The Network: A financial firm headquartered in the Midwest U.S. with several hundred servers and workstations.
The Expectation: Critical data is on the servers – they bear close watching; workstations are less critical – they don’t bear close watching.
The Catch: EventTracker Intrusion Detection inspecting all north/south traffic detects the download of a Java archive in Pack200 format from a workstation. The absence of monitoring at the workstation level limits visibility.
The Find: The workstation user was a victim of a drive-by attack in which Java is used to exploit the system and execute the malware. In this case, the Java file (not inherently malicious on its own) reaches out and downloads the actual malware from a remote Dropbox account. It then silently installs the malware as a service on the system.
The Fix: Quarantine the workstation, uninstall Java and run a deep scan. For maximum safety, re-image the hard drive.
The Lesson: Workstations are often the weakest link and should be monitored. Attackers establish a beachhead on the least well-defended machine in the network and spread laterally from there.
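The network-level catch described above can be reproduced in a small detector: Pack200 archives carry a fixed magic number, so a proxy or IDS feed that exposes the first bytes of each download can flag them whether or not the server labels the content honestly. The following is an added example (not EventTracker code); the event format, host addresses and URLs are constructed placeholders.

```python
import gzip
import io

# Every Pack200 archive starts with the magic number 0xCAFED00D (big-endian).
PACK200_MAGIC = bytes.fromhex("CAFED00D")
GZIP_MAGIC = b"\x1f\x8b"
PACK200_MIME = "application/x-java-pack200"


def is_pack200(body: bytes) -> bool:
    """True if body is a Pack200 archive, raw (.pack) or gzip-wrapped (.pack.gz)."""
    if body.startswith(PACK200_MAGIC):
        return True
    if body.startswith(GZIP_MAGIC):
        try:
            with gzip.GzipFile(fileobj=io.BytesIO(body)) as gz:
                return gz.read(4) == PACK200_MAGIC
        except (OSError, EOFError):
            return False
    return False


def flag_pack200_downloads(events):
    """Return an alert for each download event carrying a Pack200 archive.
    An event is a dict: client, role, url, content_type, body (first bytes)."""
    alerts = []
    for ev in events:
        by_mime = ev["content_type"].lower() == PACK200_MIME
        by_magic = is_pack200(ev["body"])
        if by_mime or by_magic:
            # Alert for servers and workstations alike; the role is only context.
            alerts.append({"client": ev["client"], "role": ev["role"],
                           "url": ev["url"],
                           "reason": "magic" if by_magic else "mime-only"})
    return alerts


# Constructed sample events (not real traffic); hosts and URLs are placeholders.
SAMPLE_EVENTS = [
    {"client": "10.0.5.23", "role": "workstation", "content_type": "application/octet-stream",
     "url": "http://example.invalid/applet.pack.gz",
     "body": gzip.compress(PACK200_MAGIC + b"\x00" * 32)},
    {"client": "10.0.1.4", "role": "server", "content_type": "application/octet-stream",
     "url": "http://example.invalid/update.bin", "body": b"MZ\x90\x00" + b"\x00" * 32},
    {"client": "10.0.5.40", "role": "workstation", "content_type": PACK200_MIME,
     "url": "http://example.invalid/lib.jar.pack", "body": PACK200_MAGIC + b"\x00" * 32},
]

if __name__ == "__main__":
    for alert in flag_pack200_downloads(SAMPLE_EVENTS):
        print(alert)
```

A "mime-only" alert (the server claims Pack200 but the bytes do not match) is worth a second look on its own, since the label and content disagree.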