Security Manager's Journal: Latest malware is a call to action

Practice tempers panic. But the Google 'Operation Aurora' malware required a few extra precautions.

By Mathias Thurman
February 8, 2010 06:00 AM ET

Computerworld - I got a call from an information security colleague who had forensic evidence from a command-and-control server identified as part of the so-called Operation Aurora incident that included a hack of Google in China. The evidence showed connections from my company's DNS servers to questionable domains. As you can imagine, I was alarmed.

Alarmed, but not panicked. At the end of the day, this was just another piece of malware, and we have the experience to deal with that. And I hadn't seen any unusual activity flagged by our antivirus software and intrusion-detection system, or any other indicators that we might be infected with a zero-day exploit -- no network bandwidth anomalies, no sudden increases in help desk calls related to system weirdness and no mentions on the various threat blogs that ours was a victimized domain.

Still, this piece of malware was reported to be more sophisticated than most in the way it operates and communicates.

With any malware, I want to determine whether my company was infected, whether the infection compromised intellectual property or other sensitive information, and whether our products' integrity was affected. Of course, I also want to remove the infestation and get back to a steady state without any business disruption.

First, I checked our DNS servers. I have high confidence in their integrity, because they are hardened and because we use Tripwire to detect changes. After a thorough review conducted using various tools and Unix compromise checklists that can be found on the Internet, we determined that the DNS servers seemed unhacked.

The next task was to find the systems that were querying the suspicious site, perform the forensic analysis and start cleaning up the mess.

After we enabled logging on our DNS servers, we could see the suspect queries. But they all originated from our Active Directory servers. That's because all of our Windows servers point to AD for name resolution first, and then the request is passed to the Unix DNS infrastructure. That meant we needed to log DNS queries at our AD server. It was a challenge, due to the sheer amount of log data, but we were able to identify some beaconing hosts.
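The step described above, pulling query logs from the resolver the clients actually talk to and picking out hosts that keep asking for the suspect names, is the part worth showing in code. What follows is an added example written for this page, not the column's own tooling. The log format is a constructed, simplified one (timestamp, client IP, queried name); real Windows DNS debug logs and BIND query logs look different and need their own parsers. The domain names on the watchlist are placeholders under the reserved .invalid TLD, not indicators from Operation Aurora. The point the column makes about forwarding applies directly: if these lines were taken from the upstream Unix resolvers, every client IP would be an AD server, so the log has to come from the tier that sees the real source addresses.

```python
"""Find hosts that query watchlisted domains and look like they beacon.

Added example, not from the original column. Log format, watchlist
entries and all IP addresses are constructed for the demo.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Hypothetical watchlist: names supplied by a C2 indicator feed.
WATCHLIST = {"c2-beacon.invalid", "drop-site.invalid"}

# Constructed log lines: ISO timestamp, client IP, queried name.
SAMPLE_LOG = """\
2010-02-01T08:00:00 10.1.5.23 www.example.com
2010-02-01T08:00:01 10.1.5.23 c2-beacon.invalid
2010-02-01T08:05:01 10.1.5.23 c2-beacon.invalid
2010-02-01T08:10:02 10.1.5.23 c2-beacon.invalid
2010-02-01T08:15:00 10.1.5.23 c2-beacon.invalid
2010-02-01T08:20:01 10.1.5.23 c2-beacon.invalid
2010-02-01T08:03:17 10.1.7.44 mail.example.com
2010-02-01T08:11:40 10.1.7.44 update.drop-site.invalid
2010-02-01T09:47:03 10.1.7.44 update.drop-site.invalid
2010-02-01T08:30:00 10.1.9.9 www.example.com
"""


def parse_log(text):
    """Yield (timestamp, client_ip, qname) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # blank or malformed line
        ts = datetime.fromisoformat(parts[0])
        yield ts, parts[1], parts[2].rstrip(".").lower()


def is_watchlisted(qname):
    """True if qname is a watchlisted domain or any subdomain of one."""
    return any(qname == d or qname.endswith("." + d) for d in WATCHLIST)


def queries_by_host(text):
    """Map client IP -> sorted timestamps of its watchlisted queries."""
    hits = defaultdict(list)
    for ts, client, qname in parse_log(text):
        if is_watchlisted(qname):
            hits[client].append(ts)
    return {host: sorted(times) for host, times in hits.items()}


def beaconing_hosts(text, min_queries=4, max_jitter=0.2):
    """Split hosts into 'beaconing' (steady interval) and 'contacted'.

    A host is flagged as beaconing when it has at least min_queries hits
    and the spread of its inter-query gaps (stdev / mean) is at most
    max_jitter. 'beaconing' maps host -> mean interval in seconds;
    'contacted' maps host -> hit count, so low-volume hosts are not lost.
    """
    result = {"beaconing": {}, "contacted": {}}
    for host, times in queries_by_host(text).items():
        if len(times) < min_queries:
            result["contacted"][host] = len(times)
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        if jitter <= max_jitter:
            result["beaconing"][host] = round(mean)
        else:
            result["contacted"][host] = len(times)
    return result


if __name__ == "__main__":
    print(beaconing_hosts(SAMPLE_LOG))
```

Malware that randomizes its sleep interval will not fall under the jitter threshold; for those cases the "contacted" list, driven purely by the watchlist match, is the one to act on, and the interval analysis is only a way to rank the noisiest hosts first.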

Digging Deeper

At the same time, we contacted Juniper, our IDS vendor, and it provided a signature file for our IDS sensors. It detected attempts to exploit the Internet Explorer vulnerability that had enabled this whole mess. Almost immediately, we began to see alerts from every sensor, in the U.S., Germany, Taiwan, Hong Kong and Singapore -- connections from PCs and servers, mainly to development SAP systems. Only a few were outbound connections on Port 80, which thankfully were blocked by our content-filtering engines.


We then contacted our antivirus vendor, Trend Micro, which released pattern files for our OfficeScan servers that we are now pushing to the more than 8,000 Windows resources on our network. But I still wasn't satisfied, since none of this told me the impact on our intellectual property. We took an EnCase image of a couple of affected machines prior to the installation of any patches or antivirus updates, which let us use the freely available Wireshark packet sniffer to analyze the network traffic generated by the malware. I also wanted to see if the malware installed keystroke monitoring software or other data-collection programs.

The forensic analysis continues, and we plan on pushing a new Microsoft patch within the next couple of days to prevent future incarnations of this malware from impacting our environment.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.
