Another Vector for Malware Spread

Those who study epidemics talk about the spread of disease through what they call “vectors”. Some diseases spread through food, some through water, some through human contact, and so on. In the computer world, viruses and malware spread through vectors too. Most are rather familiar: downloading things you shouldn’t, e-mail attachments, and so forth. Most IT types would think of only three vectors, but I want to introduce you to the fourth one.

So, what is the Fourth Vector? Basically, it is malware spread through a trusted medium such as software. What, people actually do that? Of course they do. A lot of browsers will track your Internet activities, and no, they don’t report it to some super-secret government agency. It’s much worse than that. This information is reported to advertisers who in turn target your web browser to show advertisements that might interest you. Of course that’s something most of us don’t even give a second thought.

This vector of malware spread can also come from other trusted sources. And so the question becomes, what are you doing to defend yourself? Before we try to answer that question, let me tell you a story.

Once upon a time, there was a simply brilliant, handsome (and above all, modest) system administrator who worked for a major company. The company was run by a very nice boss who made sure his company ran very informally, and everyone was happy. Then one day something dark and sinister happened. The users in the company called it “The Weirdness”.

Users experiencing The Weirdness would suddenly become unable to log on. Printers they could reach an hour ago became inaccessible. Email would stop flowing. And yet, some of the users were still happy, because they could reach what they needed. The Weirdness had passed them by. And then The Weirdness would leave as suddenly as it had come, and everyone would be happy again.

But sometimes, minutes, or hours, or even days later, The Weirdness would come back, and then vanish as suddenly as it had come, leaving our handsome sysadmin very perplexed. He spent days trying to figure out The Weirdness. But there was no figuring it out until one day . . .

A user complained she couldn’t reach a network printer. The sysadmin sat down at her workstation and typed “IPConfig /all”. As the numbers appeared on the screen, his eyes went wide with amazement. He saw The Weirdness with his own eyes. “That’s not our internal addressing scheme,” he stammered. “And that certainly isn’t our DNS server!”

Someplace, somewhere, The Weirdness had entered disguised as a Windows Domain Controller. Knowing there were many developers who dabbled in the black arts of virtualization, the sysadmin began asking just who was being stupid out of season and exposing the company to security risks. He glared at the developers, watching them cringe under his steel-like gaze. But The Weirdness was not to be found with them. Searching further, he finally found the keeper of The Weirdness. It was the Wizards of Promotion, the marketing team.

“What is this?” he asked as he stared at the offending user’s screen.

“Oh that? It’s a VM the main office sent us so we can look at some marketing software they want us to use,” their leader proclaimed grandly.

“It’s also the source of The Weirdness,” he said. He opened a few more windows. “This is a domain controller!” He turned it off. “I’m sorry; they installed the software on a VM that’s also a Windows Domain Controller. Worse, it’s also a DNS server and has been handing out leases, and that’s what’s been causing us so much trouble. You can’t use it,” he said.

“But they want us to test the software.”

Our sysadmin thought for a second, got on the ESXi server, and set up a virtual network that had no connection to the outside world, and then moved the offending VM to it. He called this virtual network “Vegas” because what happens in Vegas, stays in Vegas. He then limited access to the location to just the marketing team, and when finished told them:

“In the future, if they ever send you another VM, make sure you let us look at it first.” He then wrote a blistering e-mail to the corporate office concerning the incident.

And everyone lived happily ever after.

Virtualization makes it possible to build a setup where we can test new software before we ever introduce it into our environment, so we know exactly what it is doing internally. In particular, watch the incoming and outgoing traffic. There might be a lot of information to sift through, but you can filter the traffic and start sorting things out. If the machine you set up is trying to reach external IP addresses, you need to ask why.
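As an added example (not part of the original post), here is the kind of sorting the paragraph describes, run over constructed flow records as you might summarize them from a capture on the isolated “Vegas” network. It assumes the test VM sits at 10.20.0.50 and flags two things the story turned on: the VM answering on infrastructure server ports (DHCP, DNS, domain controller services) and the VM reaching addresses outside the private ranges.

```python
import ipaddress
from collections import namedtuple

# Constructed flow records from the isolated test network (sample data, not real traffic):
# src address, src port, dst address, dst port, protocol.
Flow = namedtuple("Flow", "src sport dst dport proto")

SAMPLE_FLOWS = [
    Flow("10.20.0.50", 67, "255.255.255.255", 68, "udp"),  # VM handing out DHCP leases
    Flow("10.20.0.50", 53, "10.20.0.17", 51123, "udp"),    # VM answering DNS queries
    Flow("10.20.0.50", 49211, "203.0.113.9", 443, "tcp"),  # VM calling out to the Internet
    Flow("10.20.0.17", 52000, "10.20.0.50", 445, "tcp"),   # ordinary LAN file-share access
]

# Server ports a "just look at this software" VM has no business answering on.
SERVICE_PORTS = {
    67: "DHCP server",
    53: "DNS server",
    88: "Kerberos (domain controller)",
    389: "LDAP (domain controller)",
}

# Explicit RFC 1918 plus loopback, link-local, multicast and broadcast ranges.
# Listed by hand rather than via ipaddress.is_private, which also treats the
# documentation ranges (such as 203.0.113.0/24) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]


def is_external(ip):
    """True when ip falls outside every internal range above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def review_flows(vm_ip, flows):
    """Return (flow, reason) findings for traffic originating from the test VM."""
    findings = []
    for f in flows:
        if f.src != vm_ip:
            continue  # only the VM's own behaviour is under review
        if f.sport in SERVICE_PORTS:
            findings.append((f, "VM is acting as a " + SERVICE_PORTS[f.sport]))
        elif is_external(f.dst):
            findings.append((f, "VM is reaching external address %s:%d" % (f.dst, f.dport)))
    return findings


if __name__ == "__main__":
    for flow, reason in review_flows("10.20.0.50", SAMPLE_FLOWS):
        print(reason, "-", flow)
```

On the sample data this reports the DHCP and DNS server roles and the outbound HTTPS connection, and stays quiet about the normal inbound file-share access.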

Bottom line: just because you paid for it, or it was sent to you by someone you suppose to be trustworthy, doesn’t mean it’s good to go. Sometimes the Fourth Vector should be the scariest one of all.


Richard is a freelance IT consultant, a blogger, and a teacher for Saisoft where he teaches VMware Administration, Citrix XenApp, Disaster Planning and Recovery for IT, and CompTIA Server+.