt:WMI:subscription\__TimerInstruction->*****youmm2_itimer: <==== ATTENTION
Addition.txt:WMI:subscription\__IntervalTimerInstruction->*****youmm2_itimer: <==== ATTENTION
Addition.txt:WMI:subscription\__EventFilter->*****youmm3: <==== ATTENTION
Addition.txt:WMI:subscription\CommandLineEventConsumer->*****youmm4: <==== ATTENTION
Addition.txt:ATTENTION: System Restore is disabled

please help.  I _really_ don't want to reinstall this server.

 

FRST.txt

Addition.txt

[LDTate]

Hello  and

Malwarebytes (MBAM) Consumer isn't really designed to run on a server.

I would suggest our Business Client: https://www.malwarebytes.com/business/

Either contact Sales or Request a Trial

 

[davidd]

It would be a much easier sell to management if I knew this one was on your radar.  Just responding with "BUY OUR STUFF" isn't very helpful.

Yesterday I broke down and did a reinstall.  Guess what: it survived the reinstall.  This is getting annoying.

[LDTate]

Is there a chance the router is causing the infection?

Reset the router and make sure the default password is changed on the router.

If you want to run a new FRST scan and attach the logs. I'll have a look.

[davidd]

35 minutes ago, LDTate said:

Reset the router and make sure the default password is changed on the router.

 

This machine is in a data center.  I've been on with their tech support.  We're on the 2nd reinstall of windows on this machine.  My suspicion is that TeamViewer 14 is vulnerable and is the vector through which the virus is being installed.  But that is just a hunch.  That's the only thing other than IIS that has any open ports on the box.  

[davidd]

For the sake of searches, the only other information on the internet with similar signatures I can find is on one russian website: https://virusinfo.info/showthread.php?t=221283 . 

5 tasks show up in the Task Scheduler immediately after a fresh windows install + Team Viewer:

• mysa{,1,2,3}
• a task named "ok"

If you examine them, they include binary data run in powershell, which does a bunch of nasty stuff.  Once you see these things, the server appears to be toast.

[AdvancedSetup]

Hello @davidd and

Give me a few and I'll review your logs and get back with you. On another note, very curious why someone would be using a Server to browse the web and install Chrome on it. I've managed hundreds of servers in my career and have never allowed users to logon and use a server like a desktop.

 

 

 

[AdvancedSetup]

Your Event Logs show that your controller board needs a battery replaced

Error: (01/07/2019 06:19:57 PM) (Source: Server Administrator) (EventID: 2169) (User: )
Description: The controller battery needs to be replaced.:  Battery 0 Controller 0

Nothing wrong with it as long as you're aware and you're the one that set it up but you have an IPSEC policy in place according to the logs.

 

 

[AdvancedSetup]

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks

Ron

 

[davidd]

>  I've managed hundreds of servers in my career and have never allowed users to logon and use a server like a desktop.

This is a web & database server.  I'm not sure what gave you that impression.  I have RDP access to maintain it.

I'll have a look at the fix you sent.  Thank you for your time.

[AdvancedSetup]

Google Chrome on a Windows Server is rare, that's all. Hosting website does not require browsing them on the server. Getting this type of infection can come via a browser, via email, and via RDP. 

I would highly recommend you review all security settings for RDP as there are remote attacks for that assuming you're very certain the infection did not come from browsing the web or using a mail client on the server.

 

How to protect your RDP access from ransomware attacks
https://blog.malwarebytes.com/security-world/business-security-world/2018/08/protect-rdp-access-ransomware-attacks/

Securing Remote Desktop (RDP) for System Administrators
https://security.berkeley.edu/resources/best-practices-how-articles/system-application-security/securing-remote-desktop-rdp-system

Protect Remote Desktop credentials with Windows Defender Remote Credential Guard
https://docs.microsoft.com/en-us/windows/security/identity-protection/remote-credential-guard

Are My RDP Connections Really Secured by a Certificate?
https://blogs.technet.microsoft.com/askpfeplat/2018/05/28/are-my-rdp-connections-really-secured-by-a-certificate/

Don’t Become a Ransomware Target – Secure Your RDP Access Responsibly
https://securityboulevard.com/2019/01/dont-become-a-ransomware-target/

Securing RDP with IPSec
https://blogs.technet.microsoft.com/askpfeplat/2017/07/24/securing-rdp-with-ipsec/

Oregon FBI Tech Tuesday: Building a Digital Defense Against Remote Desktop Protocol Threats
https://www.fbi.gov/contact-us/field-offices/portland/news/press-releases/oregon-fbi-tech-tuesday-building-a-digital-defense-against-remote-desktop-protocol-threats

 

 

 

[davidd]

Thank you for your help with this.  I ran the FRST64 tool with the text file, and rebooted.  All the problems immediately returned.

I'm afraid this one is beyond our power.  The server is toast. 

[AdvancedSetup]

Well, it's up to you. We can still look at fixing it but if you have the data backed up it would be better to do a Server Restore

Let me know what you'd like to do

Ron

 

[AdvancedSetup]

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks