IT ServiceLink, 12 March 2010
Kaspersky Case Study

Case Study – Issued 12th June 2009

Reactive Fast-track rollout of Kaspersky Antivirus


Overview

This document provides a general summary of the process IT ServiceLink followed, and the subsequent findings, during a major virus outbreak at a client's site in June 2009.


Our client, an SME in the printing industry, is a fast-paced company that is heavily reliant on its IT infrastructure for sales, marketing, production and office management. They have 25 desktop computers and a Windows Small Business Server, operated across two sites. Their primary antivirus protection was Sophos on the server and workstations, and Sophos PureMessage spam and virus filtering on their Exchange Server.


The Situation

We were initially advised by the client that they had started to receive a large number of email bounce-back messages, indicating that their email server, or another email component on their site, had been sending spam.

Our diagnostics discovered that the Administrator password for the domain had been changed, and that the overall security integrity of their server and site had been compromised.

The attackers had subsequently installed a mass email system on the server, allowing it to be used as part of a spam botnet, sending thousands of spam messages every hour.

We immediately started defensive measures to discover the nature of the compromise, and minimise the risk to the client.
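The bounce-back flood described above is a symptom a defender can watch for in mail logs before the client reports it. The following Python script is an added example and is not part of the IT ServiceLink case study: it parses a constructed, simplified mail log format (the field layout is an assumption, not that of Exchange or any real MTA), counts outbound messages and returned non-delivery reports per hour, and flags any hour that exceeds a volume threshold, which is the pattern a relay-abusing bot produces. The sample log lines, thresholds and domain names are all constructed.

```python
"""Flag hourly outbound-mail spikes and NDR floods in a simplified mail log.

Added example, not code from the IT ServiceLink case study. The log format is
an assumption made for this example:
    "<ISO-8601 timestamp> <OUT|IN> from=<addr> to=<addr> status=<250|bounce>"
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Captures the hour bucket (date + hour) so counts can be aggregated per hour.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2} "
    r"(?P<dir>OUT|IN) from=(?P<frm>\S+) to=(?P<to>\S+) status=(?P<status>\S+)$"
)


def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (hour_bucket, direction, sender, status), or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("dir"), m.group("frm"), m.group("status")


def hourly_counts(lines: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Per hour: outbound messages, inbound bounces (NDRs) and distinct local senders.

    A bot relaying through the server typically shows a sharp rise in outbound
    volume from many previously unseen local addresses, followed by a wave of
    NDRs from the recipients' servers.
    """
    buckets = defaultdict(lambda: {"out": 0, "bounce": 0, "senders": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not match the assumed format
        hour, direction, sender, status = parsed
        bucket = buckets[hour]
        if direction == "OUT":
            bucket["out"] += 1
            bucket["senders"].add(sender)
        elif direction == "IN" and status == "bounce":
            bucket["bounce"] += 1
    return {
        h: {"out": b["out"], "bounce": b["bounce"], "senders": len(b["senders"])}
        for h, b in buckets.items()
    }


def flag_hours(lines: Iterable[str], out_threshold: int = 200,
               bounce_threshold: int = 50) -> List[Tuple[str, int, int, int]]:
    """Return (hour, outbound, bounces, senders) for hours breaching either threshold.

    Thresholds are constructed for this example; tune them to the site's normal
    traffic, since a 25-seat office sends far less than a marketing bulk-mailer.
    """
    flagged = []
    for hour, c in sorted(hourly_counts(lines).items()):
        if c["out"] > out_threshold or c["bounce"] > bounce_threshold:
            flagged.append((hour, c["out"], c["bounce"], c["senders"]))
    return flagged


def build_sample_log() -> List[str]:
    """Constructed sample: a normal business morning, then a relay burst at 14:00."""
    lines = []
    for hour in ("09", "10", "11"):
        for i in range(8):
            lines.append(f"2009-06-10T{hour}:{i:02d}:00 OUT from=sales@example.co.uk "
                         f"to=cust{i}@example.net status=250")
        lines.append(f"2009-06-10T{hour}:30:00 IN from=cust1@example.net "
                     f"to=sales@example.co.uk status=250")
    # Burst: 600 messages from 40 never-before-seen local addresses, then 150 NDRs.
    for i in range(600):
        lines.append(f"2009-06-10T14:{i % 60:02d}:{i // 60:02d} OUT from=u{i % 40}@example.co.uk "
                     f"to=x{i}@invalid.example status=250")
    for i in range(150):
        lines.append(f"2009-06-10T14:{i % 60:02d}:30 IN from=MAILER-DAEMON@invalid.example "
                     f"to=u{i % 40}@example.co.uk status=bounce")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for hour, out, bounces, senders in flag_hours(build_sample_log()):
        print(f"{hour}: outbound={out} bounces={bounces} distinct_senders={senders}")
```

Run against the constructed sample, only the 14:00 hour is reported; the morning hours stay under both thresholds. In practice the same aggregation can be fed from the MTA's message-tracking log, with the parser swapped for the real field layout.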

The Solution

We initially spent time removing the intruders' access to the server, including recovering and securing the administrator account. Having restored control over the server, we updated the existing antivirus database, which then allowed us to run a deep scan of the server and workstations. Sophos did not find anything on the server or workstations. The scan took several hours to run and left us no closer to finding the point of entry for the compromise. At this stage, our next step was to sanity-check the scan by running a second scan with an alternative product, Kaspersky.

Using Kaspersky's free online scanner we ran a second deep scan over the server. Within a few minutes Kaspersky highlighted a number of potential risks. A specific Trojan that allowed remote access to the server was discovered: Backdoor.SdBot was highlighted as the likely means of compromise. The scan also found several other Trojans within files and emails on the server that Sophos had not detected.

Using established methods we removed the Trojans to stop any further access, although we had already closed the compromised back doors to the server by changing the access points, such as VPN, Remote Desktop, user accounts, SMTP and TCP/IP ports. We also searched for any changes that may have been made to the server, specifically to email and Exchange. At this point we had dramatically reduced the outgoing spam and stopped access to the server via the Trojan.

Having restored some stability, the next step was to evaluate the current security and quickly plan a solution to reduce the risk of any further attacks and mitigate the impact to the business. Kaspersky had discovered problems where Sophos had clearly missed them. A change of antivirus solution was a high priority and needed implementing quickly and efficiently. The initial compromise had already created a serious risk, and the business operation had suffered financially as a consequence. IT ServiceLink applied the necessary licence keys for Kaspersky Antivirus to the desktops, server and email scanning.

Using the Kaspersky Administration Kit, which had been installed on the server, we deployed tasks to uninstall the existing antivirus software and roll out the new Kaspersky solution to all desktops and the server. This was a relatively speedy process: within 90 minutes of starting the deployment, all desktops and the server had up-to-date antivirus definitions and software from Kaspersky installed and running.

The Kaspersky software kicked off a scan in order to identify any immediate threats. The next task was to ensure all desktops and the server ran a deep scan to discover any remaining risks. The scans discovered many further infections and cleaned them all successfully. This process was managed centrally via the Administration Kit on the server. Finally, we were satisfied that all threats had been removed and the client's IT environment was secure.

Our next procedure was to ensure that our customer was protected from any future exposure to this kind of malicious attack. We deployed the Kaspersky Hosted Security Service, a proactive solution which scans and monitors all email traffic before it reaches the client site and the Exchange mail server. This alone considerably reduces the risk of infection as well as minimising the amount of spam received by the mail server. It gives the client an additional advantage by removing the resource requirement and load on the server that the PureMessage software needed to scan the email traffic.

Conclusion

We have dramatically reduced the potential risks and expense to our client's business. However, this has been obtained at a cost:

- £1400: the cost of engineering time to evaluate and discover the problem, fix the compromise and implement a new antivirus solution to clean the environment of any potential threats.

- The cost to our client in lost productivity has, however, been significantly more, due to the IT systems being compromised. The cost of having 25 staff unable to perform their business functions for 2 days has run into thousands of pounds.

- Potential loss of digital reputation, such as appearing on email blacklists. This is hard to quantify, but undoubtedly there will be considerable financial consequences, both in lost revenue and in any expense required to rebuild a damaged reputation.

In essence, all of this stemmed from something quite simple. Unforeseen expense, exposure to risk and loss of income are unwanted outcomes for any business, particularly in the current economic climate. An efficient antivirus solution is not the only way to prevent these issues. However, as part of a good best-practice security model, Kaspersky Antivirus is essential to minimise the risks.


© Copyright 2009 IT ServiceLink LTD. A Microsoft Certified Partner and Microsoft Small Business Specialist.