back to article Want rootkit-level access without the hassle? Enter, LightNeuron for Exchange Server

A recently uncovered malware infection uses the basic functions of Microsoft's Exchange Server to remotely monitor and control computer systems. Researchers at ESET said this week the software nasty, known as LightNeuron, is particularly difficult for admins to detect as it takes advantage of legitimate components within …

  1. Anonymous Coward
    Anonymous Coward

    Uninstall-TransportAgent doesn't work?

    Usually just deleting files of anything used by something else is a recipe for troubles - but does Uninstall-TransportAgent work to remove the malicious one?

    1. Anonymous Coward
      Anonymous Coward

      Re: Uninstall-TransportAgent doesn't work?

      5.1 Cleaning

      The cleaning of LightNeuron is not an easy task. Simply removing the two malicious files will break

      Microsoft Exchange, preventing everybody in the organization from sending and receiving emails.

      Note to other AV vendors: before adding a detection for the Transport Agent files, be aware that doing

      so without a proper cleaning routine will render your infected customer’s exchange servers inoperable,

      so proceed with caution.

      Before actually removing the files, the malicious Transport Agent should be disabled.

      First, open <ExchangeInstallFolder>\TransportRoles\Agents\agents.config and check every DLL.

      All of the genuine Transport Agents should be signed either by Microsoft a trusted software vendor. Theagents.config file should be similar to Figure 31.

      <?xml version="1.0" encoding="utf-8"?>

      <configuration>

      <mexRuntime>

      <monitoring>

      <agentExecution timeLimitInMilliseconds="90000" />

      </monitoring>

      <agentList>

      [...]

      <agent name="Security Interop Agent"

      baseType="Microsoft.Exchange.Data.Transport.Smtp.SmtpReceiveAgent"

      classFactory="Microsoft.Exchange.Security.Interop.

      SecurityInteropAgentFactory"

      assemblyPath="c:\program files\microsoft\Exchange Server\v15\bin\

      Microsoft.Exchange.Security.Interop.dll"

      enabled="true"

      IsCritical="true" />

      <agent name="Content Filter Agent"

      baseType="Microsoft.Exchange.Data.Transport.Routing.RoutingAgent"

      classFactory="Microsoft.Exchange.Security.Interop.

      ContentFilterAgentFactory"

      assemblyPath="c:\program files\microsoft\Exchange Server\v15\bin\

      Microsoft.Exchange.Security.Interop.dll"

      enabled="true"

      IsCritical="true" />

      </agentList>

      <settings />

      </mexRuntime>

      </configuration>

      Figure 31 // agents.config example

      In that example, the malicious DLL is Microsoft.Exchange.Security.Interop.dll and two related

      Transport Agents are registered:

      • Security Interop Agent (called <name1> in the following explanations)

      • Content Filter Agent (called <name2> in the following explanations)

      Then, on the Exchange server, execute the following PowerShell commands with admin rights:

      Disable-TransportAgent -Identity <name1>

      Disable-TransportAgent -Identity <name2>

      Uninstall-TransportAgent -Identity <name1>

      Uninstall-TransportAgent -Identity <name2>

      The malicious Transport Agents are now disabled. After that, it is possible to remove the two malicious files without breaking Microsoft Exchange.

      If you do not plan to re-install the mail server, an important last step is to modify the passwords

      of all accounts that have administrative rights on the compromised server. Otherwise, attackers could access the server again to compromise it again.

      1. Hans 1
        Windows

        Re: Uninstall-TransportAgent doesn't work?

        If you do not plan to re-install the mail server, an important last step is to modify the passwords

        The Server was compromised, so néeds to be reset.

  2. Anonymous Coward
    Linux

    Recently uncovered malware infection

    A recently uncovered malware infection uses the basic functions of Microsoft's Exchange Server to remotely monitor and control computer systems.”

    How does this malware initially infect and gain control of the computer?

  3. herman Silver badge

    This is why servers should be virtual machines. It makes restoring from backup trivial.

    1. david 12 Silver badge

      Unless you have specifically modified your "server" to never update security tokens and timestamps, trivial restoration of a virtual machine from a backup copy will just break everything.

  4. Anonymous Coward
    Anonymous Coward

    running 2FA on all adms what a cute concept :P

    oh look a farting rainbow unicorn in the corner!

    Good luck getting that on said agreed by other adms. Fantastic idea, it genuinely is, likely?

    Nope, reasoning will go along the lines of, I know what i am doing, I have <insert pre21st century lotus cert>

    we all know or have at least one in our direct team right? the same one that insists UAC just gets in the way and doesn't "work quite right" mantra :D

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like