[unisog] Zero-day viruses

Alan Rothenbush alan at sfu.ca
Fri Sep 12 02:27:07 GMT 2008


> -----Original Message-----
> 
> Is everyone getting them, or is it just us ?
> 
> The last few weeks, we have noticed an increase in email 
> viruses getting past our filters.


Yup, that mirrors our experience exactly.  The viruses always seemed to be
a day ahead of the signatures. 

I also saw the reboots upon opening, although not every time, it seemed.

We discovered two different "major" strains as well as the (daily) minor
variants.

One strain wrote a value to 
 
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run

to start something from SYSTEM32.  In our locked down world, this failed.
But another copied the executable to the user's AppData directory and then
added a key to the location above.  This of course succeeded.  Cleaning
was easy, as a reboot killed whatever was running, followed by a logon by
an admin to delete the crap in AppData and clean the key out of the user's
hive.

However, while cleaning was easy, waiting a couple of days for McAfee to
find it seemed unacceptable.   So I wrote a little script to be called at
logon and logoff.  (All of my 1,000 or so machines are in Active Directory
and already executing logon/logoff scripts by Group Policy, so one more
was a no brainer)

The script examines the user's RUN key for something bad, and if found

. emails the support staff
. logs the user off (if at logon)
. disables the user's account (through a truly Rube Goldberg mechanism)


This scheme worked fine for the few days the "attack" persisted.

However, it also showed up a number of earlier attempts to do something
similar; write a reg key to the user hive to start something in SYSTEM32.

And it showed a whole lot of "portable" apps .. things that install
themselves in the user's space.  

As stated earlier, we run a pretty well locked down environment and have
other tools to prevent the running of the most common portable apps; I was
feeling pretty good about my ability to prevent these things until I
started examining the RUN keys discovered.

So the script has been extended.  It begins with the virus check, above.
It then continues on in an ugly brute force manner reminiscent of Sherlock
Holmes; it writes the REG keys to a file, then removes "acceptable" keys
line by line.  If anything is found remaining, I consider the user to have
installed an unwanted program.

This results in a message with a STERN warning and instructions to REMOVE
the program.  An email is also sent to me and if I see such an email a day
later, I appear at their office door in a BAD MOOD.

(OK, so I'm always in a bad mood .. let's say an even worse mood than
normal)


Alan

--
Alan Rothenbush
IT Services
Simon Fraser University


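The two-stage check described in the post above (flag Run-key entries that look like the two strains, then strip vetted entries and treat whatever remains as an unwanted program), re-created as an added example. This is not Alan's script; his ran at logon/logoff on Windows. To keep it runnable anywhere, the Run-key contents below are a constructed sample in the format `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` prints, the allowlist is hypothetical, and the "looks like malware" rules (a HKCU Run value launching from SYSTEM32 or from the user's AppData) are my reading of the two strains he describes, not anything the post specifies.

```python
import re

# Constructed sample of `reg query HKCU\...\Run` output. Names, paths and
# the typo-squatted "svch0st.exe" are made up for this example.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    Dropbox    REG_SZ    "C:\Users\alice\AppData\Local\Dropbox\Dropbox.exe" /systemstartup
    svchost    REG_SZ    C:\WINDOWS\SYSTEM32\svch0st.exe
    updater    REG_SZ    C:\Users\alice\AppData\Roaming\updater\updater.exe
    Portable Firefox    REG_SZ    "C:\Users\alice\Documents\PortableApps\FirefoxPortable\FirefoxPortable.exe"
"""

# Hypothetical allowlist of (value name, command) pairs an admin has vetted.
# Commands are lower-cased and the profile directory replaced by
# %userprofile% so one list serves every user (see normalise()).
ALLOWLIST = {
    ("onedrive", r'"c:\program files\microsoft onedrive\onedrive.exe" /background'),
    ("dropbox", r'"%userprofile%\appdata\local\dropbox\dropbox.exe" /systemstartup'),
}

# One value line of `reg query` output: name, type and data separated by runs
# of spaces. Value names may themselves contain single spaces.
VALUE_LINE = re.compile(
    r"^\s+(?P<name>\S.*?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*\S)\s*$")

SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)


def parse_reg_query(text):
    """Return (name, type, data) for each value line in `reg query` output."""
    return [m.group("name", "type", "data")
            for m in map(VALUE_LINE.match, text.splitlines()) if m]


def executable_path(command):
    """Return the program a Run value launches, with arguments stripped."""
    command = command.strip()
    quoted = re.match(r'"([^"]+)"', command)
    if quoted:
        return quoted.group(1)
    unquoted = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    if unquoted:
        return unquoted.group(1)
    return command.split()[0] if command.split() else ""


def normalise(command, profile_dir):
    """Lower-case and make the user's profile path user-independent."""
    return command.lower().replace(profile_dir.lower(), "%userprofile%")


def classify_run_entries(reg_output, profile_dir, allowlist=ALLOWLIST):
    """Stage 1: drop allowlisted entries. Stage 2: anything launching from
    SYSTEM32 or AppData via a HKCU Run value is treated as the malware
    pattern; everything else left over is an unwanted (portable) program."""
    findings = []
    for name, _type, data in parse_reg_query(reg_output):
        if (name.lower(), normalise(data, profile_dir)) in allowlist:
            continue
        exe = normalise(executable_path(data), profile_dir)
        if SYSTEM32.match(exe) or exe.startswith("%userprofile%\\appdata\\"):
            verdict = "malware"
        else:
            verdict = "unwanted"
        findings.append((name, data, verdict))
    return findings


def response_actions(findings, phase):
    """The post's responses: mail support on a malware hit, log the user off
    if this is the logon run, disable the account; warn the user and mail
    the admin for an unwanted program."""
    actions = []
    if any(v == "malware" for _, _, v in findings):
        actions.append("email support staff")
        if phase == "logon":
            actions.append("log user off")
        actions.append("disable user account")
    if any(v == "unwanted" for _, _, v in findings):
        actions.append("warn user to remove program")
        actions.append("email admin")
    return actions


if __name__ == "__main__":
    # On a real Windows host the text would come from
    # subprocess.run(["reg", "query", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"], ...)
    found = classify_run_entries(SAMPLE_REG_QUERY, r"C:\Users\alice")
    for name, data, verdict in found:
        print(f"{verdict:8} {name}: {data}")
    print(response_actions(found, "logon"))
```

The allowlist is consulted before the malware heuristics on purpose: a vetted program that happens to live in AppData (Dropbox in the sample) must never be escalated to a logoff and account lockout, which is the false positive a system32/AppData rule would otherwise produce. Exact (name, command) matching also means a malicious value that reuses a vetted name with a different command still gets flagged.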