Computerworld - Every morning at 8:30, our IT department has an operational status meeting. All the managers have a chance to review changes to the infrastructure and can raise their own concerns. For example, the data center operations manager discusses any major change controls scheduled for the day and reviews the Priority 0 and 1 issues from the past 24 hours.
We also track help desk calls and virus tickets. Normally, about five to 10 virus tickets are open on any given day. That's not bad, considering that we have over 6,000 employees worldwide. Yesterday, though, the operations meeting was cut short by an explosion of virus-related help desk tickets. Within 30 minutes, the help desk received 40 virus-related calls, and the number was increasing rapidly. It seemed that a zero-day virus had made its way into the network.
It isn't difficult to become infected with one. Employees who use Web-based mail, such as Yahoo or Gmail, can inadvertently download malicious code to their workstations because that mail isn't scanned the way employees' Exchange mail is. Infections can also take root after employees connect their laptops to a broadband connection at home and then come back to the network with viruses in tow.
As security manager, it was important that I take charge and direct, monitor and manage this outbreak. First, we had to get the infected machines off the network. One of the symptoms in this case was that the workstation would send mail with an infected attachment to a list of e-mail addresses from its contact list. This meant I could have the help desk review e-mail headers and spot infected workstations. When one was found, someone from the help desk would call the user and have him disconnect the workstation from the network.
When the user wasn't available, the help desk passed the MAC address of the system to the network operations group, which would disable the switch port. Finding the MAC address is fairly easy in our environment. The machine name of nearly all our desktops is the first letter of the employee's first name, followed by the first six characters of his last name. So, starting with an e-mail address of mthurman, for example, the help desk simply issues the nbtstat "a mthurma" to determine the MAC address of the corresponding system. Then the network team can trace the MAC address to the appropriate switch port and disable the port.
Meanwhile, we isolated a sample of the virus and sent it to our antivirus provider, Trend Micro Inc., for analysis. After three hours, Trend Micro sent us a pattern file for detecting the virus, and much later it gave us a working TSC file, which actually cleans infected systems. This is the first occasion we've had to test the vendor's responsiveness in a zero-day attack scenario, but if this is typical of the time it will take, I'll be looking for another antivirus vendor.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
