Security disaster averted by financial firm’s quick actions
While most of the IT world has been spared a devastating security attack like Blaster and Sasser for the last few years, the damage wrought by all manner of lesser-known computer viruses continues to inflict corporate pain.
For example, New York City-based investment firm Maxim Group faced a security ordeal this year when a virus outbreak pummeled the company's Windows-based desktop computers and servers.
"On early April 15th, a few people called to say they were having problems with their computers," relates John Michaels, the firm's CTO, describing how the investment firm's IT staff started to get an inkling that morning that something was terribly wrong. "After looking into it, we knew something bad was happening, affecting all our users, and my servers."
Malware was disabling applications by corrupting .exe files so that, once closed, they would not open again, while also making thousands of connections to servers and saturating the network. "It damaged all the .exe files by corrupting them," says Michaels. "People were logging on and getting a blank screen." The virus was altering the registry of the
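Sality-style file infectors modify executables in place, so the cheapest check a firm can run after re-imaging is a hash baseline of every executable taken from the clean image and a periodic comparison against it. The following is an added example, not code from the article or from Maxim Group's environment; the executable suffixes, the manifest layout and the temporary directory of constructed dummy files are assumptions for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Suffixes a file infector typically targets; an assumption, extend for your estate.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr"}


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, suffixes=EXECUTABLE_SUFFIXES) -> dict:
    """Map each executable under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def verify_manifest(root: Path, baseline: dict, suffixes=EXECUTABLE_SUFFIXES) -> dict:
    """Compare the tree under root with a baseline manifest from a clean image.

    'modified' is the file-infector signal (a known executable whose bytes changed);
    'new' catches dropped binaries and 'missing' catches deleted ones.
    """
    current = build_manifest(root, suffixes)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def demo() -> dict:
    """Run the check against a constructed temporary tree (dummy files, not real binaries)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "trader.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "app" / "helper.dll").write_bytes(b"MZ" + b"\x01" * 64)
        (root / "readme.txt").write_bytes(b"not an executable, ignored")
        baseline = build_manifest(root)            # taken from the clean image

        # Simulate an infection: a file infector appends its body to a host
        # executable, a helper library is deleted, and a new binary is dropped.
        with (root / "app" / "trader.exe").open("ab") as fh:
            fh.write(b"\xcc" * 32)
        (root / "app" / "helper.dll").unlink()
        (root / "app" / "dropper.exe").write_bytes(b"MZ" + b"\x02" * 16)
        return verify_manifest(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Keep the baseline manifest off the host it describes (or sign it): malware that can rewrite every .exe on a box can just as easily rewrite a manifest stored beside them, so the comparison has to run from, or be checked against, a copy the infected machine cannot reach.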
In response, Maxim Group told the approximately 325 computer users not to shut down the computers while Michaels and his team
contacted vendors for assistance. Maxim Group didn’t have a centralized antivirus product in place, having allowed various
groups to go their own way with differing products. The decision to change that practice was made on the spot.
Antimalware vendor Symantec was called in to set up a centralized antivirus server, while also attempting to analyze what the malware was and advise on clean-up. It wasn't easy.
"Symantec took about three days to identify what the variant of the virus was," Michaels says. "They said they had never seen a variant of this."
The virus was finally identified as a variant of Sality, an older file-infecting virus that targets .exe files and, in its newer variants, also installs a backdoor and Trojan. "We asked Symantec, are we the only ones telling you about this? And they said 'We have 3 million infected.'"
Cleaning up more than 300 virus-riddled PCs was a huge headache. Symantec advised total re-imaging of the computers, which Maxim Group undertook, a process that consumed several weeks.
In the course of beating back Sality, Michaels says he also contacted another vendor, Cymtec Systems, whose product he had demoed, to install the security vendor's Sentry gateway, which monitors traffic and bandwidth usage, enforcing Web site policies and blocking
The reason for the Sentry gateway is to prevent employees from going to "Web sites they probably shouldn't," especially as Web surfing raises the risks of malware infection, Michaels says.
But the virus outbreak also showed there was communication from the infected PCs to what might be a botnet. "They were connecting to rogue Internet sites," Michaels says, saying Sentry would help monitor for that kind of activity in the future.
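The two network symptoms the article describes, one host opening thousands of connections to internal servers and infected PCs calling out to unknown internet hosts, can both be pulled out of ordinary connection logs before any gateway product is in place. The following is an added example written for this page, not a Cymtec Sentry feature or Maxim Group's own tooling; the flow-log format (timestamp, source, destination, destination port), the internal address ranges, the external allowlist and the two thresholds are all assumptions, and the sample log lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed internal address space and allowlisted external services (illustrative).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
ALLOWED_EXTERNAL = {"198.51.100.10"}   # e.g. the AV vendor's update server; assumption
FANOUT_THRESHOLD = 50                  # distinct internal (host, port) targets per source
BEACON_MIN_HITS = 3                    # repeated connections to one unknown external host


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str):
    """Constructed flow-log format: '<timestamp> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return ts, src, dst, int(dport)


def analyze(lines, allowed_external=ALLOWED_EXTERNAL,
            fanout_threshold=FANOUT_THRESHOLD, beacon_min_hits=BEACON_MIN_HITS) -> dict:
    """Return internal sources with excessive internal fan-out (worm-style sweeping)
    and internal sources repeatedly reaching unknown external hosts (possible C2)."""
    fanout = defaultdict(set)                         # src -> {(dst, dport), ...}
    external = defaultdict(lambda: defaultdict(int))  # src -> dst -> connection count
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _, src, dst, dport = parse_flow(line)
        if not is_internal(src):
            continue                                  # inbound traffic is out of scope here
        if is_internal(dst):
            fanout[src].add((dst, dport))
        elif dst not in allowed_external:
            external[src][dst] += 1
    return {
        "fanout": {src: len(targets) for src, targets in fanout.items()
                   if len(targets) >= fanout_threshold},
        "beacons": {src: {dst: n for dst, n in dsts.items() if n >= beacon_min_hits}
                    for src, dsts in external.items()
                    if any(n >= beacon_min_hits for n in dsts.values())},
    }


# Constructed sample: one workstation sweeping 60 internal servers on SMB (445)
# and calling out three times to an unknown host, beside a normal workstation.
SAMPLE_FLOWS = (
    [f"2009-04-15T08:{i % 60:02d}:00 10.0.1.15 10.0.0.{i} 445" for i in range(1, 61)]
    + ["2009-04-15T08:05:00 10.0.1.15 203.0.113.7 80",
       "2009-04-15T08:10:00 10.0.1.15 203.0.113.7 80",
       "2009-04-15T08:15:00 10.0.1.15 203.0.113.7 80",
       "2009-04-15T08:07:00 10.0.1.20 10.0.0.5 445",
       "2009-04-15T08:08:00 10.0.1.20 198.51.100.10 443",
       "2009-04-15T08:09:00 10.0.1.20 203.0.113.9 443"]
)

if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_FLOWS).items():
        print(kind, hits)
```

The fan-out rule fires on the infected host long before a signature exists for the variant, which matters when, as here, the vendor needed three days to name it; the beacon rule is only as good as the allowlist, so populate it from a quiet baseline period rather than from the outbreak window.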
To this day, Michaels says he's not sure how the Sality variant got into Maxim Group's network to explode in that April 15 outbreak. "Maybe it was a Web site or a USB device, I don't know," Michaels says. But on that day things changed in terms of the investment firm deciding to enforce stricter Internet usage policies.
"Before this episode, we allowed social network sites, but we don't now," Michaels says. Social networking sites are gaining a reputation as places where malware gets distributed, and if there's no clear business reason for using them, they're put off limits.
And are the old Blaster and Sasser worms that struck with such devastation over half a decade ago gone?
Unfortunately not, says the "Top Cyber Security Risks" report released this week by SANS Institute in collaboration with TippingPoint and Qualys. The report, which examined six months of data related to 6,000 organizations using intrusion-prevention gear and 100 million vulnerability-assessment scans on 9 million computers to get a picture of various attack types, notes "Sasser and Blaster, the infamous worms of 2003 and 2004, continue to infect many networks."
All contents copyright 1995-2009 Network World, Inc. http://www.networkworld.com