
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2008-01-17



Large scale recovery

Published: 2008-01-17
Last Updated: 2008-01-17 13:54:40 UTC
by Mark Hofman (Version: 1)

Scott emailed an interesting question the other day which I’m going to flick pass to you all. 

We all have workstations in our organisations.  They run AV products, encryption software, firewalls, management tools etc., a nice mix of products that we use to protect and manage workstations.  And they all play nicely together, right?

Well, what if they don’t?  For example, what if there is a nasty conflict between products, a patch breaks one or more of the products, a virus runs wild, or even something as simple as a group policy goes wrong?  And what if the fix, rather than a swift click on a button, means you have to go to each machine, boot it into safe mode, make a change, then reboot?  How do you recover your workstation environment?

Now the answer is relatively simple if there are only a few machines involved: you send junior on the road to fix the machines one by one.  It will keep him out of your hair for a bit.  But what if there are 100, 1,000 or even 10,000+ machines to fix?  Even junior will need a white coat after a while.

So here is a little scenario for you all to have a think about.  The company has 8,000 workstations at several locations, some behind relatively slow lines.  A nasty little virus has slipped through and 4,000 machines have been infected.  Automated cleanups do not work and the only choices left are to manually inspect and clean each machine, or to reimage it.  Luckily head office has clean images for all the hardware deployed.

So what can we do?  Are local recovery partitions on workstations the way to go?  Imaging servers, maybe one at each remote location?  Bootable imaging DVDs, deployment products, packaging products?  Should we change the environment altogether and use thin clients, or PXE boot?

What do you do?  Send us your ideas on how you already cope, or would cope, with a large scale recovery of workstations.  I’ll collate the responses and, you never know, your idea may save someone’s junior from wearing a white coat.

Mark


Shorts - other things happening this week.

Published: 2008-01-17
Last Updated: 2008-01-17 13:18:11 UTC
by Mark Hofman (Version: 1)
0 comment(s)

There have been a few interesting things over the last few days that are worth a mention.  We’ll start with malware.

We’ve had some reports of a new round of Dept of Justice messages (thanks Steve).  You know the one: “A complaint has been filled against the company you are affiliated to ....”  This particular text variation was first reported in early December, but seems to have received a new lease of life and a nice new payload to go along with it.  It was detected by only 4/32 engines on VirusTotal (it should be close to 32/32 by now).  The other thing was that it was well targeted: the recipient’s name was correct, as was the company name, so someone has a good quality list.  The attachment was called PDF_Complaint.scr; luckily most of us already drop this extension at the gateway.
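The gateway rule the diary relies on, dropping executable extensions such as .scr regardless of how the name is dressed up, is easy to get subtly wrong. The following is an added example, not code from the diary or from any ISC tool. It normalises an attachment name the way Windows would interpret it (case-insensitive, trailing dots and spaces ignored, Unicode bidirectional override characters removed) and then checks the real extension against a block list, flagging the “document.pdf.scr” double-extension trick separately. The extension lists and the sample attachment names are constructed for this example; a production policy would be longer.

```python
"""Attachment-name policy check of the kind a mail gateway applies.

Added example. The block list and the sample attachment names below are
constructed for illustration and are not from the original diary.
"""
from typing import Dict, Iterable, List

# Extensions Windows will execute on double-click (constructed, partial list).
BLOCKED_EXTENSIONS = frozenset({
    "scr", "exe", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "cpl", "msi", "lnk", "reg",
})

# Document-looking extensions that attackers put in front of the real
# executable extension ("complaint.pdf.scr") so the name looks harmless.
DOCUMENT_LOOKALIKES = frozenset({
    "pdf", "doc", "xls", "ppt", "txt", "jpg", "gif", "zip",
})

# Unicode bidirectional controls. U+202E (right-to-left override) makes
# "photo\u202Efdp.scr" display as "photorcs.pdf" while the file still
# ends in .scr; the isolates (U+2066-2069) and embeddings are handled too.
BIDI_CONTROLS = "\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069"


def normalise(filename: str) -> str:
    """Reduce a name to what the Windows shell will actually act on."""
    cleaned = "".join(ch for ch in filename if ch not in BIDI_CONTROLS)
    # Windows silently drops trailing spaces and dots when opening a file,
    # so "Invoice.SCR ." is executed as invoice.scr.
    return cleaned.lower().rstrip(" .")


def attachment_verdict(filename: str) -> Dict[str, str]:
    """Return {"file", "verdict", "reason"} for one attachment name."""
    name = normalise(filename)
    parts = name.split(".")
    if len(parts) < 2 or not parts[-1]:
        return {"file": filename, "verdict": "allow", "reason": "no extension"}
    ext = parts[-1]
    if ext in BLOCKED_EXTENSIONS:
        if len(parts) >= 3 and parts[-2] in DOCUMENT_LOOKALIKES:
            reason = f"executable .{ext} disguised as .{parts[-2]}"
        else:
            reason = f"executable extension .{ext}"
        return {"file": filename, "verdict": "block", "reason": reason}
    return {"file": filename, "verdict": "allow",
            "reason": f".{ext} is not on the block list"}


def blocked_attachments(names: Iterable[str]) -> List[str]:
    """Names from an incoming message that the gateway should strip."""
    return [n for n in names if attachment_verdict(n)["verdict"] == "block"]


# Constructed sample: attachment names as they might appear in one day's mail.
SAMPLE_ATTACHMENTS = [
    "PDF_Complaint.scr",        # the lure from the diary
    "complaint.pdf.scr",        # double extension
    "Invoice.SCR .",            # case and trailing-dot tricks
    "photo\u202efdp.scr",       # RLO override, displays as photorcs.pdf
    "quarterly.pdf",            # legitimate document
    "archive.tar.gz",           # multi-part extension that is not executable
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        v = attachment_verdict(name)
        print(f"{v['verdict']:5}  {name!r:28}  {v['reason']}")
```

Checking the extension after normalisation rather than on the raw header string is the point: a rule that matches `.scr` only at the end of the raw name misses the trailing-space and bidi variants, and a rule that only looks for “.pdf.” in the middle misses PDF_Complaint.scr, which has no double extension at all.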

Another oldie but goodie (the original goes back to 2006) was provided by Johan, who received a SPIM (instant-messaging spam) message.  The message was along the lines of: “Hi, my name is <name>.  I am studying in <country>.  I’m looking for a friend/partner ...etc”.  The link to the photos of the young lady takes you to Russia and provides you with a little extra code.  A file called ntos.exe is created and the registry is then modified, replacing winlogon.exe with the new file.  You are now providing information to those that will use it for you.

We also received a report on SMS phishing.  An SMS is sent: “Dear <insert bank name> customer, we are informing you that your online services have expired and needs to be renewed.  Please visit us at ...URL...”.  At the URL in the message a “special” surprise awaits.

So keep an eye on those mobiles.  Keep blocking those files that should never be emailed, and patch.  A significant portion of the malware we see exploits relatively old vulnerabilities.  Why?  Because they still work.

Cheers

Mark
