rambling 04.04.20 01:26 am

The virus (backdoor) DoublePulsar and miner (WINSec.exe/msiexev.exe)

First, the important information I found after a detailed study of the problem. The miner is just a symptom. It gets into a computer through the DOUBLEPULSAR backdoor. DOUBLEPULSAR appeared online on 12 April 2017, when hacking utilities used by the National Security Agency of the United States were leaked onto the network. All and sundry immediately got their hands on these utilities, and by the 15th of April there were 1,951,075 servers infected with the DOUBLEPULSAR backdoor. The miner discussed in this thread uses this backdoor. But anything may appear on the computer through the backdoor, so I am waiting for further developments.
In my case the virus survived formatting the hard disk, deleting the hard disk partitions, re-flashing the BIOS and the router, formatting the flash drive with Windows, and trying to install Windows from another image: all to no avail. Still, 2 weeks later, no one has found the source of this backdoor's appearance in the computer. So if you have the miner described in this thread, more than likely a backdoor has appeared through which the miner is downloaded.

At the moment there is only one solution: urgently update Windows to the latest updates and close port 445. Microsoft wrote that a recent update removed the ETERNALBLUE exploit used by this backdoor. It knocks on the backdoor via port 445.

And please note: the files of the latest version of the downloaded miner are marked as system files. So to see them, don't forget to enable viewing of system files in Folder Options.

Here is a link to one of the sources I used:
http://www.theregister.co.uk/2017/04/21/windows_hacked_nsa_shadow_brokers/
There is no Russian version, but I gave all the important info above.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Here you can check whether you are infected with the backdoor:
www.binaryedge.io/doublepulsar.html
(thanks to Embrace Futility)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

So far it is not known whether this (originally server-side) thing spreads through the servers of Internet service providers or simply roams the network in search of victims.

----------------------------

The situation is this: if I leave the computer for... well, let's say 10 minutes, the CPU load (Core i5 3570 @4.2 GHz) goes up to 90% on all cores. But as soon as I open Task Manager or Process Explorer, the load magically drops to zero (the miner notices and stops?).

The computer spontaneously rebooted when I had been away for about 30 minutes. There is no overheating, for sure. Even when the load is around 90% (the temperature rises up to 65, but actual overheating is still very far away).

And I just noticed that the open (minimized) Task Manager suddenly closed by itself.

--------------

The bottom line: yes, I think by all indications it is a very clever miner. But here's the problem: I formatted just yesterday. The problem was there before that and is there after. And I have installed neither software, nor games, nor updates for a month. And I downloaded nothing new. So how it could have got in is unclear.

Have any suggestions on catching this miracle?

UPDATE:
I have now found this:

C:\Windows\Security\WINSec.exe

It is eating 70-75% of the CPU. I have never seen it before in my life. I will Google it now. But I suspect it is the cause.

UPDATE 2:
VirusTotal scan of the file:

https://www.virustotal.com/en/file/450cb5593d2431d00455cabfecc4d28d42585789d84c25d25cdc5505189b4f9f/analysis/1493461158/

PS If anyone can find clear info on this rainbow, I'd appreciate it. Google has only some vague bits and pieces.
236 Comments
VRealeyuzal[8bit] 04.04.20

Does the virus work on Linux?

Embrace Futility 04.04.20

And now, you guys all go here and check:
https://www.binaryedge.io/doublepulsar.html
I've won the lottery (only 3,500 infected computers in Russia).
I had the same story with the miner, and even a dozen viruses downloaded every few days, plus attempts to redirect to shady sites, if you believe the antivirus. A few days ago I wiped everything and installed 10; so far, so good.

rambling 04.04.20

Embrace The Futility

If this is a real site and not some crap, then I have...

Is Doublepulsar on your IP?
128.72.237.78
Is it infected? true
Port: 445
Last Detected: 2017-04-26T14:30:02.118000

As I understand it, this means that the backdoor is sitting on a server at my Beeline, and it came to me from above?
And... 26th of April. Exactly the day when I got the miner. And not only me, but many.

So the paranoid in me turned out to be right in the end? Ahah, unbelievable!


Since, judging by this info, the providers' servers are infected, the right solution for you (on Windows) is to update up to April 2017, because in March 2017 Microsoft closed the EternalBlue exploit used by the DoublePulsar backdoor. Actually, I already wrote this in the first post. But I consider it necessary to repeat it.

The update does not work for Windows XP. For everything above it, yes. XP may still be infected.

Embrace The Futility

Thank you for the info, it was very useful. At first I doubted the authenticity of the site, because it is sparse and has little information, but after digging through the blogs and the like, it looks reliable.

Embrace Futility 04.04.20

rambling wrote:
If this is a real site and not some crap, then I have...
Quite real; in their blog you can read about the virus in detail, including statistics about infections.
rambling wrote:
As I understand it, this means that the backdoor is sitting on a server at my Beeline, and it came to me from above?
Unlikely on a Beeline server; it's just bots crawling the Internet and knocking on ports. I haven't heard before of providers having such a mess that backdoors were sitting on a server. Most likely, their servers are all on Linux.

rambling 04.04.20

Embrace The Futility

The info on DoublePulsar suggests that it is precisely a server backdoor. Dozens of posts that I dug up from DoublePulsar sufferers literally all mention that what got infected was server hardware. So it is too early to rule that out.

By the way, their servers were infected by exactly the same miner as mine: it was even disguised as the same service, and the miner's files had the same names.

Profiction 04.04.20

New asklaila arrived
Spoiler
https://arstechnica.co.uk/information-technology/2017/05/windows-defender-nscript-remote-vulnerability/

rambling 04.04.20

Profiction

Ahah, so Windows Defender, by opening a file to scan it, literally opens Pandora's box? Ay Malaca. How good that I have it disabled.

Understand? Either update immediately or disable Windows Defender. It serves as a catalyst for the execution of malicious code on your machine.

Embrace Futility 04.04.20

rambling
Incidentally, I have found something here
https://www.renditioninfosec.com/2017/04/observations-from-the-latest-doublepulsar-scans/

Updated tools have been available for a few days allowing the removal of the implants DOUBLEPULSAR remotely by anyone who chooses to do so. The safety of these tools has not been evaluated. Based on our own honeypot data, it seems unlikely to make a difference. A vulnerable host on the Internet would likely be reinfected in under an hour.

That explains why no reinstall helped: reinfection is very fast.

rambling 04.04.20

Embrace the Futility wrote:
That explains why no reinstall helped: reinfection is very fast.
Reinstalling, formatting, deleting partitions, flashing the router, flashing the BIOS, formatting the flash drive with Windows: none of it helped. But when I tried installing from another Windows image, the virus did not appear. The image was old, an original W7SP1. But I haven't tested it for long. I came to the conclusion that the virus was in my image, despite the fact that I had used it and formatted with it for a year without problems.

I also checked all my files and drivers. And in general the virus appeared for me on a clean system without any installed programs or connected external drives.

I in addition to serfs. the city already can't be blamed. I reflashed the router firmware. I did not go on the Internet.

falsepilot 04.04.20

Greetings, colleagues!
Below is my story and a description of the procedures that contributed to the recovery. I want to warn you that I'm not a system administrator.
So, given: a SuperMicro SYS-5017R-MTF 1×350W server, INTEL Xeon E5-2630 v2 2.6 GHz, 96 Gb RAM, SSD 2x256 Gb, SATA 1Tb + 2Tb, WinServ 2008 R2 Ent.Ed. Hosted in a Dutch data center, port 3389 was open, no antivirus software, the firewall enabled, OS updates not installed since November 2016.

On the morning of 02.05.2017, the process LMS.exe was spotted loading the CPU at no less than 100%; the path to the image was %WINDOWS%\Fonts. About 30 seconds after the process was forcibly terminated, it started again. Manually removing the file made it impossible to connect via RDP ("setting session options" and silence). A reboot gave no results. The IPMI connection allowed me to inspect the server. It revealed the following: files in the root of C: with suspicious creation dates (the name is an arbitrary string of characters, no extension); executable files and log files in %WINDOWS%\Temp (something like s015.exe and s1as.log); the files %WINDOWS%\Prefet\secscan.exe and %WINDOWS%\security\WINsec.exe, and files in %WINDOWS%\AppPatch; new rules in IPsec (port 445 open to any connections from the following pool of addresses); a cloud of references to secscan.exe in the registry; and a loader for a batch file (.bat) in the Task Scheduler called Mysa. From the logs found in %WINDOWS%\Temp, it became clear that we were dealing with a miner.

I then took the following actions, in order:

1. Downloaded and ran KVRT.exe; it found about 18 infected objects
2. Manually cleaned the registry, the scheduler, and all of the above files
3. Changed the default RDP port
4. Installed all the OS updates
5. Deployed and configured Kaspersky Security 10 for file servers (until the IPsec rules were removed, it duly caught and killed newly appearing infected objects, no fewer than 15 per day, plus a reboot twice a day with a vague description in the logs)
6. Removed all the introduced IPsec rules and purged the associated filter lists

All activities were completed by the evening of 05.05. So far so good, the admins have been punished, and I am monitoring closely.

I want to express special thanks to rambling.

dihlofos2009 04.04.20

Embrace The Futility
Thanks for the link. It wrote that doublepulsar was not found. I just wonder whether this website shows the correct result if port 445 is closed?

falsepilot wrote:
6. Removed all the introduced IPsec rules and purged the associated filter lists
Hmm, I just looked in the security policy. I see some netbc. The time it was last modified matches, to the minute, the time when the antivirus complained about the miner's files and the error "Critical system process C:\Windows\system32\lsass.exe ended with an error...." occurred. Apparently it has something to do with that stuff. Can I delete it?

Here is what is written in the filters.
Spoiler
I Googled these IPs. At least one resource mentions them in connection with virus attacks:
https://www.reddit.com/r/techsupport/comments/683xzs/bitcoin_mining_malware_removal_help/

falsepilot 04.04.20

dihlofos2009
But what's inside? What is the rule?

falsepilot 04.04.20

dihlofos2009
I had the same pools of addresses. Blame.
Then the unexpected reboots will end.

LenivyiBob 04.04.20

Thanks for the link to check. I'm clean.
To everyone who is struggling with the infection: I wish you strength and care.

falsepilot 04.04.20

dihlofos2009
Still need to check the filters:

dihlofos2009 04.04.20

falsepilot
Now I have only this there:

Spoiler
The allow list is empty.

falsepilot wrote:
But what's inside? What is the rule?
Who knows now, I've already removed it.

rambling 04.04.20

falsepilot

Specifically, your miner is more than likely started through a NET Framework service. I suggest killing it, just in case. In Services, look for the NET Framework service whose name does not end in _x86 or _x64; that will be it. Simply turn it off. If that service is not there, you can try looking for a Windows Security service. Good luck.

Although theoretically anything can creep in through this backdoor, the best indicator of its possible presence at the moment is this miner.
It's also possible that only those whose miner is activated via the above service are infected with DoublePulsar. Other versions in use are probably older. But this is just a guess.
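
Added example, not part of the thread and not written by any poster: a read-only PowerShell triage of one host for the artifacts reported above in falsepilot's post (file names, the Mysa task, IPsec rules) and in rambling's posts (service names, port 445, update level). The directories searched and the match patterns are assumptions of this example, and every hit is a lead for manual review.

```powershell
# Added example: read-only triage for artifacts named in this thread.
# Runs on PowerShell 2.0+ (elevated); hits are leads to review, not verdicts.
$win = $env:windir

# 1. File names reported in the thread. -Force also returns hidden/system
#    files, which the first post says the latest miner version uses.
$names = 'WINSec.exe', 'msiexev.exe', 'LMS.exe', 'secscan.exe'
$dirs  = "$win\Security", "$win\Fonts", "$win\Temp", "$win\AppPatch"  # assumed scope
$files = Get-ChildItem -Path $dirs -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $names -contains $_.Name }

# 2. Scheduled task called "Mysa" (falsepilot's post).
$tasks = schtasks.exe /query /fo list 2>$null | Select-String -SimpleMatch 'Mysa'

# 3. Local IPsec policy, kept whole: review it for filters on port 445 and
#    for policies nobody created (dihlofos2009 found one named "netbc").
$ipsec = netsh.exe ipsec static show all 2>$null

# 4. Services: "NET Framework" display names without the _x86/_x64 suffix,
#    or containing "Windows Security" (rambling's posts). Assumed patterns;
#    legitimate services can match, so check each binary path by hand.
$svcs = Get-Service | Where-Object {
    ($_.DisplayName -match 'NET Framework' -and
     $_.DisplayName -notmatch '_x(86|64)$') -or
    $_.DisplayName -match 'Windows Security'
}

# 5. Exposure: TCP 445 bound locally, and the date of the newest update.
$smb  = netstat.exe -ano | Select-String '^\s*TCP\s+\S+:445\s'
$last = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1

'--- files ---';         $files | Format-Table FullName, CreationTime, Attributes -AutoSize
'--- tasks ---';         $tasks
'--- services ---';      $svcs | Format-Table Name, DisplayName, Status -AutoSize
'--- TCP 445 ---';       $smb
'--- newest update ---'; $last | Format-List HotFixID, InstalledOn
'--- IPsec policy ---';  $ipsec

# The thread's advice is to be updated at least through April 2017.
if (-not $last -or $last.InstalledOn -lt [datetime]'2017-04-01') {
    'WARNING: no installed update dated April 2017 or later was found'
}
```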

falsepilot 04.04.20

rambling
Thank you. And isn't this backdoor squashed by fresh OS updates?

As for the NET Framework services, the situation now looks like this:

rambling 04.04.20

falsepilot

It is squashed by the March update on all systems from Vista up, inclusive. It is unknown how many, so I suggest updating up to April.

In your screenshot everything is in order with these services. But at the moment it disguises itself as three services: NET Framework, Windows Security, and a third whose name I can't remember. Perhaps some were added recently.

Here is information on your case. There is also a lot of information in the comments.
https://www.reddit.com/r/techsupport/comments/683xzs/bitcoin_mining_malware_removal_help/

falsepilot 04.04.20

rambling
Just got the security update for NET Framework)