The Network: A healthcare services provider with an on-site security team. The EventTracker SIEMphonic service supplements this team.
The Expectation: Robust and up-to-date (Antivirus, Next Gen Firewall) prevention mechanisms thwart most common attacks, but since perfect protection is not practical, monitoring is also necessary.
The Catch: EventTracker analysts were able to detect a Trojan that went undetected by the customer’s A/V tool. In order to find this, EventTracker’s signature features (below) were used by the EventTracker SIEMphonic analyst while monitoring:
- New Enterprise Activity
- Unknown Process
- Unknown MDF hash
The Find: The SIEMphonic analyst observed that a new process – “iexplorer.exe” – had launched on a customer system and exited after a period of time. The analyst also found new MD5 hash activity. The hash seemed suspicious to the analyst, and upon verifying, it was confirmed that the hash was malicious in nature. This catch was categorized as a Trojan process.
The Fix: The analyst immediately notified the customer and got it neutralized by re-imaging the system, isolating it from the network and using anti-malware techniques. The find was acknowledged and confirmed by the client as well. The key highlight is that customer control mechanisms, such as A/V, could not detect this at the point of entry.
The Lesson: Trojans in any environment are a threat and can be detrimental to client business. In this particular case, though the process did not look suspicious, expert analysis by the EventTracker analyst made sure that it did not go unnoticed. Trojans are the first stage of an attack and their primary purpose is to stay hidden while downloading and installing a stronger threat, such as a bot. They are often delivered to a victim through an email message where they masquerade as an image or joke, or by a malicious website that installs the Trojan on a computer through vulnerabilities in web browser software, such as Microsoft Internet Explorer.