Real Virus attack on corporate network

I’ve been working for many years at an anti-virus company. Of course my view on computer viruses and incidents is biased, but this angle could be interesting anyway.

Currently anti-virus coverage within corporate networks is close to 100%. Among home users it’s estimated at 70% to 90%. So how exactly do infections happen in real life, and how can they be cleaned up?

Start of the infection

Modern viruses are like vampires. If you don’t invite them into your house, they cannot pass the door. If, however, the undead manages to trick you and get in, then you’re in real trouble.

In 99% of situations the infection comes via the Internet. Look at the Virus Top list for December 2008. Almost always the user has to let the virus in himself:

  • user opens an email with a virus
  • user opens a web-page with a virus

In Windows XP and Vista there are some security measures which try to warn you, and they do help. Actually, I believe Microsoft has greatly decreased the possibility of external infection. But it’s still not enough.

Even if a user has an anti-virus, it must be working. First of all, it must be ON. A lot of users turn it off because it eats system resources. Second, the anti-virus must be updated, basically every day; you have to let it get the latest updates via the Internet. These two problems are the reasons why home users get infected even with an anti-virus installed. I believe if you get those two things right, you can be protected with any of the top 5 anti-viruses: Symantec, McAfee, TrendMicro, Kaspersky, Sophos.

In the corporate environment you normally have professionals who can manage the installation of the anti-virus software. That’s why corporate networks normally have a much lower infection rate than home users. I say normally, because it happens anyway. I’ve seen only 3 major security incidents within large corporate networks, and in 2 cases the reason was that anti-virus software was not properly installed. These are the most common reasons IT managers give for not installing anti-virus:

  • we run those servers on VMware, they don’t have enough resources for real-time anti-virus protection
  • we don’t have anti-virus in our standard image for a workplace
  • we just don’t have a standard disk image for a workplace
  • we never had anti-virus problems before, so for us performance is more important
  • we hired a new guy, who didn’t have time yet to catch up with your anti-virus stuff.

You don’t have an anti-virus and you get a virus. It is as simple as that! As you can see, the underlying reasons are mostly not security related, but rather general IT-management related.

Infection is spreading

Once in, a vampire can use a formidable array of superpowers – inhuman strength, speed, invisibility, mist, hypnosis, etc. In corporate networks there is normally not much protection inside the perimeter. Once run on a PC with domain admin rights, a virus can copy itself to any other computer, put itself in the batch file run at Windows domain logon, and attach itself to a lot of Microsoft Office files. Almost always, if some of the computers do have anti-virus protection, they can resist: viruses are deleted the moment they enter the protected computer. But in a network with thousands of computers, even a small fraction of unprotected PCs can easily jam connections or servers. All computers must be protected.

Fortunately, vampires are not just savage killers, they’re sophisticated creatures (at least according to Bram Stoker). They don’t just kill, they suck your blood slowly and try to convert you. The same is true of modern computer viruses. They don’t destroy your files or wipe your hard drive. They slowly and carefully try to use your resources for some commercial purpose: making your computer a zombie, sending spam, starting DDoS attacks, stealing passwords. That’s why there is still a possibility to clean the computer and eliminate the infection.

Cleaning the infection

Just let Professor Van Helsing do his job and he’ll succeed. Modern anti-virus programs are very powerful tools. They’re self-protected, they’re smart and they do their job well. In most situations it’s enough to install the anti-virus, get the latest updates and perform a scan of the whole hard drive.

Here lies the biggest issue for corporate networks. Anti-virus vendors provide their own solutions for remote installation and management. Microsoft Windows contains useful technology like RPC. Other vendors also have solutions like Novell ZENworks. However, you need to know where to install!

The problem is that all those systems are quite democratic: “if a computer comes and asks for service, the system provides it”. The opposite approach would be totalitarian: “the system must know everything about all computers and enforce the service”. When cleaning an infection from the corporate network you need to be a dictator and install the anti-virus on all computers. These are the major obstacles you find on your way:

  • not all computers in the company are online during the day
  • nobody knows how many computers are really there, as opposed to stolen, broken or thrown away
  • nobody cleans the list of registered computers in Active Directory, so there are always a lot of very old ones
  • often the central IT department sends a bunch of PCs to a local IT team, and they connect them when they need them
  • often the names of thousands of computers have a flat structure, like PC2022345, so you don’t know where they’re located

You don’t have to be a despot in normal life. If you’re talking about the business needs of your company, a democratic approach works just fine. But if you’re at war, you need to change it.

I found the approach which works best to clean up this mess:

  1. Start with the list of registered PCs from Active Directory, put them in one group called “Not Clean”
  2. Try to ask the customer to remove obviously old names. It’s not always possible, because there are hundreds of them
  3. In most cases you can remove names which don’t have an IP address in the Windows DNS anymore. This means they haven’t been online for a long time
  4. Put all those computers in the list in your anti-virus control center and try to install the protection on all of them
  5. When the initial installation finishes, move the computers with successfully installed anti-virus to another group, called “Clean”
  6. Repeat steps 4 and 5 the next day. And the day after. And further. Your goal is to move everything from “Not Clean” to “Clean”.
  7. If there are some computers still left, try to find their location and clean them manually
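The steps above as a script that can be run once a day, added here as an example and not part of the original post. It assumes the ActiveDirectory module (RSAT) is installed, that it runs as a domain account that can read computer objects, and that the two group files live in the current directory; the anti-virus deployment is vendor specific, so `Invoke-AvInstall` is a hypothetical placeholder for your control center’s own remote installer.

```powershell
# Added example (not the post's code): daily "Not Clean" -> "Clean" triage.
# Assumes: ActiveDirectory module available, Clean.csv/NotClean.csv in the current
# directory, and Invoke-AvInstall replaced by your AV control center's installer.
Import-Module ActiveDirectory

function Invoke-AvInstall {
    param([string]$ComputerName)
    # Hypothetical placeholder: trigger the vendor's remote installation here and
    # return $true only when the control center reports success.
    return $false
}

# Step 1: start from every computer object registered in Active Directory.
$registered = Get-ADComputer -Filter * -Properties DNSHostName |
    Where-Object { $_.DNSHostName } | ForEach-Object { $_.DNSHostName }

# Step 3: names with no DNS record have not been online for a long time;
# list them for the customer (step 2) instead of trying to install on them.
$stale = @(); $candidates = @()
foreach ($name in $registered) {
    try {
        [void][System.Net.Dns]::GetHostAddresses($name)
        $candidates += $name
    } catch { $stale += $name }
}
"Registered in AD but missing from DNS (ask the customer to remove):"
$stale

# Steps 4 and 5: keep yesterday's successes, try the rest, move successes to Clean.
$clean = @()
if (Test-Path Clean.csv) { $clean = @(Import-Csv Clean.csv | ForEach-Object { $_.Name }) }
$notClean = @($candidates | Where-Object { $clean -notcontains $_ })
foreach ($name in $notClean) {
    # Only machines that answer today can be installed; the others wait for tomorrow.
    if (Test-Connection -ComputerName $name -Count 1 -Quiet) {
        if (Invoke-AvInstall -ComputerName $name) { $clean += $name }
    }
}
$remaining = @($notClean | Where-Object { $clean -notcontains $_ })

# Step 6: persist both groups so tomorrow's run starts from today's state.
$clean     | ForEach-Object { [pscustomobject]@{ Name = $_ } } | Export-Csv Clean.csv -NoTypeInformation
$remaining | ForEach-Object { [pscustomobject]@{ Name = $_ } } | Export-Csv NotClean.csv -NoTypeInformation
"Clean: $($clean.Count)   Not Clean: $($remaining.Count)"
```

Whatever is still in NotClean.csv after several days is the step 7 list: machines to locate and clean by hand.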

In this situation the biggest problems are again not security related, but IT related. In order to perform the cleaning you don’t have to be an anti-virus expert; you just need a good understanding of Windows infrastructure and networking.

Conclusion

The solution against viruses is simply the installation of anti-virus. When you get an infection, in most cases it means you didn’t have protection. If you need to clean the infection, install anti-virus. It sounds a bit boring, doesn’t it?
