Computerworld - Once again, I spent most of my week dealing with an outbreak of malicious code, and I'm now taking steps to avoid a similar problem in the future. This time, we were hit with the W32.Mytob.HH@mm worm. We had been hit with a similar worm a few weeks earlier; the main difference is that this version uses different ports to connect back to the Internet Relay Chat (IRC) channel.
Our intrusion-detection guru traced the infestation to a user connecting to the corporate network via the VPN from a local airport. I talked to the user, and he told me that he bypassed the recommended method of gaining remote access when he associated to a wireless access point at the airport. When he booted up his laptop, the access point showed up in his task bar, and he was automatically connected without any authentication.
The user said he did some work on the Internet before launching the VPN client, and that "work" included executing an .exe file from an e-mail he got stating that his account had been terminated. He had assumed the e-mail was from our human resources system; he had previously gotten a message directing him to change his password for the system, but he hadn't gotten around to doing that. When he clicked on the link called "account-details.exe," nothing seemed to happen.
Well, we now know exactly what happened. His laptop was infected, and when he connected to the corporate VPN, the worm propagated to our internal network.
We tell users that the proper method for remote access, especially when traveling, is to use iPassConnect Universal Client from Redwood City, Calif.-based iPass Inc. We have configured iPassConnect so that after a user authenticates, it checks the system to ensure that both a desktop firewall and our virus-checking client are installed and running.
We also have the iPass client time out if the user doesn't authenticate to our corporate VPN within two minutes.
In addition, our VPN client forces the user to input his username and RSA SecurID token for authentication. Chances are good that if the user had followed these procedures at the airport, the malicious code he executed would have been spotted.
To enhance the security of our VPN infrastructure, we are installing Sunnyvale, Calif.-based Fortinet Inc.'s FortiGate appliance. We're already using these devices to protect our development lab environment, or rather to protect the corporate environment from the lab environment. At the insistence of the lab managers, our development labs don't conform to our corporate policies
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
