Skip navigation
McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
750 Views 2 Replies Latest reply: Feb 15, 2013 4:01 AM by igfloz RSS
igfloz Newcomer 2 posts since
Feb 12, 2013
Currently Being Moderated

Feb 12, 2013 5:47 PM

Backdoor: Acid Battery (false positive) ?

Recently upgraded a solo NSM to V7.5 and applied relevant updates to a number of  I-1200/1400 and M-1250 IDS devices on our network.

My IDS devices are configured "In Line"

My estate OS updates are managed by a WSUS server. All workstations are AV managed by an ePO server and up to date.

 

I have recently seen "BACKDOOR: ACID BATTERY" Trojan as a threat  - source= 4 different workstations, destination = my WSUS Server.

I am seeing this "threat" on only one of the IDS devices  (all source PC's are passing traffic through the one IDS)

 

Google  shows that Mcafee lists acid battery as Backdoor-DE, but I cannot find much information specific to Mcafee on how to remove , or anything regarding "acid battery trojan" as a matter of fact !

 

I have wiresharked the source pc's and captured packets, but all packets seem to show benign WSUS update characteristics.

i.e port activity for WSUS port is 8530, not the internet described acid battery port of 32418

Source workstations have been scanned with McAfee Virusscan 8.8 with no result.


So

 

My question or discussion is.............

 

Is the Acid Battery threat a possible false positive ? how do I tell ?

Does the detection engine work effectively with WSUS update traffic ?

Do Mcafee have a known fix / removal method for Backdoor: Acid Battery trojan ?

 

P.S. - The reporting IDS device policy is "IDS", not "IPS" - might that have something to do with it ?

 

Any help or further questions would be most beneficial to me

  • barnaby_h Newcomer 3 posts since
    Feb 12, 2013
    Currently Being Moderated
    1. Feb 14, 2013 6:19 PM (in response to igfloz)
    Re: Backdoor: Acid Battery (false positive) ?

    Hi,

     

    Looking at the signature definition

     

    

    Signature #1:

    This signature matches against one or more of the following strings:

    "CDTRAY"

    "FLASH-COLORS"

    "clLime"

    "clGreen"

    and non-string signature(s)

     

    Signature #2:

    This signature matches against one or more of the following strings:

    "^CDTRAY"

    "^FLASH-COLORS"

    "^clLime"

    "^clGreen"

     

    If you can find any of them in your traffic capture, that might explain why its firing (the non-string signatures part doesnt help us much). It doesnt look like the strongest signature I've seen.

     

    The content for this attack appears to have been updated in 2004 so this is some pretty old malware and, if you have an antivirus installed on each of the boxes, you would hope that catches it.

     

    For this to be the real acid battery, someone would have had to compromise all 4 workstations and, provided you are happy enough to rule out the insider threat, be issuing command and control (C&C) instructions from beyond your network. Depending on how your network is configured, these machines would probably have to beacon out to the C&C domain which may raise alerts and be an additional thing to look for. Additionally, if the alert always appears when there is an update being pushed, this might be another pointer to fale positive.

     

    Without looking at the traffic its difficult to be sure, but it sounds like a false pos.

     

    I couldnt find anything relating to tell tale registry entries from a quick google but if the AV doesnt catch this, given its age, ..... I would be shocked.

     

    The IDS policy will only mean the traffic isnt blocked by the device (unless you have made custom mods). If you apply an IPS policy, and the attack is recommended for smart blocking, the device will block the traffic.

     

    Hope that helps.

More Like This

  • Retrieving data ...

Bookmarked By (0)

Legend

  • Correct Answers - 5 points
  • Helpful Answers - 3 points