
We had a worm infestation problem in our network. I have cleaned all the worms and have taken appropriate steps.

I wanted to know how you determine how the worm spread in the network.

Thanks,

Gary..

Thanks a lot guys for all the interesting articles. My basic question is: how do you determine how a worm spreads if you cannot obtain a sample of the worm? I have cleaned the worm from my systems and have no sample of the worm.

By looking at the security policy and the logs, can we know how the worm spread in the network?

thanks again,

Gary

user45019
  • It really depends on what you were infected with as to what its most likely vector onto your network was. Which worm was it? What platform(s) are you using/were affected? When you say you took appropriate steps, what were they? If the steps really were appropriate you should already have an idea of the cause to mitigate against it spreading further/again. – Mike1980 Jun 05 '10 at 18:45
  • +1 MikeR. I'd go further - if you don't know what the worm was then you *haven't* taken appropriate steps. If you know what it was then that should tell you/us how it spread. – Rob Moir Jun 05 '10 at 19:21
  • In fairness, knowing which worm doesn't always reveal how it got in. However, the complete lack of information in this question makes it extremely hard to give anything other than a generic answer. – John Gardeniers Jun 05 '10 at 21:13

3 Answers


Your request is very light on details, specifically which worm you were struck with, what your security policy was prior to the outbreak, and what "taken appropriate steps" means.

First, I would review my own security policy for holes or problems. If I didn't have a security policy, I would give up on figuring out how I was struck and assume it was my own fault for not having a solid security policy (I even have a security policy for my home machine, it is not written, but I follow it carefully and I have not in 5+ years been unintentionally struck by a virus).

Second, I would look for places where the security policy was not followed. I would use logs/event viewers on servers, PCs and routers until I had a good idea what happened. In a multi-user environment I would try to ask a few questions of the users who first noticed the outbreak, and clearly communicate that they are not in trouble (assuming I am allowed to make that call) and that their help is important. I would probably take several steps based on the information gathered here.

Third, I would update the security policy or my enforcement of it so that this would never happen again. This may mean installing updates in a more timely fashion, adding Antivirus to servers or PCs, tightening firewall rules, or maybe even educating users on why downloading smiley packs is a very bad idea. At this point I would also determine whether calling the authorities is an appropriate step. Many times I have contacted no one, twice it was escalated to the authorities.

Finally, I would perform an ongoing review of the security policy and check that the enforcement of it is working. I would do this using a variety of non-intrusive methods, and any time something was intrusive I would clear it with those involved, and I will always be aware of the cost vs. the benefit (no use overdoing security and getting in the way of those trying to do the work).

I know it is vague, but this is how I have done it. I have successfully identified a few threats this way and I have protected the teams I have worked with from many more. I have missed many more, but I used them all as an opportunity to make the system and workflow better. I also know that with a good security policy one could make it theoretically impossible to hack/infect, even when using numerous Windows PCs or other perceived insecure platforms. The reality is quite different because things never work exactly as planned. The idea is to have the gray area, where theory and reality meet up, be secure enough to prevent all the big problems and be usable enough to let people and the system work (or play or accomplish whatever goal).

Sqeaky

If you know the type of worm it was (via your preferred disinfecting tool), you will be able to find/google information/documentation on how that type of worm/virus spreads. From there, you should take into consideration a standardized method of protection for your clients and servers, if you don't already have one.

I hope you're not thinking of trying to trace how the worm actually spread through your network clients. This task would be time-consuming and overwhelmingly difficult, if not impossible.

l0c0b0x
  • Yes, I was thinking the same. I want to determine how the worm actually spread through the network. – user45019 Jun 08 '10 at 20:26

I fear that this isn't going to be as easy as you would like. If nothing else, your network is now different to the way it was when you got infected, so any investigation you do is not so likely to turn up valid results. Secondly, a lot of malicious software can be remarkably good at covering its tracks (a lot can be remarkably bad too...) so you're dependent on the relevant information having been logged in the first place.

So your approach is to identify what the worm was, read up on how it spreads, and make the reasonable assumption that that's how it spread in your network. I would guess however that you're more interested in how it got in, so that you can be certain that the door is closed in the future. This will most likely be one of the old favourites: users running with admin rights, uncontrolled USB device access, unsecured web access, use of older software, out of date AV, failure to keep up to date with security patches, bad firewall or gateway config, and so on. One of these will probably ring a bell with you, and info from an AV vendor's website will confirm it.

Maximus Minimus
  • Yes mh... I do not have a sample of the worm. I am more interested in how the worm got in and how it spread through the network. – user45019 Jun 08 '10 at 20:28
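Both Sqeaky's answer (work through the logs on servers, PCs and routers) and Maximus Minimus's answer (the entry point matters more than the hop-by-hop path) come down to the same log question: which host started fanning out first, and who touched whom before they started. The script below is an added example, not code from the question or any answer; it assumes constructed firewall-style connection lines, hypothetical 10.0.1.x hosts, and a worm that spreads over a single port (445 here), and it works back from the earliest scanner to a probable patient zero, which is the host whose entry vector then needs to be checked.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+)")
# Constructed sample log (hypothetical hosts): .23 fans out on 445 first, then .41, then .62; .50 is benign.
SAMPLE_LOG = """\
2010-06-01T08:00:05 SRC=10.0.1.50 DST=10.0.1.10 DPT=445
2010-06-01T08:01:10 SRC=10.0.1.23 DST=10.0.1.40 DPT=445
2010-06-01T08:01:11 SRC=10.0.1.23 DST=10.0.1.41 DPT=445
2010-06-01T08:01:12 SRC=10.0.1.23 DST=10.0.1.42 DPT=445
2010-06-01T08:03:00 SRC=10.0.1.41 DST=10.0.1.60 DPT=445
2010-06-01T08:03:01 SRC=10.0.1.41 DST=10.0.1.61 DPT=445
2010-06-01T08:03:02 SRC=10.0.1.41 DST=10.0.1.62 DPT=445
2010-06-01T08:10:00 SRC=10.0.1.62 DST=10.0.1.70 DPT=445
2010-06-01T08:10:01 SRC=10.0.1.62 DST=10.0.1.71 DPT=445
2010-06-01T08:10:02 SRC=10.0.1.62 DST=10.0.1.72 DPT=445
"""

def parse(text):
    """Return [(time, src, dst, port)] for lines matching LINE_RE; other lines are skipped."""
    ms = filter(None, map(LINE_RE.match, text.splitlines()))
    return [(datetime.fromisoformat(m[1]), m[2], m[3], int(m[4])) for m in ms]

def first_scan_times(events, port=445, window=timedelta(seconds=60), fanout=3):
    """Earliest time each host reached >= fanout distinct peers on port within one window."""
    per_src = defaultdict(list)
    for t, src, dst, _ in (e for e in events if e[3] == port):
        per_src[src].append((t, dst))
    first = {}
    for src, conns in per_src.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):
            peers = {d for t, d in conns[i:] if t - t0 <= window}
            if len(peers) >= fanout:
                first[src] = t0   # host began worm-like fan-out here
                break
    return first

def propagation_tree(events, **kw):
    """[(host, first_scan_time, probable_parent)] in infection order; parent None = patient zero."""
    first = first_scan_times(events, **kw)
    tree = []
    for host, t0 in sorted(first.items(), key=lambda kv: kv[1]):
        parent = None  # last already-scanning host that contacted this one before it started scanning
        for t, src, dst, _ in events:
            if dst == host and src in first and first[src] <= t < t0:
                parent = src
        tree.append((host, t0, parent))
    return tree
```

A host with no parent in the result is the one to investigate for the entry vector (USB, VPN, unpatched exposed service), which is the question the answers above say matters most; tune `port`, `window` and `fanout` to the worm identified by your AV tool.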