Computerworld - Sometimes in a large organization that has offices all over the world and only a small IT security staff, it takes a significant event to reveal security failures in remote offices. This is exactly what happened this week. Until now, it has been fairly peaceful around the office. Other than the regular projects and ongoing issues, there haven't been any fires to put out. But this week, a new wormlike virus took us by surprise.
Normally the IT desktop department handles viruses, but this one involved so many people and so many man-hours that my group ended up getting involved. The worm, Bat.Mumu.A.Worm, or Mumu for short, hasn't taken the spotlight in the same manner as worms such as Melissa or Code Red, but our IT staff had to spend hundreds of man-hours dealing with it. We were taken by surprise because we were focusing on taking preventive measures to avoid being hit with three other viruses: SoBig, Bugbear and Lovgate.
We decided that these viruses had caused enough problems for other organizations that we wanted to be proactive. We spent so much time doing discovery work on what signatures to watch, and looking for updated virus definition files and getting them out to the workforce that we never saw Mumu coming until it had spread.
The three viruses we were originally watching for are similar in that they propagate by using e-mail distribution lists or a Trojan horse-like technique in which the worm attacks servers by scanning for vulnerable workstations. They differ in the messages and names of services, programs and registry keys they create or modify, but all increase network traffic, fill up e-mail in-boxes and prevent legitimate mail from being delivered.
By contrast, Mumu attaches itself and copies its payload to drive shares on remote computers, which in our case have weak administrative passwords. The worm contains a set of batch files, some utility programs and a Trojan horse program that spreads to other computers. It copies a set of files to the vulnerable systems and remotely executes a script or batch file on that system, which sends the Trojan horse to yet more systems. Mumu scans for IP addresses similar to the IP address of the victim system, attempts to access a share via a default password and, if successful, copies over the various files and runs itself again.
Once we knew that some machines were infected, we accessed our Snort intrusion-detection system sensors on the infected network segments and began monitoring traffic.
By monitoring network
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
