An FYI for anyone/everyone tracking the malware which compromised one of the world's most widely used systems management software packages, SolarWinds.
What is Solarwinds:
A very popular, easy-to-use application used to manage both very small and very large networks of computers.
Scope of compromise:
Everywhere the SolarWinds Orion software is installed, both on servers and desktops. Not OS-specific, although more popular in the MS Windows world. Deployed widely on US Federal government computers at all levels, purportedly including highly secure systems used for all levels of secrecy.
The Russians are accused of compromising SolarWinds somewhere (currently undetermined) and were able to insert code which was then compiled into DLLs downloaded to MS Windows machines, exfiltrating valuable data in streams disguised as normal application traffic.
Although there is apparently no authorized method for removing the malware (I've published a solution that should work), affected SolarWinds machines are extremely ubiquitous in many large networks, and records of where it has been installed may not exist.
Solution to identifying vulnerable SolarWinds machines:
Linux to the Rescue!
On the following page published by FireEye, I recognize two extremely popular IDS/anti-malware apps, Snort and ClamAV. FireEye (the security research team which identified the compromise) has written rules for each. I don't write ClamAV scripts, so I can't evaluate what is being detected/tested; could this be valuable to JCDole's ClamAV script project?
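For anyone who, like the poster, wants to see what a ClamAV body-based signature actually matches before dropping it into a scan, here is an added example (not from the post above, not FireEye's rules, and not ClamAV's own code) that parses the common subset of ClamAV's `.ndb` signature format and evaluates it against a byte string. The signature names, hex patterns and sample bytes are all constructed for the demo; nothing here is a real SUNBURST indicator.

```python
"""Tiny evaluator for ClamAV body-based (.ndb) signatures.

.ndb line format (see ClamAV's 'Creating signatures' documentation):
    MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]
Supported subset: fixed hex bytes, '??' (one wildcard byte), '*' (any gap),
'{n}', '{n-m}', '{n-}', '{-m}' (bounded gaps), and an Offset of either '*'
(anywhere) or an absolute decimal byte offset. Logical (.ldb) signatures,
'(aa|bb)' alternatives and EP/EOF-relative offsets are NOT handled.
All signatures and data below are constructed for the demo, not real rules.
"""
import re
from dataclasses import dataclass


def hexsig_to_regex(hexsig: str) -> re.Pattern:
    """Translate a ClamAV hex signature into an equivalent bytes regex."""
    pattern = b""
    i = 0
    while i < len(hexsig):
        if hexsig.startswith("??", i):          # any single byte
            pattern += b"."
            i += 2
        elif hexsig[i] == "*":                  # any number of bytes
            pattern += b".*?"
            i += 1
        elif hexsig[i] == "{":                  # {n}, {n-m}, {n-}, {-m}
            j = hexsig.index("}", i)
            lo, dash, hi = hexsig[i + 1:j].partition("-")
            quant = f"{{{lo}}}" if not dash else f"{{{lo or '0'},{hi}}}"
            pattern += b"." + quant.encode()
            i = j + 1
        elif re.fullmatch(r"[0-9a-fA-F]{2}", hexsig[i:i + 2]):
            pattern += re.escape(bytes([int(hexsig[i:i + 2], 16)]))
            i += 2
        else:
            raise ValueError(f"unsupported token at {i} in {hexsig!r}")
    return re.compile(pattern, re.DOTALL)


@dataclass
class NdbSignature:
    name: str
    target_type: int   # 0 = any file, 1 = PE, ... (file-type check not done here)
    offset: str        # '*' or an absolute offset as decimal text
    hexsig: str

    def __post_init__(self):
        self.regex = hexsig_to_regex(self.hexsig)


def parse_ndb(text: str) -> list[NdbSignature]:
    """Parse .ndb lines; blank lines and '#' comments are skipped."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"malformed .ndb line: {line!r}")
        name, target, offset, hexsig = fields[:4]
        if offset != "*" and not offset.isdigit():
            raise NotImplementedError(f"{name}: offset {offset!r} not supported")
        sigs.append(NdbSignature(name, int(target), offset, hexsig))
    return sigs


def scan(data: bytes, sigs: list[NdbSignature]) -> list[tuple[str, int]]:
    """Return (signature name, match offset) for every signature that fires on data."""
    hits = []
    for sig in sigs:
        if sig.offset == "*":
            m = sig.regex.search(data)
        else:
            m = sig.regex.match(data, int(sig.offset))   # anchored at that offset
        if m:
            hits.append((sig.name, m.start()))
    return hits


# Constructed demo signatures (hypothetical names, not FireEye's rules).
SAMPLE_NDB = """\
# marker string anywhere / 'MZ' stub at offset 0 / bounded gap / open gap / a miss
Example.Test.Marker-1:0:*:4142434445
Example.Test.DosStub-2:0:0:4d5a????0300
Example.Test.Gap-3:0:*:4d5a{28-32}4142
Example.Test.Star-4:0:*:4d5a*5041594c4f4144
Example.Test.Miss-5:0:*:5041594c4f4144??ff
"""

# Constructed sample buffer: a fake 'MZ' header, padding, 'ABCDE' at offset 32, 'PAYLOAD' at 40.
SAMPLE_DATA = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00" + b"\x00" * 20
               + b"ABCDE" + b"\x00" * 3 + b"PAYLOAD")


def demo() -> list[tuple[str, int]]:
    return scan(SAMPLE_DATA, parse_ndb(SAMPLE_NDB))


if __name__ == "__main__":
    for name, off in demo():
        print(f"{name} matched at offset {off}")
```

Running it shows four of the five constructed signatures firing and `Miss-5` staying silent, because it requires a byte after `PAYLOAD` that the buffer does not have. To check a real rule, paste its `.ndb` line into `SAMPLE_NDB` and feed `scan()` the bytes of a file; anything outside the supported subset raises rather than silently matching nothing, which is the failure mode you want when vetting detection content.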