Virus that tries to brute force attack Active Directory users (in alphabetical order)?
Users started complaining about slow network speed, so I fired up Wireshark. Did some checking and found many PCs sending packets similar to the following (screenshot):
I blurred out the text for the username, computer name and domain name (since it matches the internet domain name). Computers are spamming the Active Directory servers trying to brute force hack passwords. It will start with Administrator and go down the list of users in alphabetical order. Physically going to the PC finds no one anywhere near it, and this behavior is spread across the network, so it appears to be a virus of some sort. Scanning computers which have been caught spamming the server with Malwarebytes, Super Antispyware and BitDefender (this is the antivirus the client has) yields no results.
This is an enterprise network with about 2500 PCs, so doing a rebuild is not a favorable option. My next step is to contact BitDefender to see what help they can provide.
Has anybody seen anything like this or have any ideas what it could possibly be?
Sorry, I've no idea what this is; however, you have more important issues right now.
How many machines are doing this? Have you disconnected them all from the network? (And if not, why not?)
Can you find any evidence of domain accounts being compromised (especially domain admin accounts)?
I can understand you not wanting to build your desktops again, but unless you do, you can't be sure you'll clean the machines.
First steps:
- Ensure complex passwords are enabled on your domain
- Set a lockout policy - this will cause you problems if you still have scanning machines, but this is better than more accounts being compromised.
- Isolate a known bad machine: is it trying to talk to the outside world? You need to block this across your network at your gateway.
- Attempt to isolate all known bad machines.
- Monitor for more scanning machines.
- Force all your users to change their password, check all your service accounts.
- Disable any accounts no longer in use.
- Check your group memberships on servers and DCs (Domain Admins, Administrators, etc.).
Next you need to perform some forensics on your known bad machines to try and trace what has happened. Once you know this, you stand a better chance of knowing what the scope of this attack is. Use RootkitRevealer, and perhaps even image the hard disk before you destroy any evidence. Linux Live CDs with NTFS support can be very useful here, as they should allow you to find what a rootkit could be hiding.
Things to consider:
- Do you have a standard local admin (weak) password on all the workstations?
- Do your users have admin rights?
- Are all domain admins using separate accounts for DA activities? Consider setting restrictions on these accounts (e.g. workstations you can log on to).
- You don't give any info about your network. Do you have any publicly exposed services?
Edit: Trying to give more info is difficult, as it really depends upon what you find, but having been in a similar situation several years ago, you really need to distrust everything, especially machines and accounts that you know to be compromised.
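The "monitor for more scanning machines" step above, as an added example that is not part of either answer: a small Python script that flags source hosts failing logons against many distinct accounts in alphabetical order, the pattern the question describes. The record format and the sample records are constructed for this example; it assumes failed-logon events exported from the DC security log as Windows event IDs 4771 (Kerberos pre-authentication failed) and 4625 (logon failure).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data): timestamp, event id, source IP, target account.
# 10.1.20.17 walks the account list from Administrator downwards; 10.1.30.44 is a user
# mistyping one password, which must not be flagged.
SAMPLE_EVENTS = """\
2011-03-02T09:00:01 4771 10.1.20.17 Administrator
2011-03-02T09:00:02 4771 10.1.20.17 aaronb
2011-03-02T09:00:02 4771 10.1.20.17 abbyk
2011-03-02T09:00:03 4771 10.1.20.17 adamr
2011-03-02T09:00:03 4771 10.1.20.17 alicem
2011-03-02T09:00:04 4771 10.1.20.17 andrewp
2011-03-02T09:00:05 4771 10.1.20.17 anitah
2011-03-02T09:00:05 4771 10.1.20.17 arthurj
2011-03-02T09:00:20 4625 10.1.30.44 jsmith
2011-03-02T09:02:10 4625 10.1.30.44 jsmith
"""

def parse_events(text):
    """Parse whitespace-separated records into (time, event_id, source, account) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, event_id, source, account = line.split()
            events.append((datetime.fromisoformat(ts), int(event_id), source, account))
    return events

def find_spraying_hosts(events, min_accounts=5, window=timedelta(minutes=5), min_sorted=0.8):
    """Return {source: (distinct_accounts, sorted_fraction)} for sources whose failures within
    any `window` hit at least `min_accounts` distinct accounts, mostly in alphabetical order."""
    per_source = defaultdict(list)
    for ts, event_id, source, account in events:
        if event_id in (4771, 4625):          # only failed logons are of interest
            per_source[source].append((ts, account))
    flagged = {}
    for source, records in per_source.items():
        records.sort()                        # chronological order per source
        start = 0
        for end in range(len(records)):
            while records[end][0] - records[start][0] > window:
                start += 1                    # slide the window forward
            accounts = [a.lower() for _, a in records[start:end + 1]]
            if len(set(accounts)) < min_accounts:
                continue
            # Fraction of consecutive account pairs that are in alphabetical order
            pairs = list(zip(accounts, accounts[1:]))
            sorted_fraction = sum(a <= b for a, b in pairs) / len(pairs)
            if sorted_fraction >= min_sorted:
                flagged[source] = (len(set(accounts)), round(sorted_fraction, 2))
    return flagged

if __name__ == "__main__":
    for host, (n, frac) in find_spraying_hosts(parse_events(SAMPLE_EVENTS)).items():
        print(f"{host}: {n} distinct accounts, {frac:.0%} of them in alphabetical order")
```

The same logic can be pointed at a real export of the DC security log by replacing SAMPLE_EVENTS with the exported records in the same four-field layout.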
It could be anything from L0phtCrack to THC-Hydra or even a custom-coded application, though your AV solution should have picked up the well-known apps.
At this point, you need to identify all the systems infected, quarantine them (vlan, etc), and contain and eradicate the malware.
Have you contacted your I.T. Security team yet?
Finally, I understand you not wanting to rebuild, but at this point (with the little data you have given), I would say that the risk warrants rebuilds.
-Josh