slammed with vundo /av2009 2x in one week

Hello All,

Dont recall the sites, but my machine has been hosed to the point where i had to reimage twice in one week.

Running ESET 3.0.672.0 on windows xp sp3 with latest sigs.

Dont recall the pages I was surfing, but both times I received a red ESET popup box about an infected file in my local temp folder, but by that time it was too late and the machine was zombied and I had popups galore. ESET was ineffective at removing or cleaning the files, so I downloaded malwarebytes and that seemed to do the trick.

My machine still didnt seem quite right, so I reimaged and reinstalled apps. Wouldnt you know it, in the same afternoon I received the same red ESET popup about an infected file and i assumed it was too late--I was right. ESET did nothing to stop the malware from taking over the machine, disabling system restores and hosing the box.

Screwed up both firefox and IE7...

I have quite a few machines out there running ESET with incurable malware according to the repetitive alerts and system scans on my RA console....I know there is no single magic bullet AV/antimalware software. Not trying to flame here, but what gives?


thnx in advance

 

It sounds more like you're not up-to-date with your latest patches to me. Make sure you have the latest windows updates and do a scan with PSI to check for any exploits in other software: http://secunia.com/vulnerability_scanning/personal/

 

Also run more then 1 anti malware app in realtime such as av + as or av + am or av + as + am

 

Thanks for replies all. We are running in a business environment. I am trying to preserve system resources while also trying to standardize on security software on all machines. I'd prefer to not have to run multple scanners...if I have to, I will, but I was given the impression by the sales guys that ESET would keep out and or cure the malware on its own...I did test against Sophos and a few others and it seemed best overall.

Of course, while testing, I spent 2 days just trying to purposefully infect my @%!@$ vmware machines to no avail other than some wimpy malware which was easily removable...

Wondering if others are running other scanners in 400+ node environments in combination with ESET?

thnx!

 

The PSI doesn't run in real time. It's a simple on-demand scan that you should perform.

 

We are also running the corporate version with Remote Administrator. All of our virus signatures are up to date on all of our machines, and we also had two machines get infected with virtumonde last week. In the process of trying to remove virtumonde, a trojan that apparently was also downloaded was activated by the removal routine - again on both machines. the only recourse was to re-image both machines. I think it's sad that the best advice anyone can offer is to run multiple anti-malware applications. ESET purports that its product prevents all types of malware from infecting your computers. Until now, I've been very high on this product, but I'm beginning to have some serious doubts.

 

Everyone thinks their AV is a miracle drug until they get infected, personally I still only use NOD32 in real-time. Why? I keep my system up-to-date.

The patching methods of businesses sickens me, keeping your network up-to-date is a basic must, the conflicker worm proves my point at how so many businesses are still unpatched.

 

Thanks Elapsed. I came up with a 98% (we are on an older version of lotus notes...)

We run WSUS here, so I did have all latest Microsoft patches when my machine was hosed...

I agree with realitybytez...I am starting to get hammered by my CIO why this software that we just signed up for two years subscription on 500 machines is not protecting our pc's...

 

FYI - My Daughter's computer was infected with vundo in system 32 files. She was running a Comodo AV beta which was useless. I uninstalled that and installed Avast! AV which immediately went into a boot scan finding 77 instances of the vundo trojan and put them in quarantine. Still there were more vundo in her daughter's computer accounts, and I logged on to each and used Malwarebytes to quarantine the remainder of vundo. Now all these infections which were in her system 32 files are quarantined and the computer operates OK. My problem is I can't delete those infected files because they are system files that are still infected.

 

Hi, this needs to be done on every machine in the network. If even 1 machine is unpatched it can spread infections quite easily to patched systems. You don't just "get an infection" like that without the use of an exploit in software or a foolish user. As you said you re-imaged and got re-infected.

 

Not sure if you know what WSUS is but it basically PUSHES updates to ALL domain computers that have the product installed that needs updating. It also shows you a report on which PC's need an update or ones that failed to install. If he says he was fully up-to-date with WSUS then I'm pretty sure he was talking about his companys Domain Computers as a whole.

I fully agree however that vundo/av2009 could use a good once over by eset. IMHO this thing is out of control! I get calls at least 2x-3x a week about someone being infected with this (personal calls, not company calls). Each time Ive gotten a call I've attempted to use eset beta 4 to remove (which seems to clean it) however after a reboot its back. The only way I have been able to complete destroy this thing permanently was to run superantispyware after the est scan.

