Archive for the ‘Security’ Category

Protecting your Organization – Acceptable Use Policy #1

As an IT professional, one of the first steps you need to take to protect your organization is to draft and implement an Acceptable Use Policy (AUP). An AUP is pretty standard in most organizations and should be in place whether you have 5 or 50,000 users. If you do not have an Acceptable Use Policy, you do not have to reinvent the wheel: you can find samples online that you can tailor to your needs. A few samples can be found here. Once you have drafted your policy, you may need to have your organization’s legal counsel review it before it is distributed. Next you will need to work with your HR department to ensure that the policy is communicated and that each employee signs a document saying that they have not only read the policy but also understand it. Understanding is the key component of the employee sign-off. Many a wrongful termination case has been won by the employee simply saying “they just told me to sign it, I didn’t understand.”

Now that you have your AUP in place, you must ensure that it has bite. An AUP without consequences is like an alligator with no teeth: it may intimidate some, but in most cases it will be ignored. When you investigate AUP violations, ensure that your HR team is involved and that your evidence is bulletproof, e.g. make sure your policy states that the employee is responsible for all use of their assigned asset. This removes the “my son must have been using my company computer” excuse.

Lastly, as an IT manager you need to start actively looking for violations. Too many managers and administrators turn a blind eye and think that this does not affect their organization. The truth of the matter is that if your organization is larger than 10 people it probably will affect you, and no industry is immune. One of the most recent cases to make the news here in Vancouver involved Vancouver School Board employees at the maintenance shed: several employees were caught viewing pornography on company systems and on company time.

No matter how you personally feel about pornography, it is certainly offensive to some and it is a legal risk for your organization. Not only do organizations need to consider lost productivity, but a lot of adult websites are riddled with trojans and viruses just waiting to infect your corporate workstations. Remediating these infections is costing organizations billions of dollars.

While pornography is the predominant AUP violation, it is not the only one. More and more organizations are letting their end users have local administrative rights on the workstation. This has led to everything from pirated software to freeware and shareware being installed. Leaving the legal licensing risks aside, there are numerous corruption and infection risks associated with such software.

Having a strong AUP is by no means a complete solution. It will not solve all of your user-related problems. However, it is the first step in ensuring that your organization is well protected and a mandatory part of ensuring that your organization is doing its “due diligence”.

Posted 30 December 2009

FakeAV makes a comeback

In 2008, across my clients, I saw a lot of cases of Windows Antivirus Pro 2008 variants… Towards the end of the year and through most of 2009 I didn’t see a lot of infections. However, it looks like it has regrouped and come back in full force. I’m seeing an escalating number of FakeAV infections with my clients. I’m still investigating how the infections got there, because the users stretch across a lot of different roles… developers, merchandisers and accountants. Unfortunately, web history and the installed application list haven’t been any help.

I do, however, have a remediation plan.

Step 1. Download Combofix from a reputable source on a clean, working workstation.

Step 2. Copy the Combofix executable to a USB drive.

Step 3. Reboot the workstation and load Windows in Safe Mode with Command Prompt.

Step 4. Run the Combofix executable from the USB drive.

Step 5. Let the computer reboot and let Combofix complete.

Step 6. Use an antivirus client other than Trend Micro (as it won’t see the virus… it’s useless, I know) to complete a scan on the remediated workstation. It should come up with an all clear.

Step 7. Return the workstation to the end user.

On the variant that is out right now this remediation path has been very successful for me. I hope it is for you.

Posted 01 December 2009

Investigating Local Workstations

In any organization one of its greatest assets is its employees. However, in the information age, one of its greatest liabilities is also its employees. I cannot tell you the horror stories of compromised information and systems that I have come across in my days as a System Engineer. In my current role, I frequently get escalations and automated notifications about compromised workstations. The initial part of investigating these workstations often needs to be done without the end user’s knowledge or interaction. This means I need to leverage three different interfaces (WMI, RPC and the file system). The first thing that I want to know is…

What has the end user installed?

If your users are anything like my end users, they violate the Acceptable Use Policy (AUP) with great vigour. They install all kinds of garbage on their notebooks that A) has no business purpose, B) comes with hidden bonus items such as trojans and backdoors, and C) violates various licensing laws and rules.

[Screenshot: SCCM Resource Explorer]

My primary method of investigating installed software is the SCCM Resource Explorer tool. This leverages the WMI interface and gives me a nice list of installed products. If I start seeing items such as BitTorrent clients, I automatically know that this is not going to end well.

Sometimes, though, for some strange reason the workstation I’m trying to investigate does not have the SCCM client on it. This is when I use a great free tool from the folks at ManageEngine. They put out some free tools that allow you to leverage the RPC interface. One of the tools included in the package is called Software Inventory. This tool connects to the remote machine using your admin credentials and produces a list of installed software.

[Screenshot: ManageEngine Windows Tools, Software Inventory]

Once you know what is installed, you often have a good idea of what you are dealing with. Often it’s just time to reimage the workstation. However, if you don’t have enough evidence to support the reimage, you need to dig further; the next step is investigating the applications in the ‘Startup’ category.

MSCONFIG

MSConfig is a great place to look for viruses and trojans that start with the workstation. In the last year, though, I’ve noticed that the trojans are getting a lot trickier and do not show up in MSConfig.

[Screenshot: msconfig]

Trend Micro – HiJack This

HijackThis used to be an open-source tool until it was bought by Trend Micro. This tool allows you to see what starts when the operating system boots and which Browser Helper Objects are integrated into the browser. If you start to see items and DLLs registered that should not be there, you definitely want to investigate further. Trend still offers HijackThis for free on their website or at download.com.

Run Once

The next place you want to look is the “Run Once” portion of the Windows Registry. This is often where trojans and viruses hide themselves. The registry keys that you want to look at are:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

[Screenshot: RegEdit, Run key]

Services

The Services MMC console is another great place to look for viruses and trojans. A quick perusal of the running services might indicate an infection, and the specific infection will determine the remediation.

[Screenshot: services.msc]
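The three checks above (installed software over WMI/RPC, the Run keys, and the running services) can be pulled off a workstation in one pass without sitting at the user’s desk. The following PowerShell script is an added example written for this post; it is not one of the tools the post names and not the author’s own script. It assumes you hold local administrator rights on the target, that the Remote Registry service is running there (OpenRemoteBaseKey talks to it over RPC), and that Get-WmiObject is available. The “trusted roots” list and the asterisk flagging are simple heuristics chosen for this example, not a detection signature.

```powershell
# Added example (not from the original post): one-pass triage of a workstation,
# collecting installed software, Run/RunOnce entries and running services.
# Assumptions: local admin on the target, Remote Registry service running there,
# PowerShell 2.0+ with Get-WmiObject. Run as: .\triage.ps1 -ComputerName PC123
param(
    [string]$ComputerName = $env:COMPUTERNAME
)

# Paths a legitimate, centrally installed program normally lives under.
# Anything that starts elsewhere (user profile, temp, root of C:) gets flagged.
$trustedRoots = @('C:\Windows\', 'C:\Program Files\', 'C:\Program Files (x86)\')

function Test-SuspiciousPath([string]$Command) {
    if (-not $Command) { return $false }
    # Strip quotes and arguments so only the executable path is compared.
    $exe = ($Command -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    foreach ($root in $trustedRoots) {
        if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    }
    return $true
}

function Get-RemoteKeyValues([Microsoft.Win32.RegistryHive]$Hive, [string]$SubKey) {
    # OpenRemoteBaseKey uses the Remote Registry service (RPC) on the target.
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($Hive, $ComputerName)
    $key = $base.OpenSubKey($SubKey)
    if ($key -eq $null) { return @() }
    $key.GetValueNames() | ForEach-Object {
        New-Object PSObject -Property @{ Name = $_; Data = $key.GetValue($_) }
    }
}

# 1. Installed software: read the Uninstall keys rather than Win32_Product,
#    which is slow and triggers an MSI consistency check on every query.
Write-Host "== Installed software on $ComputerName =="
foreach ($path in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                  'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall') {
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $uninstall = $base.OpenSubKey($path)
    if ($uninstall -eq $null) { continue }
    foreach ($name in $uninstall.GetSubKeyNames()) {
        $app = $uninstall.OpenSubKey($name)
        $display = $app.GetValue('DisplayName')
        if ($display) {
            $publisher = $app.GetValue('Publisher')
            $flag = if ($publisher -notmatch 'Microsoft') { '*' } else { ' ' }
            "{0} {1}  [{2}]" -f $flag, $display, $publisher
        }
    }
}

# 2. Autostart entries: the Run keys the post lists plus their RunOnce siblings.
Write-Host "`n== Run / RunOnce entries =="
$runKeys = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($sub in $runKeys) {
    Get-RemoteKeyValues 'LocalMachine' $sub | ForEach-Object {
        $flag = if (Test-SuspiciousPath $_.Data) { '*' } else { ' ' }
        "{0} HKLM\{1}\{2} = {3}" -f $flag, $sub, $_.Name, $_.Data
    }
}
# HKCU cannot be opened remotely by that name; walk the loaded user hives under HKU instead.
$users = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('Users', $ComputerName)
foreach ($sid in ($users.GetSubKeyNames() | Where-Object { $_ -match '^S-1-5-21-' -and $_ -notmatch '_Classes$' })) {
    foreach ($sub in $runKeys) {
        Get-RemoteKeyValues 'Users' "$sid\$sub" | ForEach-Object {
            $flag = if (Test-SuspiciousPath $_.Data) { '*' } else { ' ' }
            "{0} HKU\{1}\{2}\{3} = {4}" -f $flag, $sid, $sub, $_.Name, $_.Data
        }
    }
}

# 3. Running services via WMI, flagging binaries outside the trusted roots.
Write-Host "`n== Running services =="
Get-WmiObject Win32_Service -ComputerName $ComputerName -Filter "State='Running'" |
    ForEach-Object {
        $flag = if (Test-SuspiciousPath $_.PathName) { '*' } else { ' ' }
        "{0} {1,-30} {2}" -f $flag, $_.Name, $_.PathName
    }

Write-Host "`nLines marked * are worth a closer look; the rest are probably benign."
```

Only users whose profile hive is currently loaded appear under HKU, so an entry planted in a logged-off user’s Run key will not show up until that user logs on again; the installed-software list comes from the Uninstall keys and so misses anything dropped without an installer, which is exactly the case where the Run key and service checks earn their keep.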

If after investigating these areas you still suspect an infection, there are numerous free tools that you can use:

1. Sysinternals RootkitRevealer

2. GMER

3. F-Secure BlackLight

In the organization I currently work for, we had a scenario where a certain group of users did not get patched and ended up infected with the Conficker worm. Sophos has created a great tool to remove Conficker; it can be found here.

[Screenshot: Sophos Conficker removal tool scan]

The information security world is definitely a scary one and there is definitely a lot at stake. You don’t necessarily need to know everything about every virus that comes out. It is simply a matter of knowing the key parts of the system to investigate, and of using Google to research the methodology your infection uses and its impact on the system.

If you have any questions or need a little extra help, I’d be glad to lend a hand: chris (at) chrismadge.com

Posted 27 November 2009

Leading Family Safety Software is apparently selling your data

The makers of the Sentry and FamilySafe protection software have apparently been gathering data from IM chats and selling it to their “Trusted Partners” (per the EULA). Hmm… can this be considered a mild Trojan horse?!?

Hit the link for the full story.

Posted 01 October 2009