Category : Security/Compliance

Fix Cached Credentials over VPN

Ever had a remote user who uses a laptop outside of the company network and whose cached credentials somehow do not work or have been lost from the cache? I recently faced this same issue and, with a little advice from a colleague, I was able to successfully get the user's credentials cached once again.

The way I was able to accomplish this relied on the fact that we had a VPN set up, and since most companies have some sort of VPN for their users to access email and documents, we were able to use this to our advantage.

Essentially what I did was log onto the computer using the administrator's cached credentials. Once in, I made sure the VPN connection was set up to point to my server at the main office, and I went ahead and connected. Then I picked a random application on the desktop (I think I used Firefox), right-clicked it, and selected the "Run as" option. When the dialogue came up, I used the end user's credentials rather than my own. What this does is validate the user's credentials against the domain controller, because we are connected through the VPN.

Once this is done and the application opens, you can disconnect from the VPN, log off the administrator account, and try logging on as the end user.

I was successful in my attempt and I hope you are too!
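The same refresh, scripted, as an added example that is not from the original post. It assumes Windows Vista or later, an elevated PowerShell session on the administrator's cached-credential logon, a VPN that is already connected, and that CONTOSO\jdoe is a placeholder for the end user's domain account.

```powershell
# Added example, not from the original post. CONTOSO and jdoe are placeholders.
$Domain   = 'CONTOSO'
$UserName = 'jdoe'
$User     = "$Domain\$UserName"

# 1. The "Run as" trick only caches anything if a domain controller answers over
#    the VPN, so check the secure channel and locate a DC before prompting anyone.
if (-not (Test-ComputerSecureChannel)) {
    throw "Secure channel to $Domain is down; the VPN is not reaching a DC."
}
nltest /dsgetdc:$Domain | Out-Null
if ($LASTEXITCODE -ne 0) { throw "nltest could not locate a DC for $Domain." }

# 2. Make sure the laptop is allowed to cache domain logons at all
#    (CachedLogonsCount defaults to 10; 0 means nothing is ever cached).
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = [int](Get-ItemProperty -Path $wl -Name CachedLogonsCount).CachedLogonsCount
if ($cached -lt 1) { throw "CachedLogonsCount is $cached; enable caching first." }

# 3. The equivalent of right-click > Run as: an interactive logon as the end user,
#    validated by the DC, which is what writes the fresh cached credential.
$start = Get-Date
runas.exe /user:$User "notepad.exe"     # prompts for the end user's password

# 4. Verify from the Security log that an interactive (type 2) logon for the user
#    was recorded, rather than trusting that the prompt did not complain.
Start-Sleep -Seconds 3
$logon = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$start} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[5].Value -eq $UserName -and $_.Properties[8].Value -eq 2 }
if ($logon) {
    "Interactive logon for $User validated by the DC; safe to disconnect the VPN and test."
} else {
    Write-Warning "No type-2 logon seen for $User; check the password and DC reachability."
}
```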

Removing Fake Microsoft Security Essentials

In today's world of spyware, viruses, and malicious attacks, there are very few that have given me the thought that they could actually be real. Typically you get the one that pops up saying you have 95 viruses and that you need to pay to clean your system, which is an immediate red flag. Most of the time the spyware looks really fake, and by fake I mean they have no company name, or they just use generic names like "Windows Security 2010" and "Antivirus 2010." I thought this was always the case until just recently.

The call came in like any other: the user was describing that Microsoft Security Essentials had detected an infection and that it needed to be cleaned. I told the user to go ahead and click the clean option in Security Essentials and it would clean the file. When she did this, it said it could not be cleaned and the "Apply now" button on the bottom changed to a "Scan Online" option. It took me a second, but I realized that I had never seen this option in Security Essentials before.

If you click on the Scan Online button, it will list a total of 35 antivirus programs, 30 of which are real and 5 which are rogue. The 5 rogue ones are:

  • Red Cross Antivirus
  • Peak Protection 2010
  • Pest Detector 4.1
  • Major Defense Kit
  • AntiSpySafeguard or AntiSpy Safeguard

When these are allowed on the system they will perform a fake virus scan and say you are infected. Each one behaves the same, with a slightly different interface. They also block certain applications from running (e.g. Internet Explorer, Malwarebytes, etc.). Below are the steps I took to resolve my issue.

Removing fake Microsoft Security Essentials

Because I was offsite, I had to remote into this particular computer from another PC on the network, but if you are in front of it you can use the same methodology. I immediately checked Add/Remove Programs, and Microsoft Security Essentials was not even installed!

I downloaded the Process Explorer tool (procexp.exe) from live.sysinternals.com on a separate machine and put it on a network share (you can put it on a USB drive if you are in front of the PC). You can also try Ctrl+Alt+Del, if it works; it did not work for me. I opened the network share on the infected PC, copied procexp.exe onto the computer and ran it. NOTE: It is not usually best practice to open network shares when infected with spyware or viruses, as they sometimes spread via those means, but I had no other choice.

Here I found the fix.exe file was running on the system and I killed the process. I noted the path of the fix.exe file that procexp.exe shows you:

Documents and Settings\(username)\Application Data\fix.exe

I then went into Windows Explorer > Tools > Folder Options > View and made sure "Show hidden files and folders" was selected. I browsed to the folder listed above and removed the fix.exe file. While in there I also noticed another interesting file with a randomly generated name.

Documents and Settings\(username)\Application Data\jsdfgs.bat

I opened this file with notepad and saw the code in the picture below. This looked very suspicious, so I removed this as well.

Note: This may or may not be related to the fake Security Essentials.

I then thought I had the issue resolved and opened IE, which worked fine, but when I tried running Malwarebytes to scan the system, it still would not start. This alerted me that there was still a bigger issue. I also tried running Windows Update and this would fail as well. I began looking at my internet connection settings and found that static IP addresses had been put into my TCP/IP settings. I checked on the location of these IP addresses and they appeared to be coming from the Ukraine. I removed them from my internet connection settings and then Microsoft Update worked fine again.

I also loaded up the real Microsoft Security Essentials and ran a full scan where it found and removed a rootkit.

Win32/Alureon.H

Upon removing this file, Malwarebytes and all other antivirus/spyware scans worked properly.

And just for good measure I downloaded the Piriform CCleaner utility from www.ccleaner.com and ran the cleaner utility to remove all temporary files. I also ran the Registry tool in the application to fix all broken links in the registry.

After the full completion of all the aforementioned tasks, the computer was running great and had no issues.

NOTE: Some of the symptoms in this email, such as the file with the randomly generated name, DNS pointing to the Ukraine, and the rootkit, may not necessarily be on your computer. These were found on mine during the cleanup. They may have been there previously; that is why it is always good to do a full scan with a legitimate antivirus/spyware program. It is also recommended that you consult a trained professional or be fairly tech savvy before trying to accomplish this yourself.
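A triage script for the three indicators this write-up found by hand (a program running out of the profile's Application Data root, dropped .exe/.bat files in that root, and DNS servers typed into an otherwise DHCP-configured adapter), as an added example that is not from the original post. It assumes Windows Vista or later (so the path is Users\...\AppData\Roaming rather than Documents and Settings\...\Application Data) and an elevated PowerShell session; it only reports and changes nothing.

```powershell
# Added triage script, not from the original post. Report-only.
# A program file sitting directly in any user's roaming AppData root, which is
# where fix.exe and the random-named .bat were found (legitimate software
# normally lives in a vendor subfolder, not the root).
$roamingRoot = '\\AppData\\Roaming\\[^\\]+\.(exe|bat|cmd)$'

function Get-SuspiciousProcess {
    # Running processes whose image lives directly in a Roaming root, like fix.exe
    Get-CimInstance Win32_Process |
        Where-Object { $_.ExecutablePath -match $roamingRoot } |
        Select-Object ProcessId, Name, ExecutablePath
}

function Get-SuspiciousProfileFile {
    # Executables and batch files dropped directly into any profile's Roaming root
    Get-ChildItem -Path "$env:SystemDrive\Users\*\AppData\Roaming" -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.bat', '.cmd' } |
        Select-Object FullName, Length, LastWriteTime
}

function Get-ManualDnsOnDhcpInterface {
    # Adapters that get their address from DHCP but have DNS servers set by hand:
    # NameServer holds the manual entry, DhcpNameServer what DHCP actually issued.
    # This is the "static IP addresses in TCP/IP settings" symptom from the cleanup.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    Get-ChildItem $base | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.EnableDHCP -eq 1 -and $p.NameServer) {
            [pscustomobject]@{
                Interface = $_.PSChildName
                ManualDns = $p.NameServer
                DhcpDns   = $p.DhcpNameServer
            }
        }
    }
}

Get-SuspiciousProcess        | Format-Table -AutoSize
Get-SuspiciousProfileFile    | Format-Table -AutoSize
Get-ManualDnsOnDhcpInterface | Format-Table -AutoSize
```

Once a hit is confirmed, the manual DNS entries can be cleared with `Set-DnsClientServerAddress -InterfaceAlias <name> -ResetServerAddresses` (Windows 8 and later), and the process and files handled as described above.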

The tools I used are listed below:

  • Process Explorer (procexp.exe): www.live.sysinternals.com (you can download the full suite of tools here for FREE!)
  • Malwarebytes: http://www.malwarebytes.org/
  • CCleaner: www.ccleaner.com

PCI Compliance Software Examples – Expert Analysis of PCI Compliance Software | BVA IT Consulting Blog

I have had a few clients in the past few months look at software to manage their credit card transactions so that they could follow PCI compliance. It has never been more important to have cost-effective, advanced IT solutions in place to watch over the biggest threats to corporate data security and compliance. One solution that surfaced from a client here in the valley was from Quest Software, called InTrust.

InTrust securely collects, stores, reports and alerts on event data from Windows, Unix & Linux systems, helping you comply with external regulations, internal policies, and security best practices. InTrust helps organizations achieve regulatory compliance by auditing access to critical systems and detecting inappropriate or suspicious access-related events. With this specialty tool, you can collect, analyze, report, and generate automated real-time alerts for all relevant access-related events across your heterogeneous network.

Using this single solution to monitor access to critical systems on multiple platforms reduces the complexity of event log management, saves expensive storage administration costs, improves information assurance, mitigates risk, and helps to reduce the cost and improve the efficiency of security, operational and compliance reporting. Another solution, offered by another client, was a software product from GFI called EventsManager or LANguard. They have free trials for all of the products mentioned, which is huge for tailored solutions.