A New Weapon of Mass Destruction:
A Malware Infection
1. INTRODUCTION
A disaster that threatens the continuity of business activities can happen at any time, and it does not have to be a physical disaster such as an earthquake or hurricane. Increasingly, the availability and reliability of networks and infrastructure are compromised by malware: viruses, worms, and Trojans designed to impact network and employee productivity. Malware represents the deliberate and malicious release of software that is designed to impact the productivity and profitability of individuals and corporations. ICSA Labs reports an infection rate of 105 for every 1,000 computers. A disaster caused by malware is defined as a simultaneous attack on 25 or more computers, or an attack causing major damage. The impact of downtime (defined as a significant loss of availability and reliability of networks, hardware or software) equates to lost revenue and increased expenses for the affected business. As many sales, manufacturing, administrative, and production functions are automated and depend on networks for access, the unrecoverable loss of data can close a business permanently. Contingency Planning Research (2000) estimates the cost of one hour of downtime for various industries in Figure 1 (http://www.ontrack.co.uk/datarecovery/cost.asp). It is estimated that only 6 per cent of the companies suffering a catastrophic data loss survive the business disruption. The worldwide loss to malware is not trivial: the legendary Love Bug cost $9.63 billion; the leading virus of 2002, Klez, cost $9.9 billion; Code Red cost $2.89 billion; and the more recent SQL Slammer is estimated to have cost $1 billion (MI2g). In 2012, an estimated $110 billion was lost to cybercrime.
The Cost of Downtime

Type of Industry                        Cost per Hour
Retail brokerage                        $6.45 million
Credit card sales authorization         $2.6 million
Infomercial or 800-number promotions    $199,500
Catalog sales centers                   $90,000
Airline reservations                    $85,000
ATM service                             $14,000

Figure 1. Estimated cost of one hour of downtime by industry (Contingency Planning Research, 2000).
Less obvious in terms of loss is the productivity of employees who depend on computers for operations and customer support, plus the opportunities lost through missed sales and reduced customer satisfaction. A business continuity plan can prepare for the unexpected interruption of computer operations. Ideally, this plan should include the eventuality of a malware infection that disrupts operations for a significant period of time. ICSA Labs surveyed firms with more than 500 computers and found that the time to recover from each malware disaster in 2002 was 23 days. Seventy-five per cent of those surveyed had a significant virus outbreak and 62% had critical files corrupted by malicious programs. A plan should outline the activities of the IT organization, and the recovery steps and work-arounds for all impacted business units, in order to quickly resume operations. With the cost of a malware clean-up estimated by ICSA at $81,000, a plan to minimize losses is a critical component of overall business strategy.
The first line of defense against malware disasters has been anti-virus software that can detect viruses, worms, and Trojans in email attachments, files, and web sites. Despite the presence of anti-virus software, companies continue to experience infections; in fact, most of the recent major infections occurred despite adequate anti-virus protection.
The authors of malware have been prolific in exploiting vulnerabilities in desktop and server operating systems, creating malware that bypasses anti-virus products. A virus writer summarized the issue of vulnerabilities: "Some of these vulnerabilities have been known for years and the biggest of them has been known for centuries; Human Stupidity" (Delio). Malware has become more sophisticated with the creation of blended threats: a threat that spreads like a worm as well as an email virus, making it harder to control and to get rid of. Virus writers use social engineering techniques to ensure that their damaging payloads are delivered. Companies often omit from their continuity plans any provision for training employees to recognize the social engineering that virus writers rely on to get an infected payload into the company.
The following case describes a hypothetical incident. In reading this case keep in mind that this company believed that they were adequately prepared against malware disaster because they had installed an anti-virus product on the desktops and servers. Thousands of computers were infected with malware not recognized by the latest antivirus software.
2. CASE OVERVIEW
ACME Industries is a multi-national catalog sales corporation with offices in 30 states and 3 countries, and 2,600 employees. The CEO is Andrew James, a man committed to technology and known throughout the company as a technology buff. The company has a frame relay WAN (wide area network) connecting all offices, and each office has its own Windows 2003 server. The home office is located in California, where the IT department staff reside. While most offices are small, with fewer than 50 employees, the home office has the bulk of the operations and sales staff, numbering 600 employees. The IT department is led by Ms. Pamela Lau, the CIO. She has an IT manager, Jim Smythe, who directs the IT operations. The infrastructure consists of HP servers, a high-speed fiber backbone, switching technology, desktops running Windows XP SP2 and JRE 1.4, and servers running Windows Server 2003, with an anti-virus product on all servers and desktops as well as firewall technology. Jim Smythe is challenged to manage a network and desktops that are spread throughout the US and relies on out-sourced technical support in regional areas to service the computing needs of many staff. Additionally, he sends a team of his desktop and network support staff quarterly to the larger U.S. and international offices to perform maintenance. Ms. Janis Moto is the help desk manager and is the point of contact for employees who need support or service for their desktop. The company has a DR plan that was written in 2005 but not updated since. It does not cover malware as a potential disaster.
3. First Infection: Monday, Feb. 3
In the afternoon, some employees at the home office returned from lunch and found yellow tickets under the windshield wiper of their cars notifying them that they had improperly parked in the parking lot used by ACME Industries employees. The ticket said:
PARKING VIOLATION. This vehicle is in violation of standard parking regulations. To view pictures with information about your parking preferences, go to www.parking_regs_for_u.com.
Employees that received the parking ticket went to the web site indicated on the ticket, and saw the following picture of cars in their town parked in the lot that they used.
Employees followed the directions on the web site to click on the picture, an action that caused a message to appear directing the user to download a plug-in that was required to see a video on parking violations. The employees followed the directions and viewed a 2-minute video on how to park a car. After viewing the video, employees experienced an unexpected shutdown of their computer while they were working. Attempts at rebooting sent them into an endless reboot loop. A desktop support technician, visiting the office on other business, looked at a couple of the misbehaving computers and identified symptoms typical of malware. To stop it from spreading, she told the infected users to log off the network and wait for the help desk to contact them about fixing their machines. The support technician let the help desk know about the problem and figured that the help desk would tell employees to update their virus definition files.
3.1 The Trojan Spreads: Tuesday, Feb. 4
Early in the morning of the next day, the malware had spread from dozens of computers to any computer attached to the network, infecting hundreds of desktops and laptops. The help desk began receiving calls at 7 am from frantic users with computers that would not boot. After the first 100 tickets were recorded, the help desk manager, Ms. Moto, was contacted. She was unsure what to do, so she called Mr. Smythe (the network manager) to see if he knew what should be done. By 9 am there were 900 help desk tickets for this incident. Help desk staff were telling the increasingly angry users to just leave their machines off. Jim Smythe was paged by his lead network engineer, who reported that the servers were exhibiting the same behavior. The email, file, web, and application servers were all shut down.
By 10 a.m., the CIO had been called and decided to form a team to deal with the Trojan infection. Two hours later, the team had decided on a leader and authorized a consultant to be hired to help them with the problem. Voice mail was sent to all employees that there was no email for U.S. employees, no remote access for mobile users, no connection to offices in other countries, and no communication with stores, which could still process sales and credit card transactions but could not look up customer data or inventory at other locations. Customers attempting to reach the company web site only received a “Cannot open specified file” message. The team discussed re-imaging all the computers in the company as a solution, but the CIO was afraid that the data on the users’ laptops would be destroyed, and the users could not back up their critical data when they couldn’t use their computers. The servers could be backed up following the DR plan, but the vector for the malware infection was unknown and everyone feared a re-infection.
By noon, the team knew how damaging the malware was, and the CEO authorized everyone at headquarters to go home. The only exceptions were 50 employees on a secondary network that hadn’t been infected running critical programs on the AS400 mainframe, which controlled shipping and inventory. The AV vendor was contacted and requested a sample of the malware code.
The consultant arrived at 2 pm and found some of the malware’s Visual Basic code with the header, “A clever virus by Dark Sam written in the year 2011.” The IT desktop staff examined one of the infected computers and found code in the Registry identifying the malware as BadBoy. They emailed the code to the anti-virus vendor’s research lab using a personal laptop of one of the IT staff. The vendor’s research team discovered that BadBoy was a network-aware worm that spreads through a dropper that infects both the Registry of the computer and network shares by hiding in Windows files. When a user executes the infected file, the malware adds itself to the startup folders and places the plug-in.exe file in the start-up path. It attempts to copy itself to the network shares and spreads the infection.
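The persistence mechanism the vendor describes (a Run entry in the Registry plus a copy of plug-in.exe in the startup path) is exactly what a technician can audit on a suspect desktop before any cleaning starts. The script below is an added example, not part of the case or any vendor's tool: it parses a `reg export` of the two Run keys and a listing of the Startup folder, and flags every autostart entry that is either a known indicator from the incident or absent from a baseline allowlist. The REG_EXPORT text and STARTUP_LISTING are constructed sample input, and ALLOWLIST is a hypothetical baseline for this desktop build; only the plug-in.exe indicator comes from the case narrative.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input (not from the case): a `reg export` of the two Run keys
# taken from one desktop, with one entry pointing at the dropped plug-in.exe.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVAgent"="\"C:\\Program Files\\AV\\agent.exe\" /tray"
"Updater"="C:\\WINDOWS\\system32\\plug-in.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# Constructed sample input: a directory listing of the all-users Startup folder.
STARTUP_FOLDER = r'C:\Documents and Settings\All Users\Start Menu\Programs\Startup'
STARTUP_LISTING = ['desktop.ini', 'Adobe Reader Speed Launch.lnk', 'plug-in.exe']

# Hypothetical baseline: image names this desktop build is expected to autostart.
ALLOWLIST = {'agent.exe', 'ctfmon.exe', 'desktop.ini', 'adobe reader speed launch.lnk'}
# Indicator from the case narrative: the file the dropper places in the startup path.
INDICATORS = {'plug-in.exe'}

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s: str) -> str:
    """Undo .reg escaping (a backslash quotes the next character)."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][unescape(m.group(1))] = unescape(m.group(2))
    return keys


def image_name(command: str) -> str:
    """Lower-cased file name of the executable a Run value launches."""
    m = re.match(r'"([^"]+)"|(\S+)', command)
    path = (m.group(1) or m.group(2)) if m else command
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def classify(name: str, allowlist, indicators):
    """Reason an entry deserves attention, or None if it is on the baseline."""
    if name in indicators:
        return 'matches known indicator ' + name
    if name not in allowlist:
        return 'not on allowlist: ' + name
    return None


def audit_autoruns(reg_text=REG_EXPORT, startup_listing=STARTUP_LISTING,
                   allowlist=ALLOWLIST, indicators=INDICATORS) -> List[Tuple[str, str, str]]:
    """Return (location, entry, reason) for every autostart entry worth a technician's attention."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().endswith(r'\currentversion\run'):
            continue
        for value_name, command in values.items():
            reason = classify(image_name(command), allowlist, indicators)
            if reason:
                findings.append((key, value_name, reason))
    for entry in startup_listing:
        reason = classify(entry.lower(), allowlist, indicators)
        if reason:
            findings.append((STARTUP_FOLDER, entry, reason))
    return findings


if __name__ == '__main__':
    for location, entry, reason in audit_autoruns():
        print(f'{location}\n    {entry}: {reason}')
```

Run against the sample input, the audit reports the Updater value under HKLM and the plug-in.exe file in the Startup folder, and nothing else. The allowlist is deliberately a baseline of what the build should autostart rather than a list of known-bad names, so an entry is reported even when the dropper picks a name nobody has seen before.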
Team members were desperate to hear from the anti-virus vendor’s help desk. The IT manager called the help desk and demanded to speak with a manager, who said the company needed to wait 24 hours for a response. The IT manager became angry and vowed never to use their product again.
The CIO called the local police who referred her to the FBI. At first, the person who answered the phone at the FBI wasn’t sure if the case fell under the bureau’s domain, and asked the CIO to substantiate the dollar loss and amount of damage. The CIO knew there was lost business, and possibly more than $5,000 damage. Stores were affected in more than one state. The FBI started building a case, in hopes of bringing the perpetrator to trial with enough damage to make a prosecution worthwhile. They asked for samples of code to begin looking for clues as to the identity of the malware writer.
3.2 Late Afternoon: Wednesday, February 5th
Wednesday afternoon, the AV developers sent a first attempt to find BadBoy on the disk drive and clean any infected files. The “fix” found the malware but destroyed some critical operating system files, and the computers wouldn’t boot. Disheartened, the IT team and consultant came up with step two of what would be called the “temp fix”: a way to clean the hard disk of the plug_in.exe. Technicians used a text search utility that works in DOS to search for a text string that identified BadBoy. When they found the malware, they spent from five to 10 minutes manually removing the malware code from all file locations. The team of technicians visited each desktop, marking each one with a green sticker to indicate that the machine was “fixed”, and also began locating and cleaning infected files on the file servers at the home office.
Users at ACME Industries had now been without access to a computer for three days and were getting frustrated. The help desk was unable to broadcast when the malware infection would end and connectivity would be restored. The sales manager, seeing his quarterly bonus disappearing with the failure to close a couple of big sales, locked himself in his office to use his personal laptop despite the warnings by the team not to use any computers on the infected network. He subsequently infected his laptop and a server that had been “cleaned” of the malware.
The AV vendor’s attempts to detect, clean and fix what the malware had done were getting better. By Friday afternoon, they sent a fix that both identified and removed the malware. The IT team skipped the rest of the homegrown manual clean and began focusing on the remainder of the computers and servers. Desktop support technicians spent the rest of Friday, all day Saturday and half of Sunday returning to all 600 PCs in the home office. This time, they taped signs to all “cleaned” computers warning users not to power up until they got the OK. No plan was yet in place to deal with the other offices at distant locations. They decided to meet later that day to plan how to repair the remaining hardware.
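Two lessons sit in the "temp fix" episode: a signature search is a workable stop-gap when the vendor has no detection yet, and deleting or editing whatever matches is how the vendor's first fix broke operating system files. The script below is an added example (not the team's utility, not the vendor's fix) of a safer version of the same idea: it walks a directory tree for a byte signature, moves matches into a quarantine directory with their relative path intact, records each file's SHA-256 in a manifest (the sample the vendor and the FBI asked for), and only reports, never touches, matches inside protected system trees. The signature is the header string the consultant found, quoted from the case; the PROTECTED_TREES policy and the fake disk layout built by build_sample_tree are constructed for the example.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import List, Tuple

# Marker the case says the consultant found in the malware's source, searched as raw bytes.
SIGNATURE = b'A clever virus by Dark Sam written in the year 2011'
# Hypothetical policy: top-level trees the scanner reports on but never modifies.
PROTECTED_TREES = {'windows', 'program files'}


def scan_tree(root: Path, signature: bytes = SIGNATURE) -> List[Path]:
    """Return every regular file under root whose bytes contain the signature."""
    hits = []
    for path in sorted(root.rglob('*')):
        if path.is_file() and signature in path.read_bytes():
            hits.append(path)
    return hits


def is_protected(rel: Path) -> bool:
    """True when a root-relative path lies inside a protected tree."""
    return bool(rel.parts) and rel.parts[0].lower() in PROTECTED_TREES


def quarantine(root: Path, qdir: Path, signature: bytes = SIGNATURE) -> Tuple[List[str], List[str]]:
    """Move matches outside protected trees into qdir (keeping their relative path) and
    log each file's SHA-256 to a manifest; matches inside protected trees are only listed
    for manual review. Returns (quarantined, needs_review) as root-relative POSIX paths."""
    qdir.mkdir(parents=True, exist_ok=True)
    moved, review, manifest = [], [], []
    for hit in scan_tree(root, signature):
        rel = hit.relative_to(root)
        digest = hashlib.sha256(hit.read_bytes()).hexdigest()
        if is_protected(rel):
            review.append(rel.as_posix())
            manifest.append(f'REVIEW      {digest} {rel.as_posix()}')
            continue
        dest = qdir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(hit), str(dest))
        moved.append(rel.as_posix())
        manifest.append(f'QUARANTINED {digest} {rel.as_posix()}')
    (qdir / 'manifest.txt').write_text('\n'.join(manifest) + '\n')
    return moved, review


def build_sample_tree(base: Path) -> Path:
    """Constructed fake disk: two dropped copies, one clean document, one marked system file."""
    files = {
        'Documents and Settings/jdoe/Desktop/plug-in.exe': b'MZ' + SIGNATURE + b'\x00payload',
        'Shares/sales/quotes.xls': b'\xd0\xcf\x11\xe0 clean spreadsheet bytes',
        'Shares/sales/plug-in.exe': b'MZ' + SIGNATURE,
        'WINDOWS/system32/kernel32.dll': b'MZ real code ... ' + SIGNATURE,
    }
    for rel, content in files.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return base


def run_demo() -> Tuple[List[str], List[str], List[str]]:
    """Build the sample tree in a temp dir, quarantine, and report what still matches."""
    work = Path(tempfile.mkdtemp())
    try:
        root = build_sample_tree(work / 'disk')
        moved, review = quarantine(root, work / 'quarantine')
        remaining = [p.relative_to(root).as_posix() for p in scan_tree(root)]
        return moved, review, remaining
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == '__main__':
    moved, review, remaining = run_demo()
    print('quarantined:', moved)
    print('needs manual review:', review)
    print('still matching:', remaining)
```

On the sample tree the two dropped copies are quarantined, the clean spreadsheet is untouched, and the marked file under WINDOWS is left in place and listed for a person to decide on, which is the step the vendor's first fix skipped. Because quarantined files are moved rather than deleted, a false positive is reversible and the manifest hashes let the team prove which samples they sent out.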
4. THE NEXT WEEK: RECOVERY
Monday morning at 10 a.m., the intercom in the home office finally announced the good news: employees could use their computers again. Stores could now communicate. European and U.S. locations could now communicate. (European locations, which were warned about the malware by fax, only had a few infections.)
For IT, however, the war wasn’t over. A dozen computers in the home office were so corrupted that the technicians needed to completely reinstall the operating systems and applications. There were details to take care of with the servers, remote office locations (with 1,500 infected desktops), and 500 mobile users who needed to overnight their laptops to headquarters for fixing. The loss of some critical data files impacted the sales staff and efforts would begin to attempt recovery from back-up devices.
5. THE CONSEQUENCES
The CIO and CEO had no idea how to value the lost productivity for over 2,000 employees or to calculate the loss in sales when communication with customers and suppliers was cut off for a week. The FBI pursued the lead provided by the IT department and contacted DaRkSaM. He took full credit for “BadBoy” but defended himself, saying he only writes and publishes viruses on the Internet and couldn’t prevent others from downloading and releasing them into the wild. He wrote in an email to the investigating FBI agent from the safety of his home in Romania that, “Better that you find out about how stupid your users are through my virus than through some unethical hacker smashing into your machines and stealing all your so-called private data.” For DaRkSaM, it was an issue of free speech and performing a community service. In his view it was not negligence but a charitable donation of time to provide assistance to businesses.
Questions (hint: the year is 2013). Provide your answers in a Word document. Please be thorough in your answers.
1. What are the potential cause(s) of the malware spreading?
2. Describe how this type of malware spread from a PC.
3. Would a disaster plan have mitigated the damage?
4. What steps should have been included in a DR plan to manage this type of disaster?
5. Should the IT team have initiated repair? Explain
6. Should law enforcement have been alerted? If so which agency?
7. What DR procedures would you suggest be in place for any malware attacks?