Virus that tries to brute force attack Active Directory users (in alphabetical order)?
Posted by Nate Pinchot on Server Fault
Published on 2010-03-17T22:48:01Z
Users started complaining about slow network speed so I fired up Wireshark. Did some checking and found many PCs sending packets similar to the following: (screenshot) http://imgur.com/45VlI.png
I blurred out the text for the username, computer name and domain name (since it matches the internet domain name). Computers are spamming the Active Directory servers trying to brute force hack passwords. It will start with Administrator and go down the list of users in alphabetical order. Physically going to the PC finds no one anywhere near it and this behavior is spread across the network so it appears to be a virus of some sort. Scanning computers which have been caught spamming the server with Malwarebytes, Super Antispyware and BitDefender (this is the antivirus the client has) yields no results.
This is an enterprise network with about 2500 PCs so doing a rebuild is not a favorable option. My next step is to contact BitDefender to see what help they can provide.
Has anybody seen anything like this or have any ideas what it could possibly be?
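One way to pick out the affected PCs from domain controller logs, as an added example that is not part of the original post: it flags any source host whose failed logons walk through many accounts in ascending name order, the pattern described above. The `timestamp,source_host,target_user` line format, the host and user names, and the thresholds are all constructed assumptions; real failed-logon events would need to be exported into that shape first.

```python
from collections import defaultdict

# Constructed sample of failed logons: "timestamp,source_host,target_user".
SAMPLE = """\
2010-03-17T22:10:01Z,PC-0142,Administrator
2010-03-17T22:10:03Z,PC-0142,aallen
2010-03-17T22:10:04Z,PC-0142,abaker
2010-03-17T22:10:05Z,PC-0977,jsmith
2010-03-17T22:10:06Z,PC-0142,bcarter
2010-03-17T22:10:07Z,PC-0142,cdavis
2010-03-17T22:10:09Z,PC-0142,dedwards
2010-03-17T22:11:30Z,PC-0977,jsmith
2010-03-17T22:12:00Z,PC-0555,zyoung
2010-03-17T22:12:05Z,PC-0555,mking
"""

def parse(text):
    """Yield (timestamp, source, user) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) == 3 and all(parts):
            yield tuple(parts)

def first_seen_users(events):
    """Per source: distinct target users in order of first failed attempt."""
    seen = defaultdict(list)
    for _, source, user in sorted(events):  # ISO 8601 timestamps sort as text
        key = user.lower()
        if key not in seen[source]:
            seen[source].append(key)
    return seen

def alphabetical_sweepers(events, min_users=5, min_ordered=0.9):
    """Flag sources that fail logons for many accounts in ascending name order."""
    flagged = {}
    for source, users in first_seen_users(events).items():
        if len(users) < max(min_users, 3):
            continue
        # "administrator" is tried first, ahead of the sorted list; set it aside.
        rest = users[1:] if users[0] == "administrator" else users
        pairs = list(zip(rest, rest[1:]))
        ordered = sum(a < b for a, b in pairs) / len(pairs)
        if ordered >= min_ordered:
            flagged[source] = (len(users), round(ordered, 2))
    return flagged

if __name__ == "__main__":
    for host, (count, ratio) in alphabetical_sweepers(parse(SAMPLE)).items():
        print(f"{host}: {count} accounts tried, {ratio:.0%} in alphabetical order")
```

A user who repeatedly mistypes one password (PC-0977 in the sample) or a host touching only a few accounts is not flagged, which keeps ordinary lockout noise out of the result.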