July 19, 2010 Leave a comment
Today there are, as usual, a number of active botnets, zero day exploits and purveyors of miscellaneous malware. The one that has received all the publicity is the Windows LNK file exploit which seems to be designed to attack Siemens SCADA systems. Another one that popped up on the Shadow server listserv is a new sort of malware that packed in such a way that it is not detected by any current anti-virus program – and that will mutate easily to evade the detection algorithms of most anti-virus programs.
For a network admin or similar, both of these are nasty because the proactive workarounds to protect against both are intrusive and result in significantly degraded user experience assuming you can actually apply them to all the computers under your control.
If you are in charge of a network and aren’t a ThreatSTOP subscriber then you will probably spend a lot of time trying to figure out how serious these threats are, whether your users/servers have got infected and how to stop the inevitable “call home” from the infected computers on your network to the C&C hosts of the cyber-criminals who seeded the malware. And quite possibly you will decide that there really aren’t enough hours in the day to permit any worthwhile countermeasures and drown your sorrows in drink.
We know the feeling! But at ThreatSTOP we can solve this problem, and all our subscribers have to do is check their firewall logs to see if they have infected computers. ThreatSTOP’s ThreatList is updated every two hours with the latest list of known C&C hosts (including those involved in the above attacks) and when that list is applied to your firewall they block – and log – all attempts to contact these machines by your computers. So even if you run a factory with 5001 Siemens SCADA devices you don’t need to worry about updating the security of all of them just in case because even if they do get infected they can’t talk to the originators of the exploit so your data is safe. And if an infected computer does try to “call home” the attempt is logged so you can go and fix it.