2

On a business computer network with around 50 computers, there is an infected computer.

We need to find that and remove it.

I have been running the software below on the suspicious computers, but didn't find anything:

  • Kaspersky
  • Malwarebytes
  • SpyHunter
  • Spybot
  • Avast!

Is this software good enough, or do I need to search for another one?

Now I'm thinking about running a network analyzer.

Does anyone have a different idea or approach?

Vilican
  • Do you have backup images available to restore your computers? Is all user data stored on the network? Have you performed a scan of personal data possibly stored on the network as well as the individual machines? Just some suggestions to include for informational purposes. – Jonathan Gray Dec 16 '15 at 11:13
  • 1
    How do you know for sure that one is infected? Or, more specifically, what led to your conclusion? – cinhtau Dec 16 '15 at 11:24
  • If you ran the antivirus software only on the computers that YOU think might be infected, you obviously did not run it on others. I'd run it on all machines. – marstato Dec 16 '15 at 12:05

3 Answers

3

You provide almost no information: I can barely deduce that you're running Windows from the software you used.

The key question is, how do you know that a computer is infected? This will probably give you the key about how to find out which computer it is.

Lacking information, I'll just list some of the almost infinite possibilities:

  • some files get accessed and damaged/deleted => you can check access logs where available, or check out network connections using, if nothing else avails, NETSTAT -na in a shell. The victim computer will show connections from the attacking IP.
  • information gets stolen. If you know this, it is because you found the information where it shouldn't have been. Try disseminating false information, different from PC to PC. If you later find that your corporate website has been accessed using passwordAssignedToEmiliosComputer, you'll know that Emilio's PC is the one to investigate.
  • the configurations or running images of the PCs are different. You can check the former using REGEDIT, even if it's time consuming, and the latter by running the task manager.
  • If whatever the virus does implies a lot of network activity, perhaps you can see it with a network analyzer, or by running a diagnostic on the switches, or... at the very least, looking at their blinkenlights (I had to do this once or twice).
  • Number the PCs from 1 to 50. Disconnect all even-numbered computers and see if whatever symptoms you observed cease. If they don't, try disconnecting the odd-numbered computers. If now they do, you're left with 25 PCs to examine. Number them from 1 to 25 and repeat. You're left with 12 or 13 PCs to examine. Then 6 or 7. Then 3 or 4. Then 1 or 2.
LSerni
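The NETSTAT -na suggestion above is only useful once you can compare the output from many machines side by side. The following is an added example (not part of the answer, and not the tool of any vendor): it parses constructed netstat -na captures from three hypothetical workstations, lists established connections to addresses outside an assumed 10.0.0.0/24 corporate subnet, answers the question "which captures show a connection to this address?", and flags a host holding SMB sessions to an unusually large number of LAN peers. Host names, addresses, ports and the subnet are all assumptions for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: "netstat -na" output as captured on three hypothetical
# workstations. Host names, addresses and ports are made up for this example.
NETSTAT_BY_HOST = {
    "WS-07": """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.7:445           10.0.0.23:51002        ESTABLISHED
  TCP    10.0.0.7:49722         203.0.113.5:443        ESTABLISHED
  TCP    127.0.0.1:5354         127.0.0.1:49670        ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:5355           *:*
""",
    "WS-23": """
  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.23:51002        10.0.0.7:445           ESTABLISHED
  TCP    10.0.0.23:51010        10.0.0.9:445           ESTABLISHED
  TCP    10.0.0.23:51011        10.0.0.11:445          ESTABLISHED
  TCP    10.0.0.23:49800        198.51.100.20:4444     ESTABLISHED
""",
    "WS-09": """
  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.9:445           10.0.0.23:51010        ESTABLISHED
  TCP    10.0.0.9:49701         10.0.0.2:389           ESTABLISHED
""",
}

LAN = ipaddress.ip_network("10.0.0.0/24")  # assumed corporate subnet
CONN_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_endpoint(endpoint):
    """'10.0.0.7:445' -> ('10.0.0.7', '445'); '[::]:135' -> ('::', '135')."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text):
    """Yield (proto, local_ip, local_port, foreign_ip, foreign_port, state) per connection line."""
    for line in text.splitlines():
        m = CONN_LINE.match(line)
        if not m:
            continue  # banner, column header or blank line
        proto, local, foreign, state = m.groups()
        lip, lport = split_endpoint(local)
        fip, fport = split_endpoint(foreign)
        yield proto, lip, lport, fip, fport, state or ""


def is_lan(ip):
    try:
        return ipaddress.ip_address(ip) in LAN
    except ValueError:
        return False


def is_external(ip):
    """True for a routable address outside the assumed LAN; False for loopback, wildcard or junk."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (addr.is_loopback or addr.is_unspecified or addr in LAN)


def external_connections(outputs):
    """host -> list of 'ip:port' foreign endpoints outside the LAN with an ESTABLISHED connection."""
    found = defaultdict(list)
    for host, text in outputs.items():
        for _, _, _, fip, fport, state in parse_netstat(text):
            if state == "ESTABLISHED" and is_external(fip):
                found[host].append(f"{fip}:{fport}")
    return dict(found)


def hosts_connected_to(outputs, address):
    """Captures showing an ESTABLISHED connection whose foreign address is `address`."""
    hits = set()
    for host, text in outputs.items():
        for _, _, _, fip, _, state in parse_netstat(text):
            if state == "ESTABLISHED" and fip == address:
                hits.add(host)
    return sorted(hits)


def smb_fan_out(outputs, threshold=2):
    """Hosts holding ESTABLISHED SMB (445) sessions to more than `threshold` distinct LAN peers."""
    result = {}
    for host, text in outputs.items():
        peers = {fip for _, _, _, fip, fport, state in parse_netstat(text)
                 if state == "ESTABLISHED" and fport == "445" and is_lan(fip)}
        if len(peers) > threshold:
            result[host] = len(peers)
    return result


if __name__ == "__main__":
    print("External connections:", external_connections(NETSTAT_BY_HOST))
    print("Hosts connected to 10.0.0.23:", hosts_connected_to(NETSTAT_BY_HOST, "10.0.0.23"))
    print("SMB fan-out:", smb_fan_out(NETSTAT_BY_HOST))
```

In the constructed data WS-23 stands out twice: it is the only machine with an outbound session on an unusual port, and it holds SMB sessions to three other workstations, which is what a victim-to-victim spread looks like from the victims' side. Collecting the real captures is the part this example leaves to you; whatever remote execution tooling the network already has will do.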
0

I would try the following:

  • Checking proxy, firewall or other navigation logs for malicious IPs or domains
  • Checking DNS logs for malicious domains
  • Using IOC search tools
  • Running a network analyzer and then looking for malicious IPs or domains visited
  • Running an IDS with signatures
  • Executing Process Explorer on each machine and looking for malicious processes
  • Retrieving last executed commands from each machine (Windows Prefetch files)
  • Retrieving running processes from each machine with some type of scripting (WMI, PowerShell, psexec...)

How do you know that you are infected? Start there and perform forensics.

Eloy Roldán Paredes
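The first three items of this answer (proxy logs, DNS logs, IOC search) come down to one job: match every log line against an indicator list and count hits per internal client. This added example is not the answer's code or any IOC tool's; it runs that search over constructed Squid-style proxy lines and BIND-style DNS query lines, with a constructed indicator list of documentation addresses and example domains. It goes slightly beyond the answer by treating a query for any subdomain of an indicator domain as a hit, which is how most IOC tools behave. The log formats, client addresses and indicators are all assumptions for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed indicator list of the kind an IOC feed or incident report supplies.
# All domains and addresses here are documentation/example values, not real indicators.
IOC_DOMAINS = {"bad-updates.example", "c2.example.net"}
IOC_IPS = {"198.51.100.20", "203.0.113.5"}

# Constructed Squid-style proxy log (native format):
# time elapsed client code/status bytes method url ident hierarchy/peer type
PROXY_LOG = """\
1450260000.123    112 10.0.0.17 TCP_MISS/200 4821 GET http://www.example.org/index.html - HIER_DIRECT/93.184.216.34 text/html
1450260001.456     87 10.0.0.23 TCP_MISS/200 512 GET http://cdn.bad-updates.example/u.php?id=1 - HIER_DIRECT/198.51.100.20 text/plain
1450260002.789    140 10.0.0.7 TCP_TUNNEL/200 2048 CONNECT 203.0.113.5:443 - HIER_DIRECT/203.0.113.5 -
1450260003.000     90 10.0.0.23 TCP_MISS/200 600 GET http://cdn.bad-updates.example/u.php?id=2 - HIER_DIRECT/198.51.100.20 text/plain
"""

# Constructed BIND-style query log lines.
DNS_LOG = """\
16-Dec-2015 11:13:01.001 client 10.0.0.17#53211: query: www.example.org IN A + (10.0.0.2)
16-Dec-2015 11:13:02.002 client 10.0.0.23#53300: query: beacon.c2.example.net IN A + (10.0.0.2)
16-Dec-2015 11:13:03.003 client 10.0.0.9#53301: query: mail.example.org IN MX + (10.0.0.2)
16-Dec-2015 11:13:04.004 client 10.0.0.23#53302: query: cdn.bad-updates.example IN A + (10.0.0.2)
"""

DNS_QUERY = re.compile(r"client (\S+)#\d+: query: (\S+) IN (\S+)")


def matching_domain(name, iocs=IOC_DOMAINS):
    """Return the indicator that `name` equals or is a subdomain of, else None."""
    name = name.lower().rstrip(".")
    for ioc in iocs:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def host_from_url(url):
    """Hostname (or literal IP) of a proxy log URL: absolute URL or the host:port of a CONNECT."""
    if "://" in url:
        url = url.split("://", 1)[1]
    host = url.split("/", 1)[0].rpartition("@")[2]
    if host.startswith("["):  # [v6]:port
        return host[1:host.index("]")]
    return host.rsplit(":", 1)[0] if ":" in host else host


def indicators_for_proxy_line(line):
    """Set of (client, indicator) pairs for one Squid native log line; empty if nothing matches."""
    fields = line.split()
    if len(fields) < 9:
        return set()
    client, url, peer = fields[2], fields[6], fields[8].split("/", 1)[-1]
    hits = set()
    host = host_from_url(url)
    dom = matching_domain(host)
    if dom:
        hits.add((client, dom))
    for ip in (host, peer):  # URL host may itself be an IP; peer is the upstream the proxy used
        if ip in IOC_IPS:
            hits.add((client, ip))
    return hits


def indicators_for_dns_line(line):
    """Set of (client, indicator) pairs for one BIND-style query log line."""
    m = DNS_QUERY.search(line)
    if not m:
        return set()
    client, qname = m.group(1), m.group(2)
    dom = matching_domain(qname)
    return {(client, dom)} if dom else set()


def ioc_hits(proxy_log, dns_log):
    """client ip -> Counter of matched indicators, across both log sources."""
    per_client = defaultdict(Counter)
    for line in proxy_log.splitlines():
        for client, ind in indicators_for_proxy_line(line):
            per_client[client][ind] += 1
    for line in dns_log.splitlines():
        for client, ind in indicators_for_dns_line(line):
            per_client[client][ind] += 1
    return dict(per_client)


def ranked_clients(proxy_log, dns_log):
    """[(client, distinct_indicators, total_hits)], most suspicious first."""
    hits = ioc_hits(proxy_log, dns_log)
    return sorted(((c, len(ctr), sum(ctr.values())) for c, ctr in hits.items()),
                  key=lambda t: (t[1], t[2]), reverse=True)


if __name__ == "__main__":
    for client, distinct, total in ranked_clients(PROXY_LOG, DNS_LOG):
        print(f"{client}: {distinct} distinct indicators, {total} hits")
```

Ranking by the number of distinct indicators first, and raw hit count second, keeps one chatty but benign host from outranking a machine that touched several unrelated indicators. On a real network the client column is the piece that turns a proxy or DNS log into the answer to "which of the 50 machines", so make sure the proxy is configured to log the client address and the DNS server to log queries before you need them.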
0

I would also use anti-rootkit tools. These are usually one-off specific tools and vary in their user-friendliness.

Many AV solutions don't look for rootkits or aren't capable. This link is a bit out of date but should get you started: http://www.techrepublic.com/blog/five-apps/five-free-portable-rootkit-removers/

Failing all this, I would use Wireshark on any networked machine and look at the packet data (destination and source); this should allow you to track down the offending machine.

aj-