Security Basics
Thread: Malware detection
- Malware detection, Jul 18 2012 12:27AM, Tony (xnikod gmail com) (3 replies)
- RE: Malware detection, Jul 18 2012 04:37PM, John Hebert (jhebert bizdps com) (3 replies)
- Re: Malware detection, Jul 18 2012 05:01PM, Raghav Pande (kaelsunstrider raghav gmail com) (2 replies)
- Re: Malware detection, Jul 18 2012 05:19PM, ricky alwi (ricky rap28 gmail com) (2 replies)
- RE: Malware detection, Jul 18 2012 06:24PM, Mikesch, David A (dave_mikesch baxter com) (1 reply)
I'll also piggyback on something John stated that I didn't in my original text. John said "no solution is 100% effective". Agreed in full. That's where practice with and usage of multiple tools (hopefully free ones for the most part) can help. In small environments or where you have suspicions that a machine is infected you can do manual analysis, which may reveal brand new malware that no tool is currently picking up. And defense-in-depth is always a good plan. Anyway here's my original response:
I'm not professionally endorsing any products, but I'll state that MalwareBytes (free or Pro version) should be able to detect (and eradicate) those trojans, without impacting your production machines (beyond the need for a quick reboot in some cases to complete the cleanup job). You can postpone the reboot (where required).
There absolutely are other products (i.e., ComboFix) that will render your production machines completely unusable while scanning, which is obviously what you're hoping to avoid.
Then there are network-based products which detect and report on suspect Internet connections to/from botnet C&C servers, as well as the download of trojan keystroke loggers, rootkits, etc. Those could alert to the presence of such malware along with the infected production machine identification. Again, not endorsing any products, but (if you have some budget and work cycles to spare) you can look at things like FireEye, TMS (Trend), WildFire (Palo Alto), MetaFlows, etc.
Peace,
Vic
(lifetime malware hater)
----- Original Message -----
From: "John Hebert" <jhebert (at) bizdps (dot) com>
To: "ricky rap28" <ricky.rap28 (at) gmail (dot) com>, listbounce (at) securityfocus (dot) com, "Tony" <xnikod (at) gmail (dot) com>, security-basics (at) securityfocus (dot) com
Sent: Wednesday, July 18, 2012 1:31:20 PM
Subject: RE: Malware detection
> -----Original Message-----
> From: ricky alwi [mailto:ricky.rap28 (at) gmail (dot) com]
> Sent: Wednesday, July 18, 2012 1:03 PM
> To: John Hebert; listbounce (at) securityfocus (dot) com; Tony; security-basics (at) securityfocus (dot) com
> Subject: Re: Malware detection
>
> John Hebert
>
> What if the system is using Windows Server 2003 R2? My office is using this
> system.
Keeping in mind that the "best" solution changes as technology changes, and that no solution is 100% effective (other than a reformat of a computer), try to find one that's consistently a top performer and doesn't have a reputation for slowing down the computer. Most vendors offer free trials, and I'd highly recommend making use of those options to find one that works well with your business applications. What works for one company may or may not work as well for another.
My recommendation would be to look at Kaspersky. It detects not only existing malware that might be on the computer, but works to fight infections as/before they happen. If you're looking for something to inspect on-demand, take a look at MalwareBytes. You may be familiar with their free tool, but they have corporate licensing available as well.
That being said, it's really only part of the equation. The trojans do need to communicate with someone, somewhere, so having some sort of network traffic filtering and monitoring in place to look for odd behavior should be a to-do item. That way, even if one of your systems becomes infected, it's an extra check in place to notice and hopefully prevent it from communicating with the control server(s).
>
> Thx before.
>
> Regards,
>
> Ricky
> Sent from my BlackBerry(r) via Smart 1x / EVDO Network.
> Smart.Hebat.Hemat.
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
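One concrete form of the "odd behavior" check John and Vic describe, flagging a production machine that contacts the same outside address at a near-constant interval (the check-in rhythm of a trojan talking to its control server), applied to proxy or firewall logs. This is an added example, not code from the thread; the log format, host names and sample lines are constructed.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (not from the thread): epoch seconds, source host,
# destination, bytes out. ws-017 -> 203.0.113.77 repeats about every 300 s
# (a check-in pattern); the ws-042 entries are ordinary, irregular browsing.
SAMPLE_LOG = """\
1342569600 ws-017 10.0.0.5 2048
1342569605 ws-017 updates.example-vendor.test 4096
1342569900 ws-017 203.0.113.77 312
1342570195 ws-017 203.0.113.77 298
1342570505 ws-017 203.0.113.77 305
1342570800 ws-017 203.0.113.77 310
1342569700 ws-042 www.example.test 15000
1342569720 ws-042 www.example.test 9000
1342571000 ws-042 www.example.test 12000
1342575000 ws-042 www.example.test 20000
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)$")

def parse_log(text):
    """Return (timestamp, src, dst, bytes) tuples; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
    return events

def find_beacons(events, min_hits=4, max_jitter=0.1):
    """Map (src, dst) -> mean interval for pairs whose connection gaps are
    nearly constant (coefficient of variation <= max_jitter). Evenly spaced
    connections from one workstation to one outside host deserve a closer look."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue  # too few connections to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = avg
    return beacons
```

Running `find_beacons(parse_log(SAMPLE_LOG))` reports only the ws-017 to 203.0.113.77 pair; the irregular browsing from ws-042 is not flagged, and the thresholds can be tightened or loosened per environment.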