Friday, April 19th, 2013 was not like any other Friday. My Fridays at work are usually fairly low key. It’s usually when I can get caught up and just make sure everything is in order heading into the weekend. However, at about 9 AM all hell broke loose.
It started with a user coming and talking to my fellow systems administrator saying that her network drives weren’t working. He took a look and thought it was a piece of malware. I soon got a call after that. It was at this point that we realized something, besides malware, was doing damage and we called in reinforcements. By 10 AM we’d shut down our network and shut down most of the non-vital computers. It was touch and go the rest of the day, but in the end we got the paper out the door and were a little worse for wear.
So here’s how you survive VOBFUS.
- Lots of caffeine. We put in 20 hours on Friday, 8 on Saturday and a lowly 4 on Sunday only to begin the work week on Monday. The most I’ve worked on any day and most of it was on adrenaline. A little over one week later and I’m now just starting to feel normal.
- Shut your network down. This actually may not help you now, but the iteration we had would contact its ‘mothership’ and get new variations or other pieces.
- Look for other antivirus providers and see if they have a solution. This site, VirusTotal.com, is a great resource to see what you have and who has a patch out for it. The only problem is that green does not mean they have a solution.
- Educate your users. I think this will help a bit, but in the end people who are writing viruses/worms are probably not going to be easily detected. They’ve become great at social engineering through e-mail, websites and other stuff. This worm, by the way, comes in through websites, e-mail and external devices (hard drives, flash drives, etc.).
- Lastly, to NOT catch VOBFUS, just disconnect your computer from the internet!!! It’s only going to get worse as more and more people rely on the internet for everything.
Hopefully this week I can get some more information on PyroCMS.