Combating File Infectors on Corporate Networks

In this age of botnets, rootkits, spyware, and other bleeding-edge security threats, file infectors are frequently thought of as a dead threat. Yet we continue to see classic file-infecting viruses enjoy a high degree of success in the wild ”” causing widespread damage to computer systems. This inspired me to revisit traditional countermeasures used against file-infecting viruses and propose new approaches to improving existing systems.

Last month, I got to present my research on this subject at Malware 2008 - the 3rd International Conference on Malicious and Unwanted Software. The paper is titled “Combating File Infectors on Corporate Networks” and presented below is an extract from the paper:

“We regularly come across simple parasitic infectors that manage to infect every workstation and server on the network. And administrators are at their wits’ end trying to figure how the simplest of viruses managed to spread and infect every networked machine in so little time and with such stunning effect.

Administrators routinely attend to distress calls from hapless users whenever they have an issue with their workstations. And administrators typically tend to log onto the affected workstation using their own account””which has domain administrative credentials.

For a moment, let us assume the user whose workstation was acting weird was infected with a worm/virus. What could possibly go wrong from here?

Most worms routinely scan for any alive hosts on the network using ICMP or NetBIOS broadcasts and then attempt to connect to the administrative shares of the hosts they find, using the credentials of the currently logged-on user. If the initial login attempt using a regular user account fails, the worm attempts a brute-force attack on the admin account using a predefined list of hard-coded usernames and passwords. Because most corporations have enforced complex password policies these days, brute-forcing is hardly effective.

However, when an administrator logs to the affected machine using their domain admin account, the worm now runs on the affected machine using the elevated credentials of a domain administrator. Straight away the worm can now infect and spread to any host on the domain using these newly acquired administrative credentials. And in a matter of minutes the entire network with thousands of machines gets infected””by the dumbest of worms. And all this because an ignorant administrator committed the cardinal sin of logging into an infected machine using their own account.”

Interested readers can download a copy of the paper from the McAfee Avert Labs White Papers page.