Wednesday, July 25, 2007

A Monday Incident

It has to happen on a Monday.

And what a Monday it was.

I woke up and it was pouring out. And I mean pouring. It was raining so hard visibility had dropped to a hundred yards, at best. Driving to work, I passed three separate accidents; cars that had spun off the roads. At least they were getting assistance. This was definitely a day to stay home. The road that the plant is on was flooded, with a couple of inches of water. How fitting.

I get in a good half hour before the network administrator gets in which gives me plenty of time to put out the minor brush fires. It was about 20 minutes after he got in that he called me to his office and showed me an email he had received from our ISP. They (the ISP) were getting ready to dump our internet access (a T1) because of complaints due to alleged abuse coming from our public IP. We had about a day to figure it out.

Off to the firewall we went to see what was up. There did not appear to be anything fishy, at least from the firewall. Remember, the network admin is great at "admining" but security is an afterthought for him. I can only "suggest" policy and procedures. At about this time, the director of HR walks into the office. She proclaims that her laptop has crawled to a stop and she is unable to get any work done. We allay her fears and get back to work. I ask the network admin to check the logs for her IP. Lo and behold, we've found our problem. Connections. To and from her laptop. Hundreds of them. Thousands of them. Mail from her machine bypassing the DMZ and the mail server. P2P connections. And a whole bunch of things I didn't have time to ID. Whoa.

A little research turned up that the malicious code was a variant of the Storm Worm; I think Trend finally ID'd it as nuwar.IJ. I explain calmly to the HR director that we think we found the reason for her laptop being slow and I would need to take her laptop off the network, and remove it to the data center in order to check it out. So, we grab the laptop. The worm went undetected because it killed the AV programs first. Yea for Helix.....Rootkitrevealer proved what we thought. And we used Trend's RootkitBuster to clean the machine. Now, thinking of security, I suggested wiping and reloading. However, the network admin figured we had cleaned the machine sufficiently and we would give the machine back after a full virus scan.

When I gave the machine back I asked if there was anything she might have done to have contracted a virus or worm. She thought it might have occurred when she went to update a printer driver (why she had to update a printer driver is still a mystery.) After more pressing, she finally admitted to opening an email with a subject of "you have received a bluemountain greeting from a co-worker." She said she clicked the link too.

I'm still trying to tighten the firewall logs....p2p connections should not be coming in or going out of here. Period. That should have been our first red flag. I'm sure there's more to do; but I think the network admin is just glad our network access is not getting yanked.

No comments:

Post a Comment