
Tuesday 28 August 2012

Malware - Shortcuts in Mapped Drives

We recently dealt with malware that creates shortcuts in mapped network drives, hides all the real files on the drive and leaves only fake shortcuts in their place. This is our understanding of the malware, what it does and how to stop it.

Malware on users computer


When we checked the user's computer that had first reported the shortcuts appearing in their mapped network drives, we scanned the disk with several anti-virus products and all of them reported no malware found. So we turned to the trusted AutoRuns application, which shows you everything that runs at start-up on your computer, and this found the pictured file. What we have here is an EXE that exploits a Flash Player vulnerability and then installs into the user's AppData folder so that it has the necessary permissions to execute. In this example I have obfuscated the actual URL of the site hosting the Flash exploit, but the malware leaves the URL in the folder structure, so you can see the site that caused the drive-by download.

The location is C:\users\%username%\appdata\roaming\macromedia\flash player\#sharedobjects\girh2t5n\www.urlofsite.co.uk\ptvflash\flii\slui.exe

Malware Payload


When executed, the malware creates a file called thumbs.dbh in each mapped drive and then runs to create the shortcuts and hide the real files by changing their attributes.

Thumbs.dbh


A big part of the problem with this malware is how to stop it while you check each computer and patch Flash Player. What we did was create our own file called thumbs.dbh in the root of each mapped drive and set its permissions to deny access to all users. The malware still thinks it can work and tries to open the thumbs.dbh file each time it deploys, but it fails because the file denies access to everyone. This means the malware is active but cannot deploy its payload, which gives you time to apply Flash Player, Java and Windows updates. Once all computers are updated you can remove the original malware from AppData and then the fake thumbs.dbh file that we created.
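As an added example (PowerShell, not code from the original post), the two defensive steps described above in script form: creating the deny-all thumbs.dbh placeholder in each mapped drive root, and listing shortcut/hidden-file pairs so the affected files can be found and restored once the infected computer is cleaned. The drive letters in $Roots are a constructed sample, and the script needs rights to change the ACL on the share root.

```powershell
# Added example, not code from the original post. $Roots is a constructed list;
# replace it with the mapped drive letters the malware touched.
$Roots = @('X:\', 'Y:\')

function Set-DenyPlaceholder {
    # Create an empty thumbs.dbh in the drive root and deny Everyone all access,
    # so the malware's attempt to open or write that file fails.
    param([string]$Root)
    $path = Join-Path $Root 'thumbs.dbh'
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType File -Path $path -Force | Out-Null
    }
    $acl = Get-Acl -LiteralPath $path
    $acl.SetAccessRuleProtection($true, $false)      # drop inherited share rules
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRule($rule) | Out-Null
    }
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $everyone, 'FullControl', 'Deny'
    $acl.AddAccessRule($deny)
    Set-Acl -LiteralPath $path -AclObject $acl
}

function Get-HiddenFileShortcutPairs {
    # Report .lnk files sitting next to a Hidden file of the same base name
    # (the pattern described above), with each shortcut's target for review.
    param([string]$Root)
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -LiteralPath $Root -Force |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '.lnk' } |
        ForEach-Object {
            $sibling = Join-Path $Root ([IO.Path]::GetFileNameWithoutExtension($_.Name))
            if (Test-Path -LiteralPath $sibling) {
                $attr = (Get-Item -LiteralPath $sibling -Force).Attributes
                if ($attr -band [IO.FileAttributes]::Hidden) {
                    New-Object PSObject -Property @{
                        Shortcut   = $_.FullName
                        Target     = $shell.CreateShortcut($_.FullName).TargetPath
                        HiddenFile = $sibling
                    }
                }
            }
        }
}

foreach ($r in $Roots) {
    Set-DenyPlaceholder -Root $r
    Get-HiddenFileShortcutPairs -Root $r | Format-Table -AutoSize
}
```

The account that creates the placeholder remains its owner and keeps implicit WRITE_DAC, so it can reset the ACL and delete the file once all computers are patched and cleaned.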

Friday 24 August 2012

Event Log Error - Event ID 675 Security Authentication Failures

I noticed on our GFI RM Monitoring that we had a number of Security Logon Failures on one of our Windows 2003 Domain Controllers.

Event ID Failure


This is caused by Windows Vista and Windows 7 computers sending their Kerberos authentication with AES 128/256 encryption. Windows 2003 Server does not support this encryption method, so it sends a message back to the computer asking for an encryption method it does support. The highest Windows 2003 can support is RC4-HMAC, and event ID 675 is logged to show this process.

You can get rid of this by adding a registry key to each Windows Vista and Windows 7 computer, but I would recommend upgrading to Windows 2008 R2 Domain Controllers as the long-term solution.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Name: DefaultEncryptionType
Type: REG_DWORD
Value: 23 (dec) or 0x17 (hex)

Wednesday 22 August 2012

GFI Remote Management - How to log a support ticket

If you have problems with GFI Remote Management or any of its applications, you can contact the helpdesk from the console.

Request Help


From the Help menu, choose Request Help.

Submit a Support Ticket


You can now submit a support ticket to GFI which contains all the information on the issue you have.

GFI Remote Management - Cannot install Managed Anti Virus application

When trying to deploy Managed Anti Virus to a computer that had Symantec Anti Virus installed, you may find that the application will not install because a component of Symantec is still left in the registry even though the application has been uninstalled.

Registry Keys


The key that needs to be removed is the SharedDefs key under HKLM\SOFTWARE\SYMANTEC.

Install Ready


Once this is complete, rerun the 24/7 checks and you will see that the Managed Anti Virus application now installs.

Wednesday 8 August 2012

SharePoint 2010 - User cannot delete a Site or Workspace

If you are running SharePoint 2010 and find you cannot delete a site or a workspace, this could be the problem. The site's content database needs to be upgraded and this has not been completed yet, so the site cannot be deleted.

Error when deleting a Site


When you try to delete a site this is the error displayed.

Content Database


The SharePoint content database will not have been upgraded since SP1 was installed, so you cannot remove any sites until this is complete.

Upgrade Content Database


By using the Get-SPContentDatabase cmdlet and piping its output to the Upgrade-SPContentDatabase cmdlet, we can upgrade every database. I used -WhatIf to show what would happen if I ran the cmdlet, to make sure I know what the results will be.

Upgrade the Database


When you choose to upgrade the database you will see the progress, and afterwards you will be able to delete the site.
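The upgrade procedure above as an added example (PowerShell, not code from the original post), going one step further than the post by checking each content database's NeedsUpgrade property so that only databases still behind the installed binaries are upgraded, after a -WhatIf preview. It assumes the SharePoint 2010 Management Shell snap-in is available on the server.

```powershell
# Added example, not code from the original post: list the farm's content
# databases with their upgrade state, preview the upgrade, then run it only
# for databases that still need it.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-PendingContentDatabases {
    # NeedsUpgrade is true when the database schema is behind the installed
    # binaries, the post-SP1 state described in the post.
    Get-SPContentDatabase | Where-Object { $_.NeedsUpgrade }
}

# Overview of every content database and whether it still needs upgrading.
Get-SPContentDatabase | Format-Table Name, Server, NeedsUpgrade -AutoSize

$pending = Get-PendingContentDatabases
if ($pending) {
    # Dry run first, as in the post, to see exactly what would be changed.
    $pending | Upgrade-SPContentDatabase -WhatIf
    # Real run; -Confirm:$false suppresses the per-database prompt.
    $pending | Upgrade-SPContentDatabase -Confirm:$false
} else {
    Write-Host 'All content databases are already upgraded.'
}
```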

Thursday 2 August 2012

Remote Desktop Licence Server Migration

You can migrate Remote Desktop licences in Windows 2008 R2 Server, so you no longer have to call the Microsoft Clearing House to move your CALs.

Open RD Licensing Manager


Log on to your new licensing server, run RD Licensing Manager, right-click the licence server and choose Manage Licences.

Manage Licences Wizard


The Manage Licences Wizard will start.

Choose Migrate Licences


Choose the option to migrate licences and the reason for the migration.

Source Licence Server


Specify the name or IP address of the source licence server.

Existing Licence Type


The existing licence type should now be displayed; in my case I had a pack of 5 Retail Licences.

Add Licence Details


This screen will depend on your licence type; in this case I had to re-enter the Retail Licence product key.

Wizard Authorises Licences


The wizard will now migrate the licences.

Migration Complete


The wizard has completed the migration and there was no need to call up and have a chat with an automated machine.

Wednesday 1 August 2012

Xenapp - Server is too busy to accept connections gotcha!

I built a new XenApp 6.0 Fundamentals server for a customer and had everything set up as I wanted, but I could not establish a connection to the server. Each time it failed, and in the event log was the error that the Citrix server was too busy to accept connections.

I used the qfarm /load command and could see a load of 20000, which results in connections being refused. I spent a while Googling this and couldn't get to the root of it until I found this Citrix KB article and realised I had not enabled Remote Desktop connections to the server. Doh!

VMware Converter - Converting a computer fails with the error "Unable to start the change tracking driver"

This issue is outlined in this VMware KB article.

VMware Converter Error


When you try to convert the computer and have selected Synchronise Changes, this error is displayed.

Disable UAC


The problem occurs because the converter tries to change the UAC policy.

Turn off UAC


By turning off UAC you can convert the computer and then switch it back on afterwards. Once you have changed this setting you will need to reboot for it to take effect.

Restart Conversion


Now your conversion will run correctly and get past the 1% stage.