Antivirus software didn't help utility with malware attack

When the zero-day attack known as the "Here You Have" virus hit about 500 PCs at the Salt River Project, a large public power utility and water supplier for Arizona, it turned out that the antivirus software in use provided no defense.

"It wasn't any help ," saiys Ty Moser, network and smart grid analyst for Salt River Project. The virus, arriving in mid-September as e-mail with a fake PDF, burrowed past the McAfee and Symantec anti-malware software when the e-mailed victim clicked on the attachment, which appeared to be from someone known.

In fact, the security and information event management (SIEM) equipment being used since last May at Salt River Project to monitor events, trouble-shoot the network and provide log management, turned out to be the best weapon available to go into hand-to-hand combat against the virus.

While the anti-virus software was knocked out of commission by "Here You Have," the SIEM gear called QRadar from Q1 Labs was able to detect the PCs at Salt River Project that had been hit by analyzing the abnormal behavior the PC started to display.

That's because each infected PC was suddenly detected trying to "call home" to an unknown command-and-control system on the Internet and spreading as spam via Microsoft Outlook. Moser said the QRadar SIEM gave IT staff a way to track down infections and go through the process manually cleaning them up, while it took about a day for McAfee and Symantec to provide the needed security updates, with McAfee slightly faster, Moser says.

Some analysts think the "Here You Have" mass e-mail virus -- which is also known to have hit Comcast, Google, Coca-Cola and NASA, among others -- may have been a targeted attack to hit specific enterprises and federal agencies, even an attack on critical infrastructure, rather than just a more random blanket e-mail blast. Moser also shares those suspicions. The FBI is investigating. An anti-U.S. hacker, apparently angry about Iraq and a threat made by a pastor in the United States to burn the Koran, claims credit for unleashing "Here You Have," though no arrests have yet been made.

Finding help in beating back a zero-day attack wasn't the main purpose when Salt River Project last year started looking into acquiring SIEM gear. Rather, the primary goal was ensuring compliance with the Critical Infrastructure Protection (CIP) rules for utilities that are set down by the North American Electric Reliability Corp.

One CIP rule requires retaining logs for considerable time. And In general, it's necessary to be able to send out alerts related to failed long-in attempts. As part of this regulatory requirement, "NERC sends out teams to audit -- they pick a random date and say, "I want to see the logs,'" Moser says, noting NERC wants to know how the power plant detect and respond to anomalies.

Salt River Project narrowed down its search related to SIEM and log-management gear to vendors that include RSA with its enVision product, Splunk, LogLogic, ArcSight and Q1 Labs. After a production-level test period, Q1 Labs was selected since it "did a good job" in holding down the number of false positives. "There's not a lot of bogus stuff," Moser says.

Today, the Q1 Labs' QRadar can take feeds from a variety of IDS/IPS, firewalls, routers, switches, Web proxies, and Windows and AIX servers, with Salt River Project is expanding use of SIEM with monitoring application-system logs.

QRadar has been helpful in many trouble-shooting scenarios, Moser says, noting "if a cluster fails over, and the primary is down, it sends an alert." But he adds takes some work to set up a SIEM like QRadar to get the most from it. "If you want to get value out of it, it's time-consuming."

Read more about security in Network World's Security section.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securityExploits / vulnerabilities

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Ellen Messmer

Network World
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?