
Something on the server is automatically adding Deny rules on port 445 and a couple other ports. The rules are appearing in the Firewall and IP Security policies. They are blocking network and printer sharing.

I have tried renaming, disabling, deleting the rules/policies but they come back on their own.

I have done virus scans on 3 different AV programs (Windows Defender, Kaspersky, Malwarebytes) and they have come back clean. I've uninstalled ALL unnecessary programs. I have checked ALL scheduled tasks, and they are appropriate. I have checked ALL startup tasks (Startup folder and registry Run/RunOnce), nothing in them. There are no GPOs set. No VNC/RDP services, so it's not someone doing it manually.

I've been able to stop the rules/policies from automatically being added by setting the permissions on the registry keys of the firewall rules and IPsec policies to (Everyone: Deny creating/changing/deleting).

How can I pinpoint what is setting these rules/policies?!? The event viewer simply says the Local Service user used netsh to create the rules, but no details on where netsh was called from. Nothing in the event viewer about IPsec policies; I've recently enabled auditing, but nothing in there helps.

Greg



Are you patched for MS17-010? Are you running Server 2003?

-- My TG team got back to me again; I wanted to pass on their info. The URL is now defunct, so they were not able to get access to the MSI.

" The DLL is the “adylkuzz” Monero cryptocurrency miner. It is being delivered using MS17-010 EternalBlue/DoublePulsar.

Once installed it modifies the host firewall to block port 445 and prevent further exploitation attempts. It installs itself as a Windows service under the name “WLEM”, with the binary in c:\Windows\Fonts\wuauserv.exe

Next it tries to determine the host IP by contacting the public icanhazip.com site. DNS requests are made for C2 host “08.super5566[.]com”.

The crypto miner is downloaded from the C2 and stored as c:\windows\fonts\msiexev.exe. The miner is then invoked using the following command:

“-a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:443 -p x -u 42hDr4Lh2QbiLxrZbRZVmxgKGkMaSKWHSfTG6cBHb3yZ8NNEMuZKta74FqMvejvejyhvyT8C8pXY1TqpRS4czWvf744JjqP”

Several exceptions are added to the Windows firewall for other binaries:

0x3ed5f8 (138): netsh advfirewall firewall add rule name="Windriver" dir=in program="%PROGRAMFILES%\Hardware Driver Management\windriver.exe" action=allow

0x3ed698 (131): netsh advfirewall firewall add rule name="Chrome" dir=in program="%PROGRAMFILES%\Google\Chrome\Application\chrome.txt" action=allow

Other than the mining of cryptocurrency, this sample doesn't appear to do much else."

Brad
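A host check for the indicators Brad's team listed, and a way to answer Greg's original question of which process is launching netsh. This is an added example written for this thread, not code from the answer or from any vendor. It assumes Server 2012 or later for the NetSecurity cmdlets, that the sample's paths live under %SystemRoot%, and that "Audit Process Creation" with command-line logging is already enabled (the parent-process field in event 4688 exists on Server 2016 / Windows 10 and later; older systems only give the creator PID).

```powershell
# Added hunt script for this thread (not from the original answer). Run elevated.
# Indicators below are the ones quoted in the answer; nothing else is assumed to be malicious.
$suspectService = 'WLEM'
$suspectFiles   = @("$env:SystemRoot\Fonts\wuauserv.exe",
                    "$env:SystemRoot\Fonts\msiexev.exe")

# 1. Service installed by the sample.
$svc = Get-CimInstance Win32_Service -Filter "Name='$suspectService'"
if ($svc) { "Service $($svc.Name) present: $($svc.PathName) [$($svc.State)]" }

# 2. Executables in the Fonts directory are suspicious on their own; flag the named ones.
Get-ChildItem "$env:SystemRoot\Fonts" -Filter *.exe -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $flag = if ($suspectFiles -contains $_.FullName) { 'KNOWN-IOC' } else { 'review' }
        "{0,-9} {1} sha256={2}" -f $flag, $_.FullName, (Get-FileHash $_.FullName).Hash
    }

# 3. Firewall rules: allow rules whose program is not an .exe (the chrome.txt trick),
#    and block rules on 445 like the ones Greg keeps seeing reappear.
Get-NetFirewallRule | ForEach-Object {
    $rule = $_
    $app  = $rule | Get-NetFirewallApplicationFilter
    $port = $rule | Get-NetFirewallPortFilter
    if ($app.Program -and $app.Program -ne 'Any' -and $app.Program -notmatch '\.exe$') {
        "Rule '$($rule.DisplayName)' allows non-exe program: $($app.Program)"
    }
    if ($rule.Action -eq 'Block' -and ($port.LocalPort -contains '445')) {
        "Rule '$($rule.DisplayName)' blocks 445 (dir=$($rule.Direction), group='$($rule.Group)')"
    }
}

# 4. Who launches netsh? Event 4688 (process creation) records the creator process.
#    Property indices are the documented 4688 field order.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[5].Value -like '*\netsh.exe' } |
    ForEach-Object {
        $p = $_.Properties
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $p[1].Value
            CmdLine   = $p[8].Value               # empty unless command-line logging is on
            CreatorId = $p[7].Value               # creator PID (all versions)
            Parent    = if ($p.Count -gt 13) { $p[13].Value } else { '(not logged on this OS)' }
        }
    } | Format-Table -AutoSize
```

The IPsec policies Greg mentions are not covered by the NetSecurity cmdlets; `netsh ipsec static show all` lists them, and the same 4688 search will show the process that ran that netsh command too.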