Tuesday, September 29, 2015

VawTrak Trojan

Today I was diagnosing why a clients Internet was running so slow.  After tracing the traffic I found it was one Windows 7 PC which was infected with a virus.  The following processes were running on the machine all communicating with various Internet IP addresses.
  • conhost.exe
  • cmd.exe
  • ctfmon.exe
  • dllhost.exe
  • msiexec.exe
  • notepad.exe
  • presentationhost.exe
Note: Use Windows Resource Monitor and navigate to the Network tab to find out which processes are communicating with Internet resources.

When killing one of these processes, they would simply respawn.  The computer was also running very slow and sluggish with web browsers and windows explorer constantly hanging and freezing.
 
These symptoms are related to Trojan.VawTrak which the computer was infected with.  Trojan.VawTrak copies it self into C:\ProgramData and spawns these processes with its malicious code.
 
Trojan.VawTrak can be cleaned up with Malware Bytes or manually.
 
Trojan.VawTrak is a virus you definitely want to get rid of as it is designed to steal online banking information.  Some of the common tasks it performs are:
  • Disables antivirus protection.
  • Communicates with remote C&C servers – executes commands from a remote server, sends stolen information, downloads new versions of itself and web-injection frameworks.
  • Hooks standard API functions, injects itself into new processes.
  • Steals passwords, digital certificates, browser history, and cookies.
  • Logs keystrokes.
  • Takes screenshots of desktop or particular windows with highlighted mouse clicks.
  • Captures user actions on desktop in an AVI video.
  • Opens a VNC11 (Virtual Network Computing) channel for a remote control of the infected machine.
  • Creates a SOCKS12 proxy server for communication through the victim's computer.
  • Changes or deletes browser settings (e.g. disable Firefox SPDY13) and history. Vawtrak supports three major browsers to operate in – Internet Explorer, Firefox, and Chrome. It also supports password stealing from the other browsers.
  • Modifies browser communication with a web server.
  • Stores internal settings into encrypted registry keys.
Due to the severity of this Trojan and the rate it is spreading, AVG has done a detailed writeup which is available here:

http://now.avg.com/wp-content/uploads/2015/03/avg_technologies_vawtrak_banking_trojan_report.pdf

Thursday, September 24, 2015

Quick access in Windows 10 with Direct Access

Quick access is a feature in Windows 10 which lets you quickly view recently opened documents and folders.  This is handy for users to gain access to files they access on a regular basis.

 
On the Avantgarde Technologies network all our employees use Direct Access to provide seamless connectivity back to resources in the office.  We found on links with poor bandwidth and high latency, Quick access causes performance issues and causes Windows Explorer to hang up to 10 seconds every time a user tries to save a file or open a new Explorer window.
 
To ensure employees which are outside the office are not affected with performance issues, we disabled this technology on all our Windows 10 workstations.  The two registry keys you want to modify are under this location:
 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
 
ShowFrequent
ShowRecent
 
Both are REG_DWORD values.
 
Simply modify both these registry keys to 0.
 
 
 Deploy these registry keys to all your users using Group Policy Preferences.

After making this change, Windows Explorer will be a lot more snappy for remote users connecting via Direct Access or another VPN technology.

Monday, September 21, 2015

Remove all Printers Deployed from a specific Print Server with Powershell

I had a customer which had deployed printers from a legacy print server utilising scripts.  They have recently built a new 2012 R2 print server where they deployed the printers utilising Print Management Console and Group Policy.

All printers were redeployed from the new print server.

The customer however had a number of printers setup on workstations still pointing to the legacy print server.  As such they wanted to remove all printers deployed from the hostname of the legacy print server.

The following PowerShell script achieves this and can be easily deployed with Group Policy.  Simply replace "PRINTSERVER" with the name of your print server and then deploy the PowerShell script.

$PrintServer = "\\PRINTSERVER"
$Printers = Get-WmiObject -Class Win32_Printer
ForEach ($Printer in $Printers) {
If ($Printer.SystemName -like "$PrintServer") {
(New-Object -ComObject WScript.Network).RemovePrinterConnection($($Printer.Name))
}
}


 

Tuesday, September 15, 2015

Regaining Access to an SQL Instance

After a previous employee left an organisation, no one had access to an SQL Instance and the SA Password was unknown.  In this article I will show you how to regain access to an SQL Instance.

This process was performed in SQL Server 2012 Enterprise Edition by booting the SQL server into Single User Mode.

First stop the SQL service for which we need to recover the password.

Then start the service by entering a Start parameter of "-m" in the services window in Control Panel.


Next connect to the instance with SQLCMD.exe -S "SERVERNAME\Instance".

To grant sysadmin to a user or entire group such as Domain Admins, run the following command:

EXEC sp_addsrvrolemember 'DOMAIN\Domain Admins', 'sysadmin'; 
GO

Next run "quit" to close SQLCMD.


After this, remove the -m from the SQL Instance and start the instance normally.  Now anyone in the Domain Admins group will have sysadmin rights to the instance.  Login with a Domain Admin account and reset the SA password (provided your Instance is setup for Mixed authentication).


Enter the new password and click OK.


Thursday, September 10, 2015

Howto Decrypting an Active Directory Password

In this post I will show a tool which makes decrypting Active Directory passwords easy.  It is important to note decrypting highly secure passwords takes a long time and is not always achievable within a reasonable period of time based on the complexity of the password however I have had success recently using this product.

Find a Windows Computer where the user has logged into recently and has their password cached.  Next obtain the Network Password Recovery Wizard (NPRW) tool from:

http://www.passcape.com/network_password_recovery


After the tool simply use the GUI for performing the password encryption.  I found this video very helpful.

http://www.passcape.com/download/swf/nprw-domain-cached-passwords.swf

Wednesday, September 9, 2015

The SMTP availability of the Receive connector Default was low

In Exchange 2013 CU9 you may start seeing the following error message more often.

Log Name:      Application
Source:        MSExchangeTransport
Date:          10/09/2015 12:15:21 PM
Event ID:      1040
Task Category: SmtpReceive
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      CCEX2.toph.local
Description:
The SMTP availability of the Receive connector Default was low (98 percent) in the last 15 minutes.



This is due to a new Transport Agent introduced by CU9 called the System Probe Drop Smtp Agent - undocumented, but apparently responsible for dropping probe emails - which does not "drop the email" in a traditional sense, but removes all email recipients instead. Alas, this method of stopping an email from getting delivered has an adverse effect, namely the email still gets passed down the pipeline, but now with the recipient information destroyed.

This results in the email delivery failing only for the System Mailbox "probe drop" emails as shown in the following screenshot.


As a result, Event ID 1040 for the MSExchangeTransport service is logged saying that a small percentage of emails are failing.  These are generally the probe messages from Exchange 2013 CU9.

I do recommend you run the above Get-MessageTrackingLog command with an EventId of FAIL to determine that there is no other emails which have failed.