DEALING WITH A VIRUS THAT INFECTS THE ENTIRE COMPUTER NETWORK

Posted by Ardy Prasetyo on March 19, 2008

Many viruses spread over the computer network in internet cafés and offices, mainly because of internet access. A single infected client computer can infect the entire network, possibly hundreds of machines. Moreover, every client computer that shares files/folders is even easier prey for a virus, which by nature is always looking for an opportunity to replicate itself and then spread.

Here is how Norman antivirus recommends dealing with it:

Stopping network share infectors

Many viruses today are share infectors. They infect open shares throughout the network. A single infected computer is capable of infecting hundreds of other machines.

It is a common scenario that many sites have open shares on their servers where all users have unlimited access. The intention of these shares is to provide a universal area where all users can exchange common files and information. Other scenarios include shares that are not intended for common purposes, but are open due to lack of planning and security. No matter the reason, these file shares are highly exposed to viruses like Pinfi and Funlove that have open file shares as a target for infection.

A share infector scenario:

The figure above illustrates an unprotected workstation (IP: 192.168.0.13) that is allowed to execute a file infected with the Pinfi virus. The infected workstation will propagate to open file shares on computers in the network, look for files with .exe and .scr extensions on these shares and then try to infect these files.

All servers in this situation are protected with updated antivirus software, which monitors the file system on the servers. An attempt to infect files on these shares will be detected and infected files are instantly cleaned.

The problem, however, is that the workstation is still infected and will re-infect the .exe and .scr files shortly after the antivirus software has performed the first clean operation. We now have an infect-clean-infect cycle that will go on forever unless something is being done with the original infection: the infected workstation.

Finding the source of the problem

In a large network with hundreds, even thousands of machines, it can be really hard to find this particular workstation. The Virus Alert message normally just points at the target file of the infection, which virus was found, and what has been done to the file. There is obviously a need for some extra information to solve this problem.

One way of solving the problem is to use an external tool to monitor a file that is likely to be infected. To avoid too many changes on any of the original servers it may be a good idea to set up a new test machine in the network, create an open share on this machine, and place a copy of an .exe file there. In the Pinfi case we know that .exe files are attractive targets to infect, so we copy the file calc.exe from the \Windows directory to the new file share. The calc.exe file is now a “bait” for the infector.

Before we connect the “bait” machine to the network, we need to install a “sniffer” program. We think Ethereal is a good alternative; programs like Sniffer Pro and Etherpeek will do as well, but Ethereal can be downloaded free of charge. It contains a lot of functionality, so in this paper we will only cover the functions relevant to solving this particular scenario.

Install Ethereal

You need two components:

1. Install and run the WinPCap driver that can be downloaded from winpcap.polito.it
2. Install and run Ethereal – can be downloaded from ethereal.com

NOTE: Although our experience with Ethereal is good, we do not support it, so you use it at your own risk.

Monitoring the activity on the network

When Ethereal is installed, make sure that the NVC’s On-access scanner is running on the machine, and start the NVC Utilities program where you open the Messages window.

Before you start monitoring the file, make sure that it gets infected by watching the virus alerts in the Messages window. If no virus alerts appear, then the bait does not work. Check again to make sure that the directory containing the bait really is shared, and that all users have full access to the share.

If this still does not work, you may need to install Ethereal on one of the servers where the infection originally appeared. Some share infectors just infect shares that were available upon start of the infected program. In such a case, find a file here to use as bait for the infection.

Now start Ethereal. We want to capture the activity that the machine receives via the network. But we only want to focus on activity related to the bait, which is the calc.exe test file.

In the lower left corner there is a field labelled Filter. In this field type the string:

smb.file contains "calc.exe"

Select the command Capture/Start and then click OK. The capture window appears. From now on watch the activity in the NVC Utilities’ Messages window. As soon as there is a new infection on our bait, close the Ethereal capture window. The log from the capture appears in the main window. Make sure that our filter is active by clicking Apply.

By watching the “Source” and “Destination” columns you should now be able to see the IP addresses used in manipulations of the calc.exe file. In our case the local address for our machine is 192.168.0.15. The other IP address involved in the transactions is 192.168.0.13.

Obviously a machine with the address 192.168.0.13 is the infector. You can now solve the problem by isolating it and then performing a complete On-demand scan with the relevant fix(es) applied.

Repeat the process to ensure that there are no other infectors in the network.
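The same correlation done by hand above (filter on the bait file name, read off the Source column, match it against the alerts) as an added Python example; this is not Norman's or the post's code. It assumes the capture has been exported as tab-separated fields (the sample lines and alert times below are constructed, not a real capture), and it adds two checks the display filter alone does not make: the request must be aimed at the bait machine, and it must be a write.

```python
# Added example: rank the hosts that write to the bait file on an open share.
from collections import Counter

SMB_COM_WRITE_ANDX = 0x2F  # SMB1 write request (MS-CIFS); reads are 0x2E

# Constructed sample, shaped like a tab-separated export of the fields
# frame.time_epoch, ip.src, ip.dst, smb.cmd, smb.file. Not a real capture;
# 192.168.0.15 is the bait machine and 192.168.0.13 the suspect from the text.
SAMPLE_EXPORT = """\
1205910001.10\t192.168.0.13\t192.168.0.15\t0xa2\t\\calc.exe
1205910001.15\t192.168.0.13\t192.168.0.15\t0x2f\t\\calc.exe
1205910001.20\t192.168.0.15\t192.168.0.13\t0x2f\t\\calc.exe
1205910020.00\t192.168.0.22\t192.168.0.15\t0xa2\t\\notes\\calc.exe.txt
1205910030.00\t192.168.0.22\t192.168.0.15\t0x2e\t\\calc.exe
1205910061.10\t192.168.0.13\t192.168.0.15\t0x2f\t\\calc.exe
"""
# Constructed alert times (epoch seconds) noted from the Messages window.
SAMPLE_ALERTS = [1205910003.0, 1205910063.0]


def parse_export(text):
    """Parse export lines into dicts; lines without exactly 5 fields are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue
        ts, src, dst, cmd, path = parts
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "cmd": int(cmd, 16), "file": path})
    return records


def bait_writes(records, bait_ip, bait_name="calc.exe"):
    """The display filter plus direction (request sent to the bait machine, not
    the server's reply) and command (a write; reads cannot modify the bait).
    `contains` is a substring test, so calc.exe.txt matches the filter alone."""
    return [r for r in records
            if bait_name in r["file"]
            and r["dst"] == bait_ip
            and r["cmd"] == SMB_COM_WRITE_ANDX]


def rank_sources(records, bait_ip, alerts, window=10.0):
    """Count per source host the writes landing within `window` seconds
    before an on-access alert; the top entry is the suspected infector."""
    hits = Counter()
    for w in bait_writes(records, bait_ip):
        if any(0 <= a - w["ts"] <= window for a in alerts):
            hits[w["src"]] += 1
    return hits.most_common()


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    print(rank_sources(recs, "192.168.0.15", SAMPLE_ALERTS))  # [('192.168.0.13', 2)]
```

A host that only reads the bait, or a server reply carrying the file name, never makes the list, which keeps a backup job or a curious user from being mistaken for the infector.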

source: Norman antivirus

6 Responses to “DEALING WITH A VIRUS THAT INFECTS THE ENTIRE COMPUTER NETWORK”

  1. Ave Avrille said

    hopefully my virus ...
    thanks, it really got fixed

  2. O0n said

    Please translate it, bro, because I don't understand it at all, and if possible send it to my email, pleeease

  4. hartono said

    how do I download the Norman VNC network scan (where is the link)? please email me at Hartono_bs@yahoo.com, thanks

  5. popcornish said

    wew… you're the best…..

  6. manjat said

    thanks a lot for the info, awesome. For MotoGP info just drop by here: http://motogp.unsri.ac.id/
