Fighting a 0-Day Ursnif.h PDF Virus

What brought a local manufacturer to its knees for a week? A PDF.

On a Thursday afternoon, one of the users at the manufacturing company received an email from the parent company’s server with a PDF attachment that appeared to be a bill. This email made it through the firewall and appeared to be legitimate because the entire parent company was whitelisted in the firewall.

However, when the user opened the PDF, it set forth quite a chain of events.

The Infection

When the user opened the PDF attachment, it began to unpack a virus known as ‘ursnif.h.’ This was a zero-day attack and, while variations of this virus were known by antivirus companies, this ‘H’ version was not. Our client’s antivirus missed it, and it slipped right through the firewall and began to wreak havoc.

The virus immediately began searching mapped drives on the user’s computer for PDF files and creating copies of itself as filename.pdf.exe. Then, the next person who opened the infected PDF would copy it to his or her computer and the process would repeat. The PDFs were rendered unusable. We called our client’s antivirus vendor, who gave us a tool in order to remove the virus, but it couldn’t find the virus. We were at a loss.
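The propagation pattern described above, a copy of the malware written next to every document it finds as `filename.pdf.exe`, leaves a simple artifact that a defender can sweep file shares for while waiting on a vendor signature. The script below is an added example and is not the tool the antivirus vendor supplied or any code from the original post; it walks a directory tree, flags files whose name carries a document extension followed by an executable extension, and also flags files that keep a document name but start with the `MZ` header of a Windows executable. The sample share it builds under a temporary directory is constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Hypothetical extension lists for the demo; extend them to match your environment.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_SUFFIXES = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def is_double_extension(path: Path) -> bool:
    """True for names like invoice.pdf.exe: a document suffix hidden under an executable one."""
    suffixes = [s.lower() for s in path.suffixes]
    if len(suffixes) < 2:
        return False
    return suffixes[-1] in EXECUTABLE_SUFFIXES and suffixes[-2] in DOCUMENT_SUFFIXES


def has_pe_header(path: Path) -> bool:
    """Windows executables start with the two-byte 'MZ' DOS stub, whatever the file is named."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def scan_share(root) -> dict:
    """Walk a share and return suspicious files, grouped by the indicator that matched."""
    root = Path(root)
    findings = {"double_extension": [], "pe_in_document_name": []}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = str(path.relative_to(root)).replace(os.sep, "/")
            if is_double_extension(path):
                findings["double_extension"].append(rel)
            elif path.suffix.lower() in DOCUMENT_SUFFIXES and has_pe_header(path):
                # Document name, executable content: masquerading rather than a double extension.
                findings["pe_in_document_name"].append(rel)
    return findings


def build_sample_share() -> str:
    """Create a constructed share layout in a temp directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="share_demo_"))
    finance = root / "Finance"
    finance.mkdir()
    # Legitimate PDF: starts with the %PDF magic and has a single extension.
    (finance / "invoice.pdf").write_bytes(b"%PDF-1.4\n% constructed placeholder content\n")
    # The pattern from the incident: a copy dropped beside the document as filename.pdf.exe.
    (finance / "invoice.pdf.exe").write_bytes(b"MZ" + b"\x00" * 62)
    # Same trick with another document type and a screensaver extension.
    (finance / "report.docx.scr").write_bytes(b"MZ" + b"\x00" * 62)
    # Executable content hiding behind a plain document name.
    (finance / "disguised.pdf").write_bytes(b"MZ" + b"\x00" * 62)
    # Harmless text file that must not be flagged.
    (finance / "notes.txt").write_bytes(b"meeting notes, constructed sample\n")
    return str(root)


if __name__ == "__main__":
    sample_root = build_sample_share()
    for indicator, paths in scan_share(sample_root).items():
        for rel_path in paths:
            print(f"{indicator}: {rel_path}")
```

Run it against a mapped drive or a server share (after the share has been taken offline for cleanup) to get an inventory of files to quarantine; the `MZ` check catches renamed executables that a pure name-based sweep would miss, and the legitimate `invoice.pdf`, which begins with `%PDF`, is left alone.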

It took another full day to receive a tool to identify the virus. The next day, we received an anti-virus signature that would quarantine the infected files, although this did not help remove the already-infected files. Finally, on the third day, we got the virus removal tool we needed.

Mitigation

During those three days, we removed every infected workstation from the network. All of the drive mappings and file shares were disabled in order to prevent the virus from spreading further. Nobody at the company had access to their mission-critical files. In fact, many didn’t even bother coming to work since everything was essentially dead in the water.

After we received the operational tool, the workstations were cleaned and the infected files were removed, and we put the computers back on the network. All of the infected server shares had to be restored, and a total of three full servers were restored.

Thankfully, the company had Datto Backup in place. The maximum amount of lost data added up to merely an hour. Through all of this, the company didn’t conduct any business from Thursday to Thursday – an entire week. Although we recovered all their data and eliminated the virus, a full week’s worth of business was lost.

During this week, we recreated rules and group policy objects, as well as implemented a policy that prevented users from using any external drives. We removed the whitelist rule immediately following the outbreak. From there, we installed ScanMail on the Exchange server and it quickly reported an estimated 50 percent of their emails as spam, viruses, and other questionable data.

We also finished implementing OpenDNS, which filters all DNS requests to the internet and determines which are malicious or harmful to the network, and it helped slow down the propagation of the virus. This virus was communicating with malicious websites after the replication, and OpenDNS stopped this communication while identifying the servers and websites where the communication was coming from.

A Stronger Defense Going Forward

The attitude that “it won’t happen to us” can result in a massive shutdown with expensive downtime. So, how can you prevent an occurrence like this?

First of all, make sure your firewall has tight security rules. Secondly, avoid blanket rules that allow all mail from certain servers to be received, especially when the majority of your mail comes from one server, as in this scenario. Set up an intrusion prevention system to make sure that the firewall blocks malicious content. Often, a third-party protective program is useful in assisting the firewall.

Layers Aren’t Just for Cold Weather

The important part of network security is having a layered approach. Implement AV filtering at both the firewall and the backend. Have email scanning, IPS, and DNS filtering, with redundancy in each layer. Additionally, make sure you have proper, verified backups. This company lost almost no data because they had a good backup system.

Finally, end user education is very important. While it is not certain that this user could have caught this particular virus, it is extremely important to have “human firewalls” as end users. Your users must be able to look at links and determine whether they’re going where they say they’re going and whether they’re communicating as expected. End users must be mindful of the types of files they are expecting – bills, PDFs, etc. – and should not just open every attachment they receive. Your end users are another layer in any good protection strategy, so keep them educated on best practices and on verifying sources. And, teach them that when in doubt, a five-minute call to IT to verify the validity of a questionable file can prevent a whole lot of lost productivity and heartache.

Do you have enough security layers for your business to prevent something like this from happening to you? If not, email us or give us a call: 502-240-0404!