Want rootkit-level access without the hassle? Enter, LightNeuron for Exchange Server

A recently uncovered malware infection uses the basic functions of Microsoft's Exchange Server to remotely monitor and control computer systems. Researchers at ESET said this week the software nasty, known as LightNeuron, is particularly difficult for admins to detect as it takes advantage of legitimate components within …

  1. Anonymous Coward
    Anonymous Coward

    Uninstall-TransportAgent doesn't work?

    Usually just deleting files of anything used by something else is a recipe for trouble - but does Uninstall-TransportAgent work to remove the malicious one?

    1. Anonymous Coward
      Anonymous Coward

      Re: Uninstall-TransportAgent doesn't work?

      5.1 Cleaning

      The cleaning of LightNeuron is not an easy task. Simply removing the two malicious files will break Microsoft Exchange, preventing everybody in the organization from sending and receiving emails.

      Note to other AV vendors: before adding a detection for the Transport Agent files, be aware that doing so without a proper cleaning routine will render your infected customer's Exchange servers inoperable, so proceed with caution.

      Before actually removing the files, the malicious Transport Agent should be disabled.

      First, open <ExchangeInstallFolder>\TransportRoles\Agents\agents.config and check every DLL. All of the genuine Transport Agents should be signed either by Microsoft or by a trusted software vendor. The agents.config file should be similar to Figure 31.

      <?xml version="1.0" encoding="utf-8"?>
      <configuration>
        <mexRuntime>
          <monitoring>
            <agentExecution timeLimitInMilliseconds="90000" />
          </monitoring>
          <agentList>
            [...]
            <agent name="Security Interop Agent"
                   baseType="Microsoft.Exchange.Data.Transport.Smtp.SmtpReceiveAgent"
                   classFactory="Microsoft.Exchange.Security.Interop.SecurityInteropAgentFactory"
                   assemblyPath="c:\program files\microsoft\Exchange Server\v15\bin\Microsoft.Exchange.Security.Interop.dll"
                   enabled="true"
                   IsCritical="true" />
            <agent name="Content Filter Agent"
                   baseType="Microsoft.Exchange.Data.Transport.Routing.RoutingAgent"
                   classFactory="Microsoft.Exchange.Security.Interop.ContentFilterAgentFactory"
                   assemblyPath="c:\program files\microsoft\Exchange Server\v15\bin\Microsoft.Exchange.Security.Interop.dll"
                   enabled="true"
                   IsCritical="true" />
          </agentList>
          <settings />
        </mexRuntime>
      </configuration>

      Figure 31 // agents.config example

      In that example, the malicious DLL is Microsoft.Exchange.Security.Interop.dll and two related Transport Agents are registered:

      • Security Interop Agent (called <name1> in the following explanations)
      • Content Filter Agent (called <name2> in the following explanations)

      Then, on the Exchange server, execute the following PowerShell commands with admin rights:

      Disable-TransportAgent -Identity <name1>
      Disable-TransportAgent -Identity <name2>
      Uninstall-TransportAgent -Identity <name1>
      Uninstall-TransportAgent -Identity <name2>

      The malicious Transport Agents are now disabled. After that, it is possible to remove the two malicious files without breaking Microsoft Exchange.

      If you do not plan to re-install the mail server, an important last step is to modify the passwords of all accounts that have administrative rights on the compromised server. Otherwise, attackers could access the server again to compromise it again.

      1. Hans 1
        Windows

        Re: Uninstall-TransportAgent doesn't work?

        "If you do not plan to re-install the mail server, an important last step is to modify the passwords"

        The server was compromised, so it needs to be reset.
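The ESET cleaning procedure quoted above (check every DLL in agents.config for a trusted signature, then Disable-TransportAgent and Uninstall-TransportAgent before touching files) as one script. This is an added example, not code from ESET, Microsoft or anyone in this thread. It assumes the ExchangeInstallPath environment variable that Exchange setup creates, the Hub transport service (the agents.config path ESET names), a trusted-publisher list, and a quarantine folder; all four are assumptions and are parameters you can change. It must be run in the Exchange Management Shell with admin rights.

```powershell
<#
  Added example (not ESET's, Microsoft's or the thread's own code).
  Audits <ExchangeInstallFolder>\TransportRoles\Agents\agents.config, flags
  agents whose DLL is missing or not Authenticode-signed by a trusted
  publisher, and, only with -Remove, runs Disable-/Uninstall-TransportAgent
  for the flagged agents before moving their DLLs to quarantine.
  Assumptions (not from the page): $env:ExchangeInstallPath, the Hub
  transport service, the trusted-publisher list and the quarantine path.
  Run in the Exchange Management Shell as an administrator.
#>
param(
    [string]   $ExchangeInstallFolder = $env:ExchangeInstallPath,   # assumption
    [string[]] $TrustedPublishers     = @('Microsoft Corporation'), # assumption
    [string]   $TransportService      = 'Hub',                      # assumption
    [string]   $Quarantine            = 'C:\Quarantine',            # assumption
    [switch]   $Remove
)

$configPath = Join-Path $ExchangeInstallFolder 'TransportRoles\Agents\agents.config'
[xml]$config = Get-Content -LiteralPath $configPath -Raw

# Pass 1: for every registered agent, verify the DLL its assemblyPath points at.
# Judge the file by its signature, not by its name: a malicious DLL can carry a
# Microsoft-looking file name and agent name, as in ESET's Figure 31.
$suspects = @()
foreach ($agent in @($config.configuration.mexRuntime.agentList.agent)) {
    $dll = $agent.assemblyPath
    if (-not (Test-Path -LiteralPath $dll -PathType Leaf)) {
        Write-Warning "SUSPECT $($agent.name): assembly not found: $dll"
        $suspects += $agent
        continue
    }
    $sig    = Get-AuthenticodeSignature -FilePath $dll
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    # Trusted only if the chain validates AND the subject's O= is on our list.
    $ok = ($sig.Status -eq 'Valid') -and
          ($null -ne ($TrustedPublishers | Where-Object { $signer -like "*O=$_*" }))
    if ($ok) {
        Write-Host ("OK      {0,-28} {1}" -f $agent.name, $dll)
    } else {
        Write-Warning ("SUSPECT {0,-28} {1}  status={2} signer={3}" -f
                       $agent.name, $dll, $sig.Status, $signer)
        $suspects += $agent
    }
}

if (-not $suspects) { Write-Host 'No suspicious Transport Agents found.'; return }
if (-not $Remove)   { Write-Host 'Re-run with -Remove to disable and uninstall the flagged agents.'; return }

# Pass 2: unregister the agents first, then touch the files. Two agents may
# share one DLL (both agents in Figure 31 do), so collect the distinct paths
# and quarantine each file once, after every agent referencing it is gone.
foreach ($agent in $suspects) {
    Disable-TransportAgent   -Identity $agent.name -TransportService $TransportService -Confirm:$false
    Uninstall-TransportAgent -Identity $agent.name -TransportService $TransportService -Confirm:$false
}
New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
foreach ($dll in ($suspects | ForEach-Object { $_.assemblyPath } | Sort-Object -Unique)) {
    if (Test-Path -LiteralPath $dll) {
        # Move rather than delete: keep the sample for forensics and AV submission.
        Move-Item -LiteralPath $dll -Destination $Quarantine -Force
        Write-Host "Quarantined $dll"
    }
}
# Transport agent changes take effect when the transport service restarts.
Restart-Service MSExchangeTransport
```

Run it once without -Remove and read the report before acting: a legitimately unsigned third-party agent will be flagged too, so confirm each hit against what you expect on that server. The converse caveat matters more: a DLL signed with a stolen or leaked certificate passes this check, so a clean report is a filter, not proof of a clean server. The script only reads the Hub agents.config that ESET names; other transport services keep their own agent configuration. Whether you then reset admin passwords (ESET) or rebuild the box (the reply above) is the remaining decision, and this script does neither.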

  2. Anonymous Coward
    Linux

    Recently uncovered malware infection

    “A recently uncovered malware infection uses the basic functions of Microsoft's Exchange Server to remotely monitor and control computer systems.”

    How does this malware initially infect and gain control of the computer?

  3. herman

    This is why servers should be virtual machines. It makes restoring from backup trivial.

    1. david 12 Silver badge

      Unless you have specifically modified your "server" to never update security tokens and timestamps, trivial restoration of a virtual machine from a backup copy will just break everything.

  4. Anonymous Coward
    Anonymous Coward

    Running 2FA on all admins, what a cute concept :P

    Oh look, a farting rainbow unicorn in the corner!

    Good luck getting that agreed by the other admins. Fantastic idea, it genuinely is, but likely?

    Nope, the reasoning will go along the lines of: I know what I am doing, I have <insert pre-21st-century Lotus cert>.

    We all know or have at least one in our direct team, right? The same one that insists on the "UAC just gets in the way and doesn't work quite right" mantra :D
