Security Manager's Journal: Some security incidents can make life interesting

Computerworld - No security manager wishes for a security incident. They can be costly, disruptive and a professional black mark. But getting to the bottom of a minor event -- one that causes no real harm or has a minimal effect but isn't run-of-the-mill and therefore requires a bit of investigating -- can make the job more challenging. You have to figure out just what happened so that you can prevent a recurrence, and you have to do it quickly so that damage is kept to a minimum. It's a time-sensitive task that requires quick thinking and expertise. We just had an incident of that sort, and it's an interesting story.

It all started with a call to our HR department from the company that provides our 401(k) services. As happens from time to time, a rogue server had been identified by law enforcement. In extracting evidence from the server, they discovered that it contained connection information for the 401(k) administration site and the IP address of my company's corporate firewall. (We translate all of our internal desktop IP addresses to that external address.) Within the logs was a reference to ANTIVIRXP08, which is a piece of malware that disguises itself as a virus detection tool. When a user is tricked into installing it, the malware will do nasty things, such as capture keystrokes and then "call home" with all the data entered or submitted by the victim.

We could see that two of our employees had fallen victim to the malware, so the first order of business was to disconnect them from the Internet. I instructed them to use clean systems and to change their passwords for every corporate and personal account they use. We also helped them set up fraud alerts on their credit reports.

Next up was determining whether we had really been affected. First, we took an image of the two systems, allowing us to conduct a forensic examination of the image while leaving the original system intact. We looked for registry entries, processes and anything else that might indicate that the systems had been infected. Fortunately, there was no evidence of system compromise. In fact, the two systems were up to date with patches and antivirus software. Next, we reviewed our firewall and proxy logs to see whether the traffic included anything that might suggest an infected desktop calling home. Again, nothing.

This was puzzling. How could connection information for a 401(k) administration site show up on a rogue server out on the Internet without leaving behind any relevant forensic information on our affected desktops? My first thought was that the financial institution's Web application was the victim of a cross-site scripting attack and that our users were tricked into executing malicious code on the 401(k) administrative Web site, which collected the connection information. However, the 401(k) administrator's security people assured me that their company had not been affected.

I then asked for the full access logs from the rogue server. Analysis of those logs revealed that the connection attempts had occurred in September. That explained the anomaly. Our logs go back only 30 days.

We use Trend Micro's OfficeScan for corporate desktop and server antivirus protection, and it keeps logs for all our machines. Sure enough, it had detected and cleaned the ANTIVIRXP08 code from both systems. That explains why the forensic analysis came up clean as well.

I still have some concerns and will continue to follow up to determine whether the malware was able to call home to the rogue server with the connection information. But for now, there's not much else to do except close the investigation, pending any further information.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.