So this weekend I discovered a Trojan virus on my network. Sometime around
January we had opted to remove an old firewall that had reached its product
life cycle's end. We were still in the process of deciding whether to
continue with temporary firewalls or look toward more robust input/output
chain policies for a hardened, more permanent solution. In the meantime,
of course, we continued to do the upload/download thing. We had some
suspicion that there was something going on; we noted a lot of broadcast
storms, particularly in the mornings. The network had become particularly
sluggish and there seemed to be a lot of application bloat. Initially I just
attributed this to poor code maintenance resulting in a memory leak.
We did a basic netstat this weekend and discovered a traffic anomaly. So we
went to a professional and had them run a packet sniffer. We had
verification of foreign code, likely present for as long as 6-8 weeks.
It will be layer 3 in this case, but it's too early to tell whether this
code's payload will be TCP or UDP; we will be monitoring as the code
replicates. This is a pretty common virus; as a matter of fact, we have all
had it at one point, probably so long ago we don't even remember. We
anticipate the fully formed packet chain to leave NAT mode and be fully
routed out to the WAN in December.
