One of the behaviors of the Trojan was to collect password hashes from compromised Windows computers. If you haven't already gotten the memo, it is an extremely bad idea to give your users administrative rights.
Malware that is not running with administrative rights cannot read the Windows password cache, which almost always contains admin credentials. Simply restricting permissions would be enough to stunt the spread of an attack like this. Additionally, the behavior of this malware is quite easy for HIPS or behavioral anti-virus to detect and block. With the multitude of techniques the bad guys are using, analyzing the behavior of applications is critical.
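As an added illustration of the behavioral detection argued for above (this is example code, not part of the original post and not something the article's author or Symantec shipped): the credential-cache access the Trojan performs shows up on endpoints as a process opening the LSASS process with read access. The script below parses a handful of constructed Sysmon Event ID 10 (ProcessAccess) records and flags any non-allowlisted process that obtains `PROCESS_VM_READ` on `lsass.exe`. The field names (`SourceImage`, `TargetImage`, `GrantedAccess`) are real Sysmon fields; the allowlist of legitimate readers, the flattened `key=value` line format and the sample records themselves are assumptions made for this example and would need tuning against your own baseline.

```python
import re

# Constructed sample records (NOT real telemetry): Sysmon Event ID 10
# flattened to one key=value line each, the way a log forwarder might emit them.
SAMPLE_EVENTS = [
    r"EventID=10 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF",
    r"EventID=10 SourceImage=C:\Users\alice\AppData\Local\Temp\update.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010",
    r"EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000",
    r"EventID=10 SourceImage=C:\Program Files\Tool\tool.exe TargetImage=C:\Windows\System32\notepad.exe GrantedAccess=0x1410",
    r"EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe",
]

# Windows process access right that lets a caller read another process's memory.
PROCESS_VM_READ = 0x0010

# Assumed allowlist of system processes that legitimately open LSASS with read
# access on a typical Windows build. Illustrative only; build yours from a baseline.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

# key=value pairs; values may contain spaces (e.g. "Program Files"), so the value
# is matched lazily up to the next " key=" or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict:
    """Turn one flattened Sysmon line into a dict of field -> value."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def is_credential_access(event: dict) -> bool:
    """True when a non-allowlisted process obtains read access to lsass.exe."""
    if event.get("EventID") != "10":
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    # GrantedAccess is a hex bitmask of the rights the handle was opened with.
    granted = int(event.get("GrantedAccess", "0"), 16)
    if not granted & PROCESS_VM_READ:
        return False
    source = event.get("SourceImage", "").lower()
    return source not in ALLOWED_SOURCES


def scan(lines) -> list:
    """Return the parsed events that match the credential-access rule."""
    return [event for event in map(parse_event, lines) if is_credential_access(event)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"ALERT: {hit['SourceImage']} read LSASS memory (GrantedAccess={hit['GrantedAccess']})")
```

In the sample data only the `update.exe` dropped into a user's Temp folder trips the rule: `csrss.exe` is allowlisted, `svchost.exe` only queried limited information (no `PROCESS_VM_READ` bit), and the remaining records are not LSASS access at all. The point of the example is the shape of the check, not the specific mask values; a production rule would also carry the user context, so that a hit running as an unprivileged user (which on a correctly configured host should fail at the handle-open stage) stands out from one running as an administrator.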
The command and control for this Trojan was located on a virtual hosted server in the United States. Symantec's investigation shows that the person who owns this instance, Covert Grove, is based in the Hebei region of China. In too many high-profile organizations, IT security and their users have an adversarial relationship. Additionally, IT often does not use the full capabilities of the tools it purchases, out of fear of false positives. Blocking suspicious attachments, using proactive detection technologies and educating users could all stop this type of attack from succeeding. If you weren't one of the victims, this is a great lesson on what you should be doing to protect against the next attack.