
Something on the server is automatically adding Deny rules on port 445 and a couple other ports. The rules are appearing in the Firewall and IP Security policies. They are blocking network and printer sharing.

I have tried renaming, disabling, deleting the rules/policies but they come back on their own.

I have done virus scans on 3 different AV programs (Windows Defender, Kaspersky, Malwarebytes) and they have come back clean. I've uninstalled ALL unnecessary programs. I have checked ALL scheduled tasks, and they are appropriate. I have checked ALL startup tasks (Startup folder and registry Run/RunOnce), nothing in them. There are no GPOs set. No VNC/RDP services, so it's not someone doing it manually.

I've been able to stop the rules/policies automatically being added by setting the Permission in the registry folders of the Firewall rules and IP Sec policies to (Everyone to Deny creating/changing/deleting).

How can I pinpoint what is setting these rules/policies?!? The event viewer simply says the Local Service user used netsh to create the rules, but no details on where netsh was called from. Nothing in the event viewer about IPsec policies; I've recently enabled auditing, but nothing in there helps.

Greg
  • TBH, I'd run gpresult on the server to confirm this isn't being applied from Group Policy. – joeqwerty May 11 '17 at 15:00
  • Thanks, I did check all the GPO's already, but went ahead and double checked with, gpresult /r /v - and nothing's being set. – Greg May 11 '17 at 15:08
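One way to get the attribution the event log is missing, as an added example that is not part of the question or its comments: enable process-creation auditing with command lines plus the firewall rule-change audit subcategory, then correlate every netsh.exe launch with the process that spawned it. It assumes Windows Server 2008 R2 or later (auditpol and event IDs 4688/4946 exist); the CommandLine field in 4688 needs Server 2012 R2 or later, or KB3004375 on 2008 R2/2012. The 24-hour lookback window is arbitrary.

```powershell
# Added example (not from the question or its answers): capture who launches netsh
# and which firewall rules get added, then correlate the two.
# Assumptions: Server 2008 R2+ (auditpol, event IDs 4688/4946); CommandLine in 4688
# needs Server 2012 R2+ or KB3004375 on 2008 R2/2012. Run from an elevated prompt.

# 1. Turn on the audit subcategories that produce the events we need.
auditpol /set /subcategory:"Process Creation" /success:enable                  # 4688: each new process + creator PID
auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable   # 4946/4947/4948: firewall rule add/modify/delete
auditpol /set /subcategory:"Filtering Platform Policy Change" /success:enable  # IPsec / WFP policy changes

# 2. Log the full command line in 4688 so "netsh advfirewall firewall add rule ..." is visible.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# Flatten an event's <EventData> into a hashtable keyed by each <Data Name="..."> attribute.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

# 3. After the rules reappear, look back over the window: every netsh.exe launch and what spawned it.
$since = (Get-Date).AddHours(-24)
$all4688 = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$since} -ErrorAction SilentlyContinue |
           ForEach-Object { Get-EventData $_ }

foreach ($launch in ($all4688 | Where-Object { $_.NewProcessName -like '*\netsh.exe' })) {
    # 4688 logs PIDs as hex strings ("0x1a4"); the ProcessId field is the *creator's* PID.
    $creatorPid = [Convert]::ToInt32($launch.ProcessId, 16)
    $creator = $all4688 | Where-Object { [Convert]::ToInt32($_.NewProcessId, 16) -eq $creatorPid } | Select-Object -First 1
    $creatorName = "(parent started before auditing was enabled; check Get-Process -Id $creatorPid and tasklist /svc)"
    if ($creator) { $creatorName = $creator.NewProcessName }
    New-Object PSObject -Property @{
        User        = "$($launch.SubjectDomainName)\$($launch.SubjectUserName)"
        CommandLine = $launch.CommandLine
        CreatorPid  = $creatorPid
        Creator     = $creatorName
    }
}

# 4. Firewall rules added in the same window (4946 carries the rule name).
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4946; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object { $d = Get-EventData $_; '{0}  rule added: {1}' -f $_.TimeCreated, $d.RuleName }
```

Two caveats. PIDs are reused, so when the creator's own 4688 is older than the netsh launch, confirm with the timestamp rather than trusting the match blindly. And if Creator turns out to be svchost.exe running as LOCAL SERVICE, the culprit is a service DLL hosted in that process rather than svchost itself: run `tasklist /svc /fi "PID eq <CreatorPid>"` to list the services in it, then inspect each one's ServiceDll under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters.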

1 Answer


Are you patched for MS17-010? Are you running Server 2003?

-- My TG team got back to me again; I wanted to pass on their info. The URL is now defunct, so they were not able to get access to the MSI.

" The DLL is the “adylkuzz” Monero cryptocurrency miner. It is being delivered using MS17-010 EternalBlue/DoublePulsar.

Once installed it modifies the host firewall to block port 445 and prevent further exploitation attempts. It installs itself as a Windows service under the name “WLEM”, with the binary in c:\Windows\Fonts\wuauserv.exe

Next it tries to determine the host IP by contacting the public icanhazip.com site. DNS requests are made for C2 host “08.super5566[.]com”.

The crypto miner is downloaded from C2 and stored as c:\windows\fonts\msiexev.exe. The Miner is then invoked using the following command:

“-a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:443 -p x -u 42hDr4Lh2QbiLxrZbRZVmxgKGkMaSKWHSfTG6cBHb3yZ8NNEMuZKta74FqMvejvejyhvyT8C8pXY1TqpRS4czWvf744JjqP”

Several exceptions are added to the Windows firewall for other binaries:

0x3ed5f8 (138): netsh advfirewall firewall add rule name="Windriver" dir=in program="%PROGRAMFILES%\Hardware Driver Management\windriver.exe" action=allow

0x3ed698 (131): netsh advfirewall firewall add rule name="Chrome" dir=in program="%PROGRAMFILES%\Google\Chrome\Application\chrome.txt" action=allow

Other than the mining of cryptocurrency, this sample doesn't appear to do much else. "

Brad
  • To add onto this, an IPsec rule called 'win' was created on 2003 servers, and scheduled tasks called Mysa, Mysa1, and Mysa2 were being created that were calling the URL. I deleted the scheduled tasks and then disabled the Task Scheduler service, and haven't seen them come back yet, nor the IPsec rule get recreated either. Both McAfee AV and Cylance missed this 100% and it went completely undetected until our applications were impacted by the port blocks, which is when we noticed. – Brad May 23 '17 at 21:37
  • check out this link https://www.cyphort.com/eternalblue-exploit-actively-used-deliver-remote-access-trojans/ – Brad May 25 '17 at 14:39
  • The OP doesn't say anything about a DLL, Wanna Cry, etc. This answer appears to be a complete guess, unless you know something that's not been made clear by your post. – I say Reinstate Monica May 26 '17 at 21:31
  • Try reading... https://www.cyphort.com/eternalblue-exploit-actively-used-deliver-remote-access-trojans/ – Brad Jun 01 '17 at 19:11
  • If this link provides context for why your answer is relevant, please *include* the essential elements of the link in your answer. On Stack Exchange sites we expect answers to stand on their own even if linked material becomes unavailable. Thanks for contributing. – I say Reinstate Monica Jun 01 '17 at 19:17
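A host sweep for the indicators the answer and its comments describe, as an added example that is not part of Brad's answer or his team's report: the WLEM service, wuauserv.exe and msiexev.exe under C:\Windows\Fonts, the "Windriver" and "Chrome" allow rules (and any inbound block of TCP 445), Mysa* scheduled tasks, an IPsec policy named "win", and a running miner with the quoted cryptonight/stratum command line. It uses PowerShell 2.0-compatible cmdlets so it runs on Server 2008/2008 R2; the IPsec local-policy-store registry path is the one I know of and is an assumption, as is matching the 445 block by the Action=Block and LPort=445 tokens of the stored rule string.

```powershell
# Added example, not part of the original answer: sweep one host for the indicators
# described in the report and comments. PowerShell 2.0-compatible. Run elevated.
# Assumed: the IPsec local policy store path in step 5 and the rule-string tokens in step 3.

$hits = New-Object System.Collections.ArrayList
function Add-Hit([string]$Indicator, [string]$Detail) {
    [void]$hits.Add((New-Object PSObject -Property @{ Indicator = $Indicator; Detail = $Detail }))
}

# 1. Service installed by the dropper.
$svc = Get-Service -Name 'WLEM' -ErrorAction SilentlyContinue
if ($svc) {
    $img = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\WLEM' -ErrorAction SilentlyContinue).ImagePath
    Add-Hit 'service WLEM' "status=$($svc.Status) imagepath=$img"
}

# 2. Dropped binaries (look-alike names: the real wuauserv is a DLL in System32, not an EXE in Fonts).
foreach ($f in @("$env:windir\Fonts\wuauserv.exe", "$env:windir\Fonts\msiexev.exe")) {
    if (Test-Path $f) { Add-Hit 'dropped file' $f }
}

# 3. Firewall rules are stored as one '|'-delimited string per value under this key
#    (the same key the question locked down). Match the sample's allow rules by name /
#    program and any inbound block of TCP 445 (token names assumed).
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
$fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
if ($fw) {
    foreach ($p in $fw.PSObject.Properties) {
        $v = [string]$p.Value
        if ($v -match 'Name=Windriver' -or $v -match 'chrome\.txt' -or ($v -match 'Action=Block' -and $v -match 'LPort=445')) {
            Add-Hit 'firewall rule' $v
        }
    }
}

# 4. Persistence tasks named Mysa, Mysa1, Mysa2 ... (schtasks works back to Server 2003;
#    repeated CSV header rows from /v are harmless because they never match 'Mysa').
schtasks /query /fo csv /v 2>$null | ConvertFrom-Csv |
    Where-Object { $_.TaskName -match 'Mysa' } |
    ForEach-Object { Add-Hit 'scheduled task' "$($_.TaskName) -> $($_.'Task To Run')" }

# 5. IPsec policy named "win" in the local policy store (assumed path; any string value
#    exactly equal to "win" under it is reported, so a wrong value name yields no hit, not an error).
$ipsecKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local'
if (Test-Path $ipsecKey) {
    Get-ChildItem -Path $ipsecKey -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -eq 'win') { Add-Hit 'ipsec policy' $_.PSPath }
        }
    }
}

# 6. Miner running right now: the pool/algorithm arguments the report quotes are distinctive.
Get-WmiObject -Class Win32_Process |
    Where-Object { $_.CommandLine -match 'cryptonight|stratum\+tcp|xmr\.crypto-pool\.fr' } |
    ForEach-Object { Add-Hit 'miner process' "pid=$($_.ProcessId) $($_.CommandLine)" }

if ($hits.Count -eq 0) { 'No indicators from the report found on this host.' }
else { $hits | Format-Table -AutoSize -Wrap }
```

A clean result from this sweep only says this particular sample's artifacts are absent; the answer's first question still stands, and an unpatched MS17-010 host will simply be re-infected, so verify the patch state before trusting that the rules have stopped reappearing.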