Fighting W32.Spybot.Worm

Over the last three days I have had the pleasure of assisting one of my clients with a serious virus infection. The circumstances which led to their infection are enough to warrant a blog entry all by themselves—but the fact that this was a new virus should make this both an entertaining and informative article.

Three Strokes of Bad Luck
Let me start by saying that this client is very security conscious. They employ the latest firewall technology. They use an industry-standard antivirus product suite. They even refer to my patch baseline spreadsheet and use Microsoft SUS to ensure that they are protected against the most critical Microsoft vulnerabilities. However, even all these technologies were unable to protect them from our friend W32.Spybot.Worm.

The first stroke of bad luck hit when their Exchange 2000-based antivirus product experienced a hiccup and let a few virus-infected attachments get into the network (it is programmed to block typical virus attachments ending in .pif, .bat, .exe, etc.) Now, in a perfect world this would never happen—but anyone who works with technology can tell you the world is far from perfect. The product in question is Symantec Antivirus for Exchange 4.5.2, which is actually a good product. Regardless, for some reason it had been misbehaving for a few days. Unfortunately, no one had looked at the Symantec logs to discover this until after the infection was already underway. Chalk this one up to bad luck exacerbated by overworked network administrators.

The second issue has to do with the W32.Spybot.Worm itself. This virus has been around for more than a year and consists of over 1000 variants. Unfortunately, for my client, the virus that made its way into their network was a new variant that had not been seen before. This means that all their virus protection was worthless since it did not “recognize” the signature of this version. Remember that antivirus products are reactive by nature—they are only as good as their definitions. And how are the definitions updated? You guessed it; people submit suspected viruses to the antivirus software vendor for analysis and inclusion in the next round of definition updates. That is exactly what happened in this situation. After a lengthy phone call with Symantec, they determined that we indeed had a new variant of W32.Spybot.Worm. We uploaded the files we thought were infected (which we sniffed out the old-fashioned way) and they wrote a new set of definitions. It took them almost 24 hours to get the file up on their web site. That is a long time to wait when 80% of your workstations are infected.

The third and final circumstance that led to this situation getting out of hand is missing patches. As I said earlier, the client uses SUS to deploy Microsoft critical security updates. Unfortunately, they had missed one important update known as MS04-011. Even less fortunate was the fact that the W32.Spybot.Worm variant that found its home on a couple machines via e-mail was now spreading throughout their network due to the MS04-011 security vulnerability. If all their workstations had the MS04-011 patch applied then the virus would have been confined to the few machines that received and opened infected attachments. However, the virus was able to spread beyond these initial machines WITHOUT user interaction. After much research and discovery, we came to the realization that the only machines not infected were Windows XP machines running SP2 and most of their servers that had the MS04-011 patch installed.

Preventing Future Outbreaks
Now that we have looked at the circumstances that led to the infection, let’s talk about some methods of preventing this type of incident.

1. Monitor your logs: It is possible that if the issue with the Exchange e-mail scanner had been discovered and fixed the virus wouldn’t have made it into the network in the first place. The Exchange e-mail scanner would have blocked the entire message due to its attachment name even though it did not know about this particular variant of W32.Spybot.Worm.

2. Audit your systems: Missing a critical patch the first time around is a legitimate mistake. Nevertheless, not auditing the systems on a regular basis to ensure the patches are distributed and installed correctly is a serious mistake. Granted, SUS v1 does not have built-in reporting capabilities, but the free Microsoft Baseline Security Analyzer can be easily configured for automated scans of the entire network. These scans can look for missing critical updates and alert the administrators that the initial installation was unsuccessful.

3. Block outbound traffic through your firewall: One of the methods this virus uses to propagate throughout the network is to download additional virus files from a remote server via FTP. Had the client’s firewall been configured to block these outbound FTP requests the virus may not have spread as efficiently. Most firewalls should only allow outbound web (http) and secure web (https) traffic by default. All other protocols should be blocked by default and exceptions made on a case-by-case basis. For instance, servers will most likely need access to other services such as DNS and SMTP. However, leaving outbound traffic wide open is not the best security strategy.

4. Use host-based intrusion detection: This is an awful big stick… but something that more organizations are warming up to. Host-based IDS is designed to monitor the behavior of the machine itself, looking for suspicious activities such as buffer overflows, unknown files writing themselves to critical system folders, etc. McAfee is beginning to offer this type of protection with their corporate antivirus products. It is not the best host-based IDS product on the market—but it is a sign that the technology is becoming more mainstream. My company is a Cisco partner and we recommend Cisco’s best-of-breed host IDS product called CSA. You can learn more about host IDS products by searching Google or visiting McAfee or Cisco’s web sites.

That’s all for this blog entry. I may expand on some of the points here in future articles. Drop me a comment if something is of particular interest.