Update: Antivirus software didn't help in zero-day malware attack on power plant

Zero-day attacks can overwhelm security and information event management equipment

When the zero-day attack known as the "Here You Have" virus not long ago hit about 500 PCs at the Salt River Project, a large public power utility and water supplier for Arizona, it turned out that the antivirus software in use provided no defense.

Researchers tout unique automated firewall fault

"It wasn't any help," says Ty Moser, network and smart grid analyst for Salt River Project. The "Here You Have" virus, arriving in mid-September as e-mail with a fake PDF, burrowed past the McAfee and Symantec antimalware software when the e-mailed victim clicked on the attachment, which appeared to be from someone known. 

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

When the zero-day attack known as the "Here You Have" virus not long ago hit about 500 PCs at the Salt River Project, a large public power utility and water supplier for Arizona, it turned out that the antivirus software in use provided no defense.

Researchers tout unique automated firewall fault

"It wasn't any help," says Ty Moser, network and smart grid analyst for Salt River Project. The "Here You Have" virus, arriving in mid-September as e-mail with a fake PDF, burrowed past the McAfee and Symantec antimalware software when the e-mailed victim clicked on the attachment, which appeared to be from someone known. 

In fact, the security and information event management (SIEM) equipment being used since last May at Salt River Project to monitor events, troubleshoot the network and provide log management, turned out to be the best weapon available to go into hand-to-hand combat against the "Here You Have" virus.

While the antivirus software was knocked out of commission by Here You Have, the SIEM gear called QRadar from Q1 Labs was able to detect the PCs at Salt River Project that had been hit by analyzing the abnormal behavior infected PCs started to show.

That's because each infected PC was suddenly detected trying to "call home" to an unknown command-and-control system on the Internet and spreading as spam via Microsoft Outlook.  Moser says the QRadar SIEM gave IT staff a way to track down infections and manually cleaning them up, while it took about a day for McAfee and Symantec to provide the needed security updates, with McAfee slightly faster, Moser says.

But at the end of the battle to beat back Here You Have, it was evident that the antivirus software "didn't work" in blocking the zero-day attack, Moser says.

Some analysts think the Here You Have mass e-mail virus -- which is also known to have hit Comcast, Google, Coca-Cola and NASA, among others -- may have been a targeted attack to hit specific companies and federal agencies, even an attack on critical infrastructure, rather than just a more random blanket e-mail blast. Moser also shares those suspicions.  The FBI is investigating.  An anti-U.S. hacker, apparently angry about Iraq and a threat made by a pastor in the United States to burn the Koran, claims credit for unleashing Here You Have, though no arrests have yet been made.

Finding help in beating back a zero-day attack such as Here You Have wasn't the main purpose when Salt River Project last year started looking into acquiring SIEM gear. Rather, the primary goal was ensuring compliance with the Critical Infrastructure Protection (CIP) rules for utilities that are set down by the  North American Electric Reliability Corp. 

One CIP rule requires retaining logs for considerable time. And in general, it's necessary to be able to send out alerts related to failed long-in attempts. As part of this regulatory requirement, "NERC sends out teams to audit -- they pick a random date and say, 'I want to see the logs,'" Moser says, noting that NERC wants to know how the power plant detects and responds to anomalies.