Having a Virus is NO FUN

Especially the Flu...

Recently my wife and I both came down with a bit of the flu (luckily our 12-month-old son didn't). I spent one day trying to tough it out at work and while I was there I got a call about someone who had just heard about the Microsoft IE 0-day on Dec 9. I guess it had just hit Yahoo! and had made it to this gentleman (who may not have read post #2, otherwise he'd have heard about it on the 9th). Since I was sick, I was at least happy that this admin was not going to let any computer be in my shape on his watch. On that day I wanted nothing else than to eradicate all viruses.

What's in a name...

We ran into a problem, though. I knew the threat as "THE Microsoft/IE 0-day (for right now)" and he knew the threat by what Trend Micro had caught on another admin's network. We do not use Trend Micro, so I could not use that name while searching our signatures. I looked for all different forms of Microsoft/IE that I could think of, still no dice. The other major AV vendors have similarly customized names for the same threat that I couldn't easily find. The downside to Virus Total is that you have to find an example of the vulnerability as a file or hash. This can sometimes be risky. More on this in future posts :o)

The various vendors didn't even classify the threat as the same type: some had it as phishing, some as a virus, some as a trojan, etc. This is why I keep calling it "the threat".

Enter CVE...
Common Vulnerabilities & Exposures.

We were able to track the threat by its CVE number. CVE is a standardized naming system used to track various types of threats. Major vendors and mailing lists use the CVE number so that you can quickly find exactly which threat you are searching for. Once a threat is established in CVE, various groups take that and run. You can use the CVE number to cross-reference various databases, from AV vendors to Internet security watchdogs.

The CVE number for the threat in question is CVE-2008-4844. This was even published in Microsoft's security bulletin.
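The cross-referencing described above, as an added example that is not part of the original post: it pulls CVE IDs out of free-text vendor bulletins and groups each vendor's own detection name and category under the shared ID. The vendors, detection names and bulletin text are constructed; only CVE-2008-4844 comes from the post.

```python
import re
from collections import defaultdict

# A CVE ID is "CVE-<4-digit year>-<sequence of 4 or more digits>".
# Bulletins are hand-typed, so tolerate case and separator variations.
CVE_RE = re.compile(r"\bCVE[-_ \u2013](\d{4})[-_ \u2013](\d{4,})\b", re.IGNORECASE)

# Constructed sample data: vendors and detection names are hypothetical.
BULLETINS = [
    {"vendor": "VendorA", "name": "Exploit.Example.IEXml.a", "type": "trojan",
     "text": "Drive-by download abusing Internet Explorer (CVE-2008-4844)."},
    {"vendor": "VendorB", "name": "JS_SAMPLE.DL", "type": "virus",
     "text": "Malicious script. Related advisory: cve 2008 4844"},
    {"vendor": "VendorC", "name": "Phish-Sample!html", "type": "phishing",
     "text": "Lure page; see CVE\u20132008\u20134844 for the underlying flaw."},
    {"vendor": "VendorD", "name": "Generic.Sample.Dropper", "type": "trojan",
     "text": "No vulnerability reference published yet."},
]

def extract_cves(text):
    """Return the canonical CVE IDs mentioned in free text, sorted, no duplicates."""
    return sorted({f"CVE-{y}-{n}" for y, n in CVE_RE.findall(text)})

def build_index(bulletins):
    """Map each CVE ID to the (vendor, name, type) entries that cite it.
    Bulletins citing no CVE are returned separately: they need manual review."""
    index, unmapped = defaultdict(list), []
    for b in bulletins:
        ids = extract_cves(b["text"])
        if not ids:
            unmapped.append(b["vendor"])
        for cve in ids:
            index[cve].append((b["vendor"], b["name"], b["type"]))
    return dict(index), unmapped

if __name__ == "__main__":
    index, unmapped = build_index(BULLETINS)
    for vendor, name, kind in index["CVE-2008-4844"]:
        print(f"{vendor:8} {name:26} classified as {kind}")
    print("No CVE cited, check by hand:", unmapped)
```

A bulletin that cites no CVE at all (VendorD here) cannot be matched this way and still has to be compared by hand.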

Now we know the name, who does what with it?

A great resource for techs who are trying to compare different AV vendors, or network admins who have various AV engines in deployment, is Virus Total. Virus Total simply spits out which of its systems recognized the file as malicious. Of course, the one drawback to this is that you have to trust Virus Total to give you up-to-date analysis and valid results. I do for the purpose of double checking patterns, but I would never take this over deploying an actual security solution.

You can always consult the website of your vendor as well. Most vendors, if not all, post bulletins on various threats on their sites. This is more complete than the Virus Total results, but can be harder to track down.

Sometimes it's ok to have a honeypot-like machine for testing. Make sure that the machine is COMPLETELY segregated from the network. Try to infect it beyond your defenses. If it makes it, assess further and find a solution to the problem. Then try again until you routinely see it defeated 100%. This is a good security stance. Just make 100% certain that this test environment is in no way in danger of infecting your production network.
Posted on 6:05 PM by Tim Cronin