As with any virus running on a network, it has a pattern, whether it be
dormant on the network at times or not.
Identify the pattern and where it is trying to phone home to, and isolate
it from phoning home. Then clean sweep the machines you have control of.
The worst part of any of this is that IoT devices, i.e. IP cameras, DVRs,
temperature monitors and others, are the real threat, as they have weak
basic code that is open to the network.
Isolation will be your best bet. This will prevent DDoS attacks on one
front but doesn't stop new viruses from entering.
On 5/8/2017 10:34 PM, Steve Jones wrote:
An addendum to this: there are two primary variants to the payload. One
tends to be much more aggressive, much more roughly defined code,
not all that pretty, but ultimately very versatile and robust. The
other is normally more elegant in design, but it tends to be
viciously malicious; this is the one to be most concerned about. Its
underlying code has started wars and destroyed nations.
On Mon, May 8, 2017 at 9:49 PM, Steve Jones <thatoneguyst...@gmail.com> wrote:
So this weekend I discovered a Trojan virus on my network.
Sometime around January we had opted to remove an old firewall
that had met its product life cycle's end. We were still in the
process of deciding whether to continue with temporary firewalls
or look toward more robust input/output chain policies for a
hardened, more permanent solution. In the meantime, of course, we
continued to do the upload/download thing. We had some suspicion
that there was something going on; we noted a lot of broadcast
storms, particularly in the mornings. The network had become
particularly sluggish and there seemed to be a lot of application
bloat; initially I just attributed this to poor code maintenance
resulting in a memory leak.
We did a basic netstat this weekend and discovered a traffic
anomaly. So we went to a professional and had them run a packet
sniffer. We had verification of foreign code, likely for as long
as 6-8 weeks.
It will be layer 3 in this case, but it's too early to tell whether
this code's payload will be TCP or UDP; we will be monitoring as
the code replicates. This is a pretty common virus; as a matter of
fact we have all had it at one point, probably so long ago we don't
even remember. We anticipate the fully formed packet chain to
leave NAT mode and be fully routed out to the WAN in December.