It appears that while est removes the files from the system, it leave the registry remnants from the infection.

I run the company IT Department with about 800+ employees company wide. We have just purchased eset business and have it installed on a trial 200 pcs while the rest are still being protected by symantec endpoint 11. One of the big reasons we went to ESET was the small footprint compared to Symantec, also the fact that on 40% of the replacement installs ESET found malicious code that symantec obviously didn't.

I would LOVE to see ESET do a better job with registry scanning and Malware protection, (possibly buy an existing Malware company such as SuperAntiSpyware). To me I think software firewalls are a joke and more of a nuisance that a positive. Who, in this day and age are not behind some sort of Hardware firewall...why would you go out in the rain with 2 umbrellas? Instead of pushing the "Security Suite", I'd love to see them concentrate on a whole Malware/AV package.

Once again this is all just MHO and I know some will disagree with the software firewall comment, however would you rather have a robber get in your house and you shoot him with a gun or would you rather have better locks on the door. Software firewalls still let them hit your PC, whereas a hardware firewall solution kills the connection before it gets to you.

Anywho,

-nos

 

Yeppers...as Nos stated, WSUS centralizes microsoft updates and pushes to machines within active directory--I was up to date both times. FWIW, I am the network admin here responsible for 600+ nodes around the globe. Some of our other sites are running different AV products.


Nos, it's funny you mentioned that you were replacing Symantec as it just won Network World's clear choice award (or whatever they call it); since I am having buyer's remorse here, I am pondering other products and was wondering how the Symantec solution performed as it is one I did not test.

We just obtained NOD32 business edition in November 08 after some lengthy research and trying out a bunch of other AV products. We also chose it for small footprint and apparent effectiveness. Unfortunately, it still seems that there is still a divide between the spyware products and the traditional antivirus products.

As I have started rolling out to more of my remote users, I am unfortunately seeing more incurable malware threats show up in my central RA console. The alerts cycle over and over on the same machines because NOD32 cannot remove the entire malware; it only quarantines the files that respawn.

I can't see the logic in buying multiple scanner softwares for hundreds of machines from a cost, performance, and administrative perspective. Are there other admins out there running separate realtime antimalware alongside ESET on this many machines? Perhaps I simply read too deeply into the "spyware and malware protection" feature of NOD32? Is Elvis really dead?

I'm not looking for a solution that nails EVERYTHING (as one does not exist), but I had hoped and thought ESET would do a better cleanup job on the malware stuff...

blah blah...hopefully other admins can pipe in, as well. Maybe it's time for me to try out the v4 beta and complain directly to ESET

thnx all for the replies.

 

Chompy, Nostic, I too think ESET are lacklustre about these infiltrations that don't seem to be subsiding much. I too look after a number of sites (nowhere near as many machines - but all are equally as important) mostly having ESET over many years because I recommended it for the same reasons you did, and yet odd machines are still getting picked off by these infiltrations. Other posters to this forum have had and will seem to continue having the same valid gripes. What's the use in ESET signatures identifying an infected file straight after it's gotten thru the real-time protection and is resident on the hard drive? Classic case of closing the barn door after the horse has bolted. If the signatures are smart enough to identify an infected file then I'd like the product to also eradicate the resultant files AND the initiating files. But my best preference is for it to detect the web activity/interaction that leads to these infiltrations and block it right there. Prevention IS better than the cure (read repair).

 

its not just eset that has these problems.
had a machine in out#r workshop yesterday, the customer uses nod32 v3. and was complaining of strange behaviour.

a scann of nod32 on highest settings found nothing (defs 3776)
but looking in his system 32 folder, i sorted it by date modifed, and there was 60-70 oddly named .dlls & 3 .exe's that i didnt recognise.

so i submitted them to eset, and kept a copy. I then uploaded them to http://virusscan.jotti.org/

most vendors had said they were clean, but a-squared & sophos flagged them.

i then ran superantispyware, which detected 400 bad registry/file/memory items, including many different rootkits/trojans/worms.

superantispyware thankfully cleaned up most of the junk, then manually removed the rest with autoruns.

being a nod32 user myself, and being the person who recomended this to him, i am a bit shocked as to how much nod missed.

 

Vundo are constantly being modified and are a problem for many vendors as has been noted here many times before by people who know a lot more about the subject than I would ever expect to know.

