Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Generic User Avatar

Trickbot issue on production network.


  • Please log in to reply
26 replies to this topic

#16 yellowdemon

yellowdemon

  •  Avatar image
  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:30 PM

Posted 11 May 2018 - 01:32 PM

Currently using Palo Alto firewalls.  Can you block access at your router then?



BC AdBot (Login to Remove)

 


#17 jasongalliuk

jasongalliuk

  •  Avatar image
  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:05:30 AM

Posted 11 May 2018 - 01:38 PM

Ive looked on the routers and they dont appear to have the option to block IPs only domains, they are only basic Netgear routers, the only trouble since we arent very big weve not had the need for any enterprise equipment so struggling a bit now :-(

#18 garethp1

garethp1
  • Topic Starter

  •  Avatar image
  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:30 PM

Posted 11 May 2018 - 01:56 PM

Ive looked on the routers and they dont appear to have the option to block IPs only domains, they are only basic Netgear routers, the only trouble since we arent very big weve not had the need for any enterprise equipment so struggling a bit now :-(

 

Have you considered swapping your consumer grade Netgear router for something a little more powerful, offering you some customization to your firewall rules?  Even a small Ubiquiti Edgerouter will offer custom firewall settings and they are still under $100. 

 

I think it's safe to say now that since blocking the IPs we discussed earlier and extensively cleaning my machines/servers, I haven't seen the infection popping up any more.  Since we determined it was only spreading between domain connected PCs, I shut every machine listed in AD down and made sure they were clean 1-by-1.  Symantec Endpoint did clean the malware and appears to be preventing re-infection.



#19 jasongalliuk

jasongalliuk

  •  Avatar image
  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:05:30 AM

Posted 11 May 2018 - 02:02 PM

I think its something we are definitely going to have to do, Ill get some new routers in next week and block those IPs and perhaps purchase endpoint protection for the server for the servers at least to clean them out, the pcs seem to be clean now, especially after turning off file and print sharing and network discovery, that seems to have helped so far, just the servers I need to tackle for the moment, thank you, I hope I get this sorted soon, although it is on the servers it doesnt seem to be effecting anything or stopping us from doing anything just more that it is there and needs to be gone now

#20 yellowdemon

yellowdemon

  •  Avatar image
  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:30 PM

Posted 11 May 2018 - 02:08 PM

I don't know how many machines you have, but one thing that may be simple, is to create you a hosts file to block these IP addresses, then add the hosts file into every computer.  Use it like a block/redirect.

 

https://helpdeskgeek.com/how-to/block-websites-using-hosts-file/



#21 jasongalliuk

jasongalliuk

  •  Avatar image
  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:05:30 AM

Posted 11 May 2018 - 02:14 PM

You know thats a really good idea, just might be worth a shot for a quick short term solution, weve got 42 computers, so could take a little while but shouldnt be too bad to implement, thank you so much, I really appreciate all your advise on this, think sometimes I lot of stuff can easily be overlooked when your so worm out trying everything but lol

#22 yellowdemon

yellowdemon

  •  Avatar image
  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:30 PM

Posted 11 May 2018 - 02:20 PM

Glad to help, and hopefully it will actually help.  I would create the file and ping one of the bad IP addresses, and possibly run a tracert to that IP.  Create your Hosts file with all the bad IP's resolving to wherever or to an IP that's 127.0.0.1 (localhost) and then run a tracert again to that same IP and make sure it is now being redirected.  If it is still going through the same hops then it isn't working as intended.  At that point, copy that file to the other machines, preferably through \\ComputerName\c$\WINDOWS\system32\drivers\etc.  From there you could psexec (if installed) into it and see if it works.  Trying to save you some leg work and possibly give you some peace of mind until you can possibly get in a better solution.



#23 jasongalliuk

jasongalliuk

  •  Avatar image
  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:05:30 AM

Posted 11 May 2018 - 02:26 PM

Ill give it a try thank you so much! Hopefully the host file will allow it because I think I may have tried something similar before and DNS didnt allow the entry of the IP I wanted to redirect pointing to the local host

#24 yellowdemon

yellowdemon

  •  Avatar image
  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:30 PM

Posted 14 May 2018 - 02:48 PM

FYI:  Running reports today I found a new folder name by the virus:  \AppData\Roaming\wsxmail with the same tttvc.exe file.



#25 jasongalliuk

jasongalliuk

  •  Avatar image
  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:05:30 AM

Posted 14 May 2018 - 03:53 PM

Hi there, ah yes I found that folder when it all first come about but it was empty as Malwarebytes detected the files within and quaretined them, did you notice the modified date? Was it a recent entry or an old one? What I did was ran a search on the entire c: drive for most recent changed files and deleted all of the obvious files and folders!

Malwarebytes has finally managed to deleted all the crap and registry files and folders, day two now and completely clean, fingers crossed. Also checked all outbound connections and not one machine on the network is even trying to connect to any of those dodgy IP addresses!

#26 yourbuddypj

yourbuddypj

  •  Avatar image
  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:30 PM

Posted 13 June 2018 - 06:37 PM

For those of you who are getting re-infected: local accounts on your domain members. Check em. Secure em.

 

I've been tracking this thing on a customer's network for a little over a week now; looks like infection date was mid May.  We are seeing all the inject.dll ( and associated files ) and the stcsvc.exe executable and also scheduled task creation which duplicates all the command files into %APPDATA% upon user login.   A combination of ESET and MBytes seems to work well in cleaning it, but I'm still suspicious about what my svchost processes are trying to talk to ( use WFC and a good firewall to indulge this paranoia ). Sorry this is some sloppy shorthand but you probably know what I mean. Now for the meat: 

 

If you're getting re-infected, check 2 things off your list as well:

 

1.     If you've ever used the ole password reset trick where you replace utilman.exe with cmd.exe; FIX IT NOW.  Even on  server 2008R2 machines with NTLM authentication only, once this bug is on your LAN it will find this hole and stretch it to maximum. 

 

2.     Notice that if you run an windows domain, all your domain member servers still have local accounts on them, and those accounts are vulnerable Realize that default Microsoft GPO does not give you a way to  centrally enable lockout policy on the local accounts. Find a way to lock those down. I suggest changing local account names to nonstandard names AND setting a lockout policy for local accounts.  If you're only dealing with a few servers, you might as well do this by hand. If you're dealing with many more, look for a way to do it via PowerShell or custom GPO.

 

Hope my two cents helps somebody. Thanks for posting about your various experiences. I thought I was crazy when I saw this thing. Had never heard of it before a couple of weeks ago. 

 

PJ

 

 

 



#27 sysmatt

sysmatt

  •  Avatar image
  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:30 AM

Posted 15 June 2018 - 01:48 PM

I'm uploading a copy of what I believe is an example of this infection ... 
 

 

See the submission portal.

 

 

Thanks!






1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users