topic Re: Threat identification & removal? [Virus/Win32.slugin.iyz(2385375)] in General Topics

Threat identification & removal? [Virus/Win32.slugin.iyz(2385375)]

Terina — Tue, 12 Jul 2011 14:53:56 GMT

I'm hoping someone can help me with a threat detected by my PA500 (details below).

I recently found entries in my Threat logs suggesting an SSL-VPN user was malware compromised. Upon closer inspection, I cannot determine exactly the nature of the threat, nor how to detect/remove the threat from the client machine. I'm hoping this is not a false positive identifying a normal function as malware.(GoogleToolbarInstaller_updater_signed.exe)

I'm not finding answers in Palo Alto's Threat database, nor in the Knowledgebase. But maybe someone here has some experience or insight regarding this threat? I'd appreciate some help, thanks!

How real is this "virus"? (I can't find detailed descriptions on PaloAlto, let alone other sources)

How do I remove the infection?

Is this expected behavior from GoogleToolbarInstaller updater?

Why is this "bad"?

Domain

Receive Time

Serial #

Type

Threat/Content Type

Config Version

Generate Time

Source address

Destination address

NAT Source IP

NAT Destination IP

Rule

Source User

Destination User

Application

Virtual System

Source Zone

Destination Zone

Inbound Interface

Outbound Interface

Log Action

Time Logged

Session ID

Repeat Count

Source Port

Destination Port

NAT Source Port

NAT Destination Port

Flags

IP Protocol

Action

URL

Threat/Content Name

Category

Severity

Direction

08-07-11 06:30

0006C1xxxxxx

THREAT

virus

08-07-11 06:30

173.194.24.83

172.16.1.1

173.194.24.83

71.180.xxx.xxx

rule1

rmanik

web-browsing

vsys1

L3-untrust

SSL-VPN

tunnel.1

ethernet1/5

08-07-11 06:30

50509

49797

55650

0x400000

tcp

deny

GoogleToolbarInstaller_updater_signed.exe

Virus/Win32.slugin.iyz(2385375)

any

medium

server-to-client

Palo Alto Threat Database 3.1 yields the following description:

Virus/Win32.slugin.iyz (2385375)

Attack Name Worm/W32.generic.fklrm Description Threat ID 2385375

The log detail is as follows:

Log Details

Time
Generate Time: 2011/07/08 06:30:32
Receive Time: 2011/07/08 06:30:37

General
Session ID: 50509
Threat/Content Name: Virus/Win32.slugin.iyz
Threat/Content Type: virus
Action: deny
Severity: medium
Application: web-browsing
IP Protocol: tcp
Rule: rule1
Log Action:
Category: any
Repeat Count 2
Virtual System: vsysl
Misc: GoogleToolbarInstaller_updater_signed.exe
Device: 0006C1xxxxxx (myPa500Serial)

Misc
Captive Portal:
Proxy Transaction:
Decrypted:
Packet Capture:
Direction: server-to-client

Source
Source User:
Source address: 173.194.24.83
Source Port: 80
Source Zone: L3-untrust
Inbound Interface: tunnel.1
NAT Source IP 173.194.24.83
NAT Source Port: 80

Destination
Destination User: rmanik
Destination address: 172.16.1.1
Destination Port: 49797
Destination Zone: SSL-VPN
Outbound Interface: ethernetl/5
NAT Destination IP: 71.180.xxx.xxx (myExternalPublicIp)
NAT Destination Port: 55650

Receive Time   log     Type Application Action Rule   Bytes Pkts Severity Category URL
07/08 06:30:37 threat virus web-browsing deny   rulel              medium   any      GoogleToolbarInstaller_updater_signed.exe
07/08 06:32:02 traffic end   web-browsing allow rule I 12,354 15

My PA500:

Software version	4.0.2
SSL-VPN Client	1.3.0
GlobalProtect Client	0.0.0
Application version	255-1051
Threat version	254-1048
Antivirus version	515-673
URL Filtering version	3637
GlobalProtect datafile version	0

Re: Threat identification & removal? [Virus/Win32.slugin.iyz(2385375)]

cshep — Tue, 12 Jul 2011 17:36:15 GMT

Terina - We've had several downloads of the GoogleToolbarInstaller_updater_signed.exe blocked by the same Threat ID 2385375. Suspecting that it might be a false positive, I opened a case on July 5th. It is still being researched. -Craig

Re: Threat identification & removal? [Virus/Win32.slugin.iyz(2385375)]

migration — Thu, 03 Nov 2011 14:11:14 GMT

Curious if there has been any movement on this issue. I am seeing this alot now on our PA500 classified as Trojan/Win32.patched.ocmj(2569370). It seems to be associated with the Google-Update application.

Re: Threat identification & removal? [Virus/Win32.slugin.iyz(2385375)]

gswcowboy — Thu, 03 Nov 2011 16:35:18 GMT

Hi mwaters31

I would open up a case with Support that includes the following:

1) Pcap of the threat

2) Output from the command >show system info

3) A snapshot of the threat via the threat log

We'll investigate promptly and provide a bug fix if it's deemed as a false positive.

Re: Threat identification & removal? [Virus/Win32.slugin.iyz(2385375)]

frank_henry — Thu, 10 Nov 2011 17:26:25 GMT

+1. I'd like to see the Threat Details include a MD5 Checksum so we may look at virustotal ourselves. Perhaps this will be possible with Wildfire?

Re: Threat identification & removal? [Virus/Win32.slugin.iyz(2385375)]

sschulman — Wed, 30 Nov 2011 15:59:08 GMT

Hello. I was wondering if there has been any updates to whether this is a legit threat or false positive?

Re: Threat identification & removal? [Virus/Win32.slugin.iyz(2385375)]

migration — Thu, 01 Dec 2011 15:34:06 GMT

According to the Tech Support working on the case I opened, a bug was found and was subsequently fixed in virus definition version 605.