 

I hate to compare it so weakly but it is a matter of cat and mouse, and the mouse cannot run forever. As the technology the writers uses evolve so will the technology the AV's use. (I'm referring to heuristics here, because signatures are never going to beat something like vundo)

As for "where to go from here", I don't think switching AV's is going to help, and SAS/MBAB's real-time protection is paid for... It's just a real shame v4 isn't gold yet, as it has proven superior to cleaning such a mess.

 

I believe that was for the NAC (Network Access Control) thats built into Endpoint Protection, which, we didn't/don't even use. From my post above you can see what I think about software firewalls/NAC's. Endpoint Protection is a whole security suite however what we need/use is the AV/antimalware side of it which I have been happy so far with the tests with ESET.

If your company would use the security settings of Symantec then I would recommend looking into it a bit further, however if your just looking for AV/Malware then meh...not impressed.

*side note*
on about 40% of our installs of SEP(symantec endpoint protection) they BLOATED up to 1.3GB in size. WTF!?!?

And no we weren't logging everything or the machines weren't infected by a ton/anything, just happens to endpoint I guess. There are tons of posts on their forums complaining about it.


anywho.

-nos

 

The trojan behind XPAntivirus2009, XPAntivirus2008, Defender 2009, Defender 2008, Antivirus360, Search and Destroy 5.20, etc etc blah blah..all those Rogue Antivirus products....the trojan behind it gets new variants released each day. Several new variants each day.

So the XPAntivirus2009 that someone catches in the morning..and you clean up...chances are someone else will catch a different variant of XPAntivirus2009 several hours later...with a morphed new trojan variant (Vundo/ZLob).

This trojan often comes in with the end users permission, doesn't matter how up to date your Microsoft updates is from WSUS.

I've had pretty good luck with NOD32 stopping "most" of the trojan install, versus other antivirus brands at other clients. If you go visit other antivirus forums...such as the other top notch antivirus...Kaspersky...you'll find people there getting whumped by this trojan too. It's very aggressive, with new variants come out every several hours..to stay ahead of the AV products.

I've had good luck keeping infections low at my clients by replacing their NAT routers with UTM appliances..that run a different brand of antivirus product..at the gateway level. Internet traffic (http too) gets scanned at the router..by a different brand AV, so you an added layer of protection that does NOT slow down the PCs.

Got a spare PC? Check out www.untangle.com

 

I will 2nd that Untangle recommendation...

 

LOL!!! That was precisely why I never even bothered looking at it....way too invasive and bloatware is one of my pet peeves in life

Man! Looks very cool....will have to investigate further!

 

No one product is going to stop everything. I've only had one computer in 200 get this virus and that was several months ago when it first appeared. In a corporate environment you HAVE to run a multi layered approach.

We use Securence to scan all our incoming email and use Sonicwall firewalls at all locations with Content Filtering which prevents users from going places they shouldn't, Gateway AV, Intrusion Prevention and Anti-spyware. NOD on all pc's and servers. Windows firewall enabled on all machines. WSUS for windows updates.

With this combination NOD has done the job for us finding and stopping anything that manages to slip through. Sometimes folks bring their personal pc's in which are affected and some of the anti-malware products mentioned have cleaned it up. Malwarebytes and Superantispyware seem to work best.

One other thing, keep flash player up to date and remove old versions.

 

Agreed...we do run a multilayered approach and I know one solution won't do it all as I mentioned above...we use a scanner on all emails, web filtering, wsus, windows firewalls, etc. which is why I was in utter disbelief I got nailed.

Of course, as a network admin, it was a bit embarassing, as well Just wishing it would do a better cleanup job since it detected a portion of the worm as the payload was unfolding and I would have hoped the heuristic capabilities would have prevented further damage...

One thing I did not do was change default NOD32 realtime/scanning settings as I noticed numerous issues with cpu usage with 'advanced heuristics' in other posts. I now have turned on advanced heuristics...has anyone had differing experiences with advanced heuristics turned on or off?

Just worried about pegging cpu's, but I suppose that's better than spyware...

thnx!

 

I didn't mention I enable detection of both unwanted and unsafe applications in NOD on all systems. With version 3 I originally enabled advanced heuristics on realtime scanning but later disabled it because I noticed some impact on response times on network drives with slower, older servers. However advanced heuristics is enabled on all other options.

This is a tough one for all anti-malware makers to keep up with. Overall I'm still pretty happy with NOD but every once in a while it takes more than one program to clean a computer and that's pretty much the norm.