Users started complaining about slow network speed so I fired up Wireshark. Did some checking and found many PCs sending packets similar to the following (screenshot):


I blurred out the text for the username, computer name and domain name (since it matches the internet domain name). Computers are spamming the Active Directory servers trying to brute force hack passwords. It will start with Administrator and go down the list of users in alphabetical order. Physically going to the PC finds no one anywhere near it and this behavior is spread across the network so it appears to be a virus of some sort. Scanning computers which have been caught spamming the server with Malwarebytes, Super Antispyware and BitDefender (this is the antivirus the client has) yields no results.

This is an enterprise network with about 2500 PCs so doing a rebuild is not a favorable option. My next step is to contact BitDefender to see what help they can provide.
Has anybody seen anything like this or have any ideas what it could possibly be?

Nate Pinchot
  • Could be something along the lines of what Google et al. were hit with. US companies have over the past months to a year been attacked by someone able to write their own exploits, and who knows how to elevate from regular non-admin user to Domain Admin. Do a search for some technical stories related to the recent attacks against Google and others. – Alex Holst Mar 17 '10 at 23:24
  • Alex, this does not fit the model of an APT attack--APT attacks are very precise, specific, and low key. How was this attack discovered? Because it created a big hit on performance of the network--enough for someone to look into it--Definitely not APT; unless, perhaps, it is a feint, to hide the real attack vector. – Josh Brower Mar 17 '10 at 23:30

3 Answers


Sorry, I've no idea what this is, however, you have more important issues right now.

How many machines are doing this? Have you disconnected them all from the network? (and if not, why not?)

Can you find any evidence of domain accounts being compromised (especially domain admin accounts)?

I can understand you not wanting to build your desktops again, but unless you do, you can't be sure you'll clean the machines.

First steps:

  • Ensure complex passwords are enabled on your domain
  • Set a lockout policy - this will cause you problems if you still have scanning machines, but this is better than more accounts being compromised
  • Isolate a known bad machine, is it trying to talk to the outside world? You need to block this across your network at your gateway
  • Attempt to isolate all known bad machines.
  • Monitor for more scanning machines.
  • Force all your users to change their password, check all your service accounts.
  • Disable any accounts no longer in use.
  • Check your group memberships on servers and DCs (Domain Admins, Administrators, etc)

Next you need to perform some forensics on your known bad machines to try and trace what has happened. Once you know this, you stand a better chance of knowing what the scope of this attack is. Use RootkitRevealer, and perhaps even image the hard disk before you destroy any evidence. Linux Live CDs with NTFS support can be very useful here, as they should allow you to find what a rootkit could be hiding.

Things to consider:

  • Do you have a standard local admin (weak) password on all the workstations?
  • Do your users have admin rights?
  • Are all domain admins using separate accounts for DA activities? Consider setting restrictions on these accounts (e.g. workstations you can log on to).
  • You don't give any info about your network. Do you have any publicly exposed services?

Edit: Trying to give more info is difficult, as it really depends upon what you find, but having been in a similar situation several years ago, you really need to distrust everything, especially machines and accounts that you know to be compromised.

  • We have good passwords and policies in place. Outside access is already extremely limited (http only via proxy, most ports blocked, etc etc) - not an issue. Can't force all users to change passwords, but all admin users is doable. See my comment to Josh below for the details on forensics. No users other than what is necessary have admin rights. No publicly exposed services other than web traffic to the DMZ but these machines were not affected - only desktops so far. – Nate Pinchot Mar 17 '10 at 23:58
  • Also worth noting that while I did say rebuild is not favorable I am mainly after data at the moment so that I can protect the image we are using to rebuild since there is obviously a hole somewhere. If I find more useful data than "Worm.Generic" I'll post it in an answer. Marking this as the answer since this really is the way to go. – Nate Pinchot Mar 18 '10 at 00:01
  • You need to identify the vector by which this code was introduced into your network. It's not always from the internet; executables on USB keys and personal storage too. If you don't find the vector then it's likely to come back. – The Unix Janitor Mar 18 '10 at 15:30
  • @Nate. Sorry to drag this old thread back up, but why weren't you able to force all users to change passwords? We did it for 25k users without too much effort, including remote users. I trust all went well for you anyway? – Bryan Jun 22 '11 at 14:10
  • The network is for a school system, with about 5k or so student users and lots of not-so-computer-savvy teachers and school staff. It would have created quite a bit of headache to require all users to change their password on next login. Everything did go well. We changed all administrative passwords, restored servers from backup as needed and re-imaged all PCs. – Nate Pinchot Jun 27 '11 at 15:53
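The "monitor for more scanning machines" step from the answer above, as an added example that is not part of the original thread: it assumes the DC's failed-logon events (Windows Security event 4771, Kerberos pre-authentication failed, failure code 0x18 for a bad password) have been exported to a flat field=value text form, and flags client addresses that fail against many distinct accounts in alphabetical order starting with Administrator, the pattern the question describes. The sample events are constructed.

```python
"""Flag sources that brute-force AD accounts alphabetically (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample of Kerberos pre-authentication failures (Windows Security
# event 4771, failure code 0x18 = bad password) flattened to field=value lines.
SAMPLE_EVENTS = """\
2010-03-17T22:01:03 EventID=4771 Account=Administrator ClientAddress=10.1.5.23 FailureCode=0x18
2010-03-17T22:01:04 EventID=4771 Account=aadams ClientAddress=10.1.5.23 FailureCode=0x18
2010-03-17T22:01:05 EventID=4771 Account=abrown ClientAddress=10.1.5.23 FailureCode=0x18
2010-03-17T22:01:06 EventID=4771 Account=bclark ClientAddress=10.1.5.23 FailureCode=0x18
2010-03-17T22:01:07 EventID=4771 Account=cdavis ClientAddress=10.1.5.23 FailureCode=0x18
2010-03-17T22:02:10 EventID=4771 Account=jsmith ClientAddress=10.1.7.44 FailureCode=0x18
2010-03-17T22:02:12 EventID=4771 Account=jsmith ClientAddress=10.1.7.44 FailureCode=0x18
2010-03-17T22:03:00 EventID=4771 Account=Administrator ClientAddress=10.1.9.8 FailureCode=0x18
2010-03-17T22:03:01 EventID=4771 Account=aadams ClientAddress=10.1.9.8 FailureCode=0x18
2010-03-17T22:03:02 EventID=4771 Account=abrown ClientAddress=10.1.9.8 FailureCode=0x18
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) Account=(?P<acct>\S+) "
    r"ClientAddress=(?P<src>\S+) FailureCode=(?P<code>\S+)$"
)

def parse_events(text):
    """Yield (timestamp, account, source) for each bad-password pre-auth failure."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m and m["id"] == "4771" and m["code"] == "0x18":
            yield m["ts"], m["acct"], m["src"]

def find_scanners(text, min_accounts=3):
    """Return {source: [accounts]} for sources that failed against at least
    min_accounts distinct accounts, tried in alphabetical order (Administrator first)."""
    by_src = defaultdict(list)
    for _, acct, src in sorted(parse_events(text)):  # chronological order
        if acct not in by_src[src]:
            by_src[src].append(acct)
    scanners = {}
    for src, accts in by_src.items():
        if len(accts) < min_accounts:
            continue
        # A user mistyping one password repeatedly has one account; a scanner walks many.
        rest = accts[1:] if accts[0] == "Administrator" else accts
        if [a.lower() for a in rest] == sorted(a.lower() for a in rest):
            scanners[src] = accts
    return scanners
```

The single-account repeat from 10.1.7.44 is left alone, so a user fat-fingering a password does not trip the check; only the two hosts walking the account list are reported.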

It could be anything from L0phtCrack to THC-Hydra or even a custom-coded application, though your AV solution should have picked up the well-known apps.

At this point, you need to identify all the systems infected, quarantine them (vlan, etc), and contain and eradicate the malware.

Have you contacted your I.T. Security team yet?

Finally, I understand you not wanting to rebuild, but at this point, (with the little data you have given), I would say that the risk warrants rebuilds.


Josh Brower
  • Thanks for the links. We will probably have to rebuild, we have images. But more importantly, we don't want to rebuild and have the same thing happen all over again, so we need to figure out what this is so we can protect the images against it and then rebuild. Using GMER I was able to determine that a rootkit was in place and disabled the services it had installed. When I rebooted, BitDefender detected it as Worm.Generic.42619 (googling for this isn't helpful - nor is searching for it in their virus db). So waiting for them to give me more info now. – Nate Pinchot Mar 17 '10 at 23:54
  • Nate- Actually, Worm.Generic.42619 leads me here (http://goo.gl/RDBj), which leads me here (http://goo.gl/n6aH), which, if you look at the first hit (http://goo.gl/Le8u), has some similarities to the malware currently infecting your network.... – Josh Brower Mar 17 '10 at 23:59
  • "we don't want to rebuild and have the same thing happen all over again, so we need to figure out what this is" warrants a +1 – Maximus Minimus Mar 18 '10 at 04:37

Try running a different capture program to make sure the results confirm what Wireshark is seeing. Wireshark has had problems in the past decoding Kerberos traffic. Make sure what you're seeing is not a red herring.

Are you seeing any other "anomalies" in the capture?
