Update: Antivirus software didn't help in zero-day malware attack on power plant

When the zero-day attack known as the "Here You Have" virus not long ago hit about 500 PCs at the Salt River Project, a large public power utility and water supplier for Arizona, it turned out that the antivirus software in use provided no defense.

Researchers tout unique automated firewall fault

"It wasn't any help," says Ty Moser, network and smart grid analyst for Salt River Project. The "Here You Have" virus, arriving in mid-September as e-mail with a fake PDF, burrowed past the McAfee and Symantec antimalware software when the e-mailed victim clicked on the attachment, which appeared to be from someone known.

In fact, the security and information event management (SIEM) equipment being used since last May at Salt River Project to monitor events, troubleshoot the network and provide log management, turned out to be the best weapon available to go into hand-to-hand combat against the "Here You Have" virus.

While the antivirus software was knocked out of commission by Here You Have, the SIEM gear called QRadar from Q1 Labs was able to detect the PCs at Salt River Project that had been hit by analyzing the abnormal behavior infected PCs started to show.

That's because each infected PC was suddenly detected trying to "call home" to an unknown command-and-control system on the Internet and spreading as spam via Microsoft Outlook.  Moser says the QRadar SIEM gave IT staff a way to track down infections and manually cleaning them up, while it took about a day for McAfee and Symantec to provide the needed security updates, with McAfee slightly faster, Moser says.

But at the end of the battle to beat back Here You Have, it was evident that the antivirus software "didn't work" in blocking the zero-day attack, Moser says.

Some analysts think the Here You Have mass e-mail virus -- which is also known to have hit Comcast, Google, Coca-Cola and NASA, among others -- may have been a targeted attack to hit specific companies and federal agencies, even an attack on critical infrastructure, rather than just a more random blanket e-mail blast. Moser also shares those suspicions.  The FBI is investigating.  An anti-U.S. hacker, apparently angry about Iraq and a threat made by a pastor in the United States to burn the Koran, claims credit for unleashing Here You Have, though no arrests have yet been made.

Finding help in beating back a zero-day attack such as Here You Have wasn't the main purpose when Salt River Project last year started looking into acquiring SIEM gear. Rather, the primary goal was ensuring compliance with the Critical Infrastructure Protection (CIP) rules for utilities that are set down by the  North American Electric Reliability Corp.

One CIP rule requires retaining logs for considerable time. And in general, it's necessary to be able to send out alerts related to failed long-in attempts. As part of this regulatory requirement, "NERC sends out teams to audit -- they pick a random date and say, 'I want to see the logs,'" Moser says, noting that NERC wants to know how the power plant detects and responds to anomalies.

Salt River Project narrowed down its search related to SIEM and log-management gear to vendors that include RSA with its enVision product, Splunk, LogLogic, ArcSight and Q1 Labs. After a production-level test period, Q1 Labs was selected because it "did a good job" in holding down the number of false positives. "There's not a lot of bogus stuff," Moser says.

Today, the Q1 Labs' QRadar can take feeds from a variety of intrusion detection/prevention systems, firewalls, routers, switches, Web proxies, and Windows and AIX servers, while Salt River Project is expanding use of SIEM with monitoring application-system logs.

QRadar has been helpful in many troubleshooting scenarios, Moser says, noting "if a cluster fails over, and the primary is down, it sends an alert." But he adds takes some work to set up a SIEM like QRadar to get the most from it. "If you want to get value out of it, it's time-consuming."

Yet another "Zero-Day" attack last week

Yet another type of zero-day attack came to light last week, as Microso issued a warning about an exploit underway in the wild against older version of Internet Explorer -- with versions 6 and 7 seen as most vulnerable -- though Microsoft did not immediately provide a patch for the hole.

Symantec Director of Global Intelligence Network Dean Turner described how the new zero-day attack, which had been known for a few days prior to its public acknowledgment by Microsoft and security vendors, works.

Basically, unknown attackers had compromised one public Web site in the United States to exploit the zero-day hole in the Microsoft browser when a visitor went to the site, which then shunted the victim off to another compromised public Web site in Poland, where a malicious download was unleashed on the victim's machine to take remote-control access of it.

Turner declined to name the compromised Web sites but said Symantec, which had prepared an update in its products to guard against the zero-day, had contacted both and the malware problem was being cleaned up.

Roll your own antivirus signatures?

Given that antivirus vendors may not be in a position to instantly deliver a signature update when a zero-day attack rolls around, one security firm, HBGary, last week announced a tool called Inoculator intended to let enterprise security managers check Windows-based computers for malware, remove it and immediately prepare their own antivirus signature on the fly and install it to prevent reinfection during zero-day attacks.

Greg Hoglund, CEO of HBGary, says he decided to build the tool, which is an appliance that scans machines for malware using an agentless approach, based on the idea of the "digital antibody" because he saw several security managers using home-made tools of this kind especially to fight off zero-day attacks.

Inoculator, now in beta and expected to ship at year-end, isn't intended to wholly replace antimalware software hosted on machines. But it raises questions about how well this approach -- installing an antivirus signature on the fly -- would work alongside antimalware software that would presumably be updated and scan for similar problems.

There are basically two types of zero-day attacks -- one that researchers have discovered and usually keep quiet about until a product vulnerability is fixed, or a zero-day vulnerability uncovered by attackers and quickly exploited by them in the wild until the security community reacts.

"Is every day a zero day? I don't know. Nobody knows," Turner says. "We don't know what we don't know, and it's hard to defend against something we don't know is a problem."

Read more about wide area network in Network World's Wide Area Network section.

Join the PC World newsletter!

Error: Please check your email address.

Tags mcafeesymantecQ1 Labssecurityzero-day attackssoftwareanti-malwareSIEM

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Ellen Messmer

Network World
Show Comments

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?