Security alert Aug 30, 2006

Importance: High

On August 29, we received an outside alert about infection with a Trojan.

It is likely that computers throughout State's network are vulnerable to infection. We recommend that you determine if the Trojan infected any of the computers (servers, desktops, and laptops) for which you are responsible.

Affected computers exhibit the following characteristics:

Symantec Anti-virus software displays an infection alert, and on computers with the most recent anti-virus signatures, the anti-virus software removes the Trojan. However, errant infection alerts may continue to be displayed.

Infected computers attempt to contact a host, whose IP address is 163.17.24.242, via HTTPS on TCP port 443. We suspect that the contact is made to report a successful infection. The above network traffic can severely affect network throughput over WAN links.

A malicious Windows service is running, called Local Security Authority Subsystem Service (Lsass), which runs a program in c:\winnt\lsass.exe. The legitimate Lsass runs from c:\winnt\system32.

Some hosts have a malicious Rdrive or Wcsvc service. The former service runs from file c:\winnt\system32\rdriv.sys.

Inbound management connections, administrator shares (e.g., c$) and the Remote Registry Service are disabled.

Desktops are not damaged by the Trojan.

We have not established other affects of the code's payload, how it propagates, or how it infects computers. Symantec Corporation is assisting DOIT ISO assess the malicious software’s behavior. ISO has taken steps that we believe mitigate the effects of the malicious software.

Currently, it appears that State of RI has not made any connection attempts to the infected host on the Internet.

Recommendations:

Monitor logs of outbound network traffic for suspicious HTTPS sessions, especially multiple computers accessing the same external site , such as 163.17.24.242. If you notice the infection, please notify Dmitry Kuchynski (dmitry.kuchynski@doit.ri.gov) immediately.

Ensure that all computers have the most recent anti-virus signatures.

We will continue to evaluate the affects of the Trojan and the most effective procedure for remediation. ISO will distribute an update on Wednesday.

Symantec reference: http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-083012-2847-99

Please, See all DOIT InfoSec advisories at http://www.doit.ri.gov/security/advisories web site.