Tuesday, December 4, 2012

Paying the Price for BYOD and Social Media

We always return to work after a holiday with a little trepidation because over the years we have grown accustomed to expecting anguished calls for help, as soon as we walk in the door, from clients who have just discovered some major problem that jumped up to bite them when no one was looking. This Thanksgiving was no exception. Two network clients discovered a brand new malware variant that appeared to be erasing their network data right before their eyes. Calls like that get the blood flowing even before the morning coffee has a chance to kick in.

This new malware also appeared to propagate itself across networks and infect multiple drives and users, something new and different from typical infections, which tend to stay localized.

To make matters worse, the anti-virus/malware industry was way behind in developing a solution to neutralize and/or remove this culprit. It took 4 days before any of the major A/V players released one to the public.

The malware propagated itself across workstations and network drives through a tiny autorun module that would cross-infect other devices and drives whenever a network user accessed a local or network drive. In this manner it spread rapidly across the networks.

What made the battle even worse was the widespread use of flash drives and portables at one client, so even when we shut down the entire network and cleaned every infected PC, some user would bring an infected device from home and the process of infection would start anew. Because there was no effective solution to keep a unit clean once the technicians finished, re-infection was a constant battle.

Luckily for our clients, our Lead Engineer discovered the malware in this instance was not really erasing their data; it was hiding it using the ATTRIB command on files and folders, which just gave the appearance of deletion. As a little extra bonus, the malware also created new replacement files with sex-related names that further spooked one client, which was a private elementary school. At the start, as fast as we'd clean one computer, another user would log in and totally re-infect those drives and folders on the network that we had just cleaned.
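As a defender's follow-up to the two behaviours described above (the autorun module that rode removable drives from machine to machine, and the ATTRIB trick that made files look deleted), here is an added PowerShell triage script. It is not from the original post or from the author's team; the function name, the -Restore switch and the list of files it skips are my own assumptions. It lists every item under a drive or share that carries both the Hidden and System attributes (skipping the handful Windows sets itself), flags an autorun.inf at the root, and, only when asked, clears the two flags the way `attrib -h -s` would.

```powershell
# Added example (not from the original post). Triage a drive or share for the two
# behaviours the post describes: user files/folders flagged Hidden+System so they
# look deleted, and an autorun.inf sitting at the root of a drive.
# The function name, the -Restore switch and the skip list are assumptions.

function Find-AttribHiddenFiles {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Root,          # e.g. 'E:\' for a flash drive, or '\\fileserver\share'
        [switch]$Restore        # also clear Hidden/System (equivalent of: attrib -h -s <path>)
    )

    $hidden = [IO.FileAttributes]::Hidden
    $system = [IO.FileAttributes]::System

    # Windows itself marks a few items Hidden+System; leave those alone.
    $knownSystem = @(
        'desktop.ini', 'thumbs.db', 'pagefile.sys', 'hiberfil.sys', 'swapfile.sys',
        'System Volume Information', '$RECYCLE.BIN', 'RECYCLER'
    )

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. An autorun.inf at the drive root is the hook that lets an infection ride
    #    removable media from one machine to the next. Report it; do not execute it.
    $autorun = Join-Path -Path $Root -ChildPath 'autorun.inf'
    if (Test-Path -LiteralPath $autorun -PathType Leaf) {
        $findings.Add([pscustomobject]@{ Kind = 'autorun.inf'; Path = $autorun })
    }

    # 2. Anything else carrying both Hidden and System is suspect.
    #    -Force is what makes Get-ChildItem return hidden items at all.
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Attributes.HasFlag($hidden) -and
            $_.Attributes.HasFlag($system) -and
            ($knownSystem -notcontains $_.Name)
        } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{ Kind = 'hidden+system'; Path = $_.FullName })
            if ($Restore) {
                # Clear only the two flags; keep ReadOnly/Archive/Directory as they were.
                $mask = [int]($hidden -bor $system)
                $_.Attributes = [IO.FileAttributes]([int]$_.Attributes -band (-bnot $mask))
            }
        }

    return $findings
}

# Usage (report first, restore only once the list looks right):
#   Find-AttribHiddenFiles -Root 'E:\' | Format-Table -AutoSize
#   Find-AttribHiddenFiles -Root '\\fileserver\share' -Restore
```

Run it without -Restore first and read the list: a few hidden+system items are legitimate on any volume, and the skip list above is only a starting point for the ones Windows creates. Running the report against each flash drive before it is plugged back into a cleaned network is the cheap check that would have caught the re-infection loop the post describes.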

I'm very fortunate to have a really talented tech team that was able to diagnose and clean the networks of both clients quickly and efficiently without much assistance from the Anti-virus industry for the first 4 days of the outbreak. Now the other companies are caught up and the malware won't be able to re-infect, but it was really hairy for a while there!

If you're wondering about the original source of the infections, Facebook was the source for one client and the flash drive of a staff member was the source for the other. How many computers did we have to inspect? About 120 PCs, 8 servers and 30 flash drives. The number of infected computers? About 85 PCs, 3 servers and 2 flash drives across both clients. How much time was involved? About 65 unanticipated work-hours.

Forgive us if we tend to cringe when people ask us how we plan to spend our holidays!

Happy Holidays Everyone!  Oh, and leave that @#$% flash drive at home!

* BYOD stands for Bring Your Own Device and represents a growing trend of employees introducing personal devices into company networks. There is growing concern about the vulnerability of company information assets to risks brought to work by employees on poorly protected devices like smart phones, tablets, notebooks and flash drives. This, combined with unregulated access to at-risk social media sites like Facebook and others, greatly increases the risk of loss to organizations like those discussed in this post.
