
SANS ISC: Trojan outbreak on a College Campus - Internet Security | DShield SANS ISC InfoSec Forums


Trojan outbreak on a College Campus

One of our readers just advised us that the college that he is associated with has had a major outbreak of  Trojan.Win32.Scar.bwgf (Kaspersky).  Michael reported:

"We are now in major clean up mode.  All the file servers have been removed from the network to prevent further spread.

Basically the virus hides all the files in a directory and the directory itself.  It then adds a file of 74K with the same name as the file with a .exe.  So a user wishing to open
their word document would actually be infecting themselves with the virus."

Michael asked if we had received any other reports of infection from this Trojan.  A quick look on Google suggests that some variation of this has been around for a while.
It looks like his campus may be dealing with an updated version.

If anyone else is seeing any activity for this Trojan give us a shout.  Thanks Michael for reporting this to us.

 

Deb Hale Long Lines, LLC

Deborah

278 Posts
ISC Handler
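The behaviour Michael describes (original file or directory hidden, a same-named `<name>.exe` dropped beside it) leaves a pattern that can be checked for on a file server before the share goes back online. The following is an added example, not code from the diary or from the reporting college; the 74 KB size hint comes from Michael's report, while the size tolerance, the `Entry` record and the directory walk are assumptions of this example.

```python
import os
import stat
from dataclasses import dataclass

@dataclass
class Entry:
    path: str      # full path of the file or directory
    hidden: bool   # Windows hidden attribute (dotfile convention elsewhere)
    is_dir: bool
    size: int      # bytes

def is_hidden(path: str) -> bool:
    """Hidden attribute on Windows; dotfile convention on other platforms."""
    attrs = getattr(os.lstat(path), "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    return os.path.basename(path).startswith(".")

def walk_entries(root: str) -> list:
    """Collect every file and directory under root with hidden flag and size."""
    out = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            out.append(Entry(p, is_hidden(p), stat.S_ISDIR(st.st_mode), st.st_size))
    return out

def find_lures(entries, size_hint=74 * 1024, tolerance=8 * 1024):
    """Flag every visible X.exe whose neighbour X (file or directory) is hidden.
    Returns (lure_path, original_path, size_matches); size_matches is True when
    the .exe is within `tolerance` bytes of the 74 KB Michael reported (the
    tolerance is an assumption, not something the report states)."""
    by_path = {e.path: e for e in entries}
    hits = []
    for e in entries:
        if e.is_dir or e.hidden or not e.path.lower().endswith(".exe"):
            continue
        original = by_path.get(e.path[:-4])   # strip ".exe" to get the lured name
        if original is not None and original.hidden:
            hits.append((e.path, original.path, abs(e.size - size_hint) <= tolerance))
    return hits

if __name__ == "__main__":
    # Scan the current tree; on a Windows file server point this at the share root.
    for lure, orig, size_ok in find_lures(walk_entries(".")):
        print(f"{lure} shadows hidden {orig} (size matches report: {size_ok})")
```

A hit whose size does not match the report is still worth a look, since Dean's comment above notes that variants were expected to be an issue.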
Believe Xavier and Exeter Universities had major network outages due to malicious software outbreaks in Jan of this year. Assume this isn't one of those given the malware appears to be more recent. Any links to a story, malware details, etc.?
Dean

135 Posts
What would be interesting to know is what protective measures were in place, to have a sense of where it could have been lacking.
Anonymous
With respect to "it appears that some variation of this has been around for a while" and (the lack of) "protective measures": have a look at http://www.kaspersky.com/viruswatchlite?search_virus=scar and try to manually find the "bwgf" variant.

Lost race?
Erik van Straten

122 Posts
Agree w/ you nyt. Story isn't much good w/o more info. Bitwiper, found the variant listed among the many pages of bwgf, but with no additional info. Am I missing something obvious?
Dean

135 Posts
It appears it was detected early and is under control, though variants could be an issue (as highlighted above).
Removing the file servers early prevented its spread via shared directories.

Infection vector was likely either web-based, USB-drive, or laptop (mail gateway would have killed it). Current AV vendor (not Kaspersky) didn't detect it on either server or client. Cleanup involved new server AV product, finding & purging infected files, and un-hiding the original directories before restoring file servers. Still waiting on workstation AV vendor to provide update for full protection.

Key lessons would be:
- rethink lowest bidder AV (and this is considered an "enterprise" product)
- different vendors on server & client is a good thing
- viruses that can rename/hide/damage files can be bad even if the server is protected
Dean
1 Posts
@dsh: the "many pages" are exactly my point (look at the date and time of each new malware variant).

There is a constant flood of new variants of probably functionally the same malware, released with the sole intention to bypass AV-detection.

Although the time spent by AV-companies to collect, analyze and create a detection pattern for malware may be impressive, statistically some of their customers will get "hit" by fresh malware before their AV detects it.

As a consequence AV detection pattern files keep growing in size rapidly, as do AV memory usage and CPU load on your PC, used for the pattern matching process when scanning files, slowing down our PCs. When will we reach the point (presuming we haven't yet) that AV is too much of a burden compared to the chance of saving our day?

My apologies for not immediately clarifying my point.
Erik van Straten

122 Posts
