Find out how Donovan Colbert used his TF300 Transformer tablet/convertible to safely manage a virus in his Windows shop.
Many IT professionals have recently become acquainted with the W32.Changeup virus. It joins Win32.Funlove and W32.Klez as some of the most memorable viruses I've had the displeasure of dealing with in the last decade. However, I did manage to come away from this experience with a key benefit of allowing BYOD hardware in your corporate environment.
W32.Changeup is a very rapidly spreading virus that attacks Windows user shares: it sets the hidden attribute on every folder at the root of the share and drops an executable beside each one that carries the same name and a folder icon. Because Windows Explorer hides the real folders and, by default, also hides known file extensions, the decoy is all the user sees. When a user double-clicks the executable that's disguised as a folder, the virus infects their machine and does the same thing to any USB drives or mapped shares attached to it.
Even though we're a Windows shop, I generally keep at least one Linux box running somewhere. After a recent reorg and office move, my trusty old Linux box disappeared, and I hadn't gotten around to rebuilding a new one. Fortunately, I quickly realized I had a better solution available.
I tagged along with a desktop support agent as he responded to an infected client's machine. At that point, the team had been running a scan from an external USB drive to clean the virus. When we inserted a USB drive with the cleaning executable on it, the virus instantly infected the thumb drive.
Up until this point, we didn't have a contained copy of the virus. I quickly grabbed the thumb drive, took it back down to our lab, and built isolated machines to test and document the behavior of the virus. The issue dragged on, and we struggled to contain the virus. Eventually, we worked with our AV vendor, sending them a copy of the virus to determine why their DAT files weren't detecting it -- and as suspected, our infection was an unknown variant. Supplied with samples of our virus, they were quickly able to develop a new DAT file that detected and cleaned it, which was the tipping point for containing the outbreak.
My TF300 Transformer was instrumental in my ability to safely manage the virus from a non-Windows platform. I was able to insert the USB drive into the Transformer, copy the executables to the device, and, with the aid of AndroZip File Manager, create an archive of the infected files for safely sending the samples via FTP to our AV vendor.
As an additional bonus, in ASTRO File Manager / Browser, the popular Android file explorer that can mount SMB (Samba) shares, the technique of hiding the real folders while creating executables with the same name was quickly exposed as well. Viewing the share showed the hidden folders by default, and the disguised folders did not display Windows folder icons -- they appeared as the executables they were. During the virus response, my Windows laptop was disconnected from the corporate network the entire time, but I attached my Android convertible to the network without fear throughout the event.
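The same exposure can be scripted. The following is an added example, not code from the original post or from any of the tools it names: run from a Linux or Android host against a mounted share or USB stick, it looks for the exact pattern described above (a directory with a same-named executable beside it) and checks whether that file really starts with the `MZ` stub of a Windows executable. It assumes the share is already mounted at a local path and does not try to read the hidden attribute, which a CIFS mount on Linux does not expose through `os.stat()`; the extra extensions beyond `.exe` are an assumption, not something the post reports about Changeup.

```python
"""Flag Changeup-style "folder" executables on a share from a non-Windows host.

Added example; not code from the original post. It looks for the pattern the
post describes: a real directory sitting next to a file with the same name plus
an executable extension, and checks whether that file really is a Windows PE.
Assumption: the share (or USB stick) is already mounted at a local path.
"""
import os
import sys
import tempfile

# Assumption: the post only mentions .exe; the others are added because
# Windows runs them too and other droppers use them.
EXEC_SUFFIXES = (".exe", ".scr", ".com", ".pif")


def is_pe(path):
    """True if the file starts with the 'MZ' DOS stub every Windows executable carries."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def find_disguised_folders(root):
    """Return sorted (directory, decoy_path, decoy_is_pe) triples found under root.

    Matching is case-insensitive because the share is a Windows file system:
    'HR' and 'hr.EXE' are the same name to Explorer.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        lowered = {name.lower(): name for name in filenames}
        for directory in dirnames:
            for suffix in EXEC_SUFFIXES:
                decoy = lowered.get((directory + suffix).lower())
                if decoy is not None:
                    decoy_path = os.path.join(dirpath, decoy)
                    hits.append((os.path.join(dirpath, directory), decoy_path, is_pe(decoy_path)))
    return sorted(hits)


def disguised_names(root):
    """Just the folder names that have a decoy beside them, for quick reporting."""
    return [os.path.basename(directory) for directory, _, _ in find_disguised_folders(root)]


def build_sample_share():
    """Create a constructed (fake) infected share layout in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="share-")
    for folder in ("Accounting", "HR", "Public"):
        os.mkdir(os.path.join(root, folder))
    # Constructed decoys: a real dropper is a full PE file; the two-byte stub is
    # enough for is_pe(). Note the case mismatch on the second one.
    for decoy in ("Accounting.exe", "hr.EXE"):
        with open(os.path.join(root, decoy), "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62)
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("an ordinary file, not flagged\n")
    return root


if __name__ == "__main__":
    # Usage: python3 changeup_check.py /mnt/fileshare   (no argument: scan the constructed sample)
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_share()
    for directory, decoy_path, pe in find_disguised_folders(target):
        print(f"{directory}  ->  {decoy_path}  [{'PE' if pe else 'not a PE'}]")
```

Treat a hit as triage, not a verdict: a legitimate `setup` folder next to `setup.exe` matches the same pattern, which is why the `MZ` check and a look at the file size and timestamps belong in the report. And the reason a non-Windows host is safe here is only that it cannot execute the PE; it is still a carrier, so anything copied off it onto a Windows box revives the problem, which is why the samples above went out as an archive over FTP rather than on the thumb drive.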
Now granted, this isn't anything that you couldn't do on a Linux or Mac box, but for many Windows-only shops, especially SMBs or consultants, there aren't many less expensive yet versatile ways to approach enterprise security tasks on a Windows network with virtually no risk to your device. I think this enterprise use for Android devices hasn't received enough consideration.
Of course, this isn't the only situation where a non-Windows machine is useful. Users frequently forward me email that's clearly spam and contains attachments or links. I always do my due diligence, check the headers, and verify that the envelope carries spoofed information, but it's helpful to look a little deeper and find out what the attachment is and where any links lead.
There are various methods for getting spam email and attachments onto your Android device, but frequently I simply connect with mobile Chrome to Outlook Web Access. From there, I can examine the email and follow links or open attachments with higher confidence than I could on my Windows machines. Executive staff are concerned about false positives, so this lets me confirm, without a doubt, that a message is malicious, and then I can craft a more detailed alert email to our users describing the attack and its goals. I'm also able to safely determine IP addresses or ranges that should be blocked at the firewall and in Exchange, plus send detailed abuse reports to the ISPs where compromised servers reside.
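The header and link checks described in the last two paragraphs can be done on the saved message itself, which avoids following anything at all. The script below is an added example, not code from the original post: it compares the envelope sender (Return-Path) and the connecting host in the topmost Received header against the displayed From address, and lists where each link in the HTML body really points versus the text it shows. The message it parses is constructed for the example; every address, host and IP in it is made up (documentation ranges), as are the header values.

```python
"""Triage a forwarded phishing message without opening it on a Windows host.

Added example; not code from the original post. It automates the two checks the
post describes doing by hand: envelope sender versus displayed From, and real
link target versus displayed link text. SAMPLE_EML is constructed for the
example; all addresses, hosts and IPs in it are made up.
"""
import email
import json
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a "payroll" lure whose envelope and link target do not match what is shown.
SAMPLE_EML = """\
Return-Path: <bounce-8812@mail.example-bulk.test>
Received: from mail.example-bulk.test ([203.0.113.45]) by mx.example.com with ESMTP; Tue, 21 Aug 2012 09:14:02 -0500
From: "Payroll Dept" <payroll@example.com>
To: staff@example.com
Subject: Action required: updated direct deposit form
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review the attached form or visit
<a href="http://198.51.100.7/~upd/login.php">https://hr.example.com/payroll</a>.</p>
</body></html>
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address):
    """Lower-cased domain part of an address header value."""
    return parseaddr(str(address))[1].rpartition("@")[2].lower()


def connecting_ip(msg):
    """IP of the host that handed the message to our MX: the topmost Received header."""
    received = msg.get_all("Received") or []
    match = IP_RE.search(str(received[0])) if received else None
    return match.group(1) if match else None


def link_report(msg):
    """For each link: real host, displayed text, and whether the text is a URL on another host."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = LinkCollector()
    collector.feed(body.get_content())
    report = []
    for href, text in collector.links:
        real_host = (urlparse(href).hostname or "").lower()
        shown_host = urlparse(text).hostname if "://" in text else None
        report.append({"href": href, "text": text, "host": real_host,
                       "deceptive": shown_host is not None and shown_host.lower() != real_host})
    return report


def triage(raw=SAMPLE_EML):
    """Parse a raw message and return the header and link findings as a dict."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = domain_of(msg.get("From", ""))
    return_path_domain = domain_of(msg.get("Return-Path", ""))
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "sender_mismatch": from_domain != return_path_domain,
        "connecting_ip": connecting_ip(msg),
        "links": link_report(msg),
    }


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

Two caveats when reading the output. A Return-Path domain that differs from the From domain is normal for legitimate bulk mailers and mailing lists, so `sender_mismatch` is a signal to weigh with the rest, not proof by itself. And the IP worth blocking at the firewall is the one in the topmost Received header, the peer that actually connected to your MX; lower Received lines are written by the sender's own relays and can say anything.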
A full-featured Android tablet can be an indispensable part of an IT pro's toolbox, once you start thinking outside of the box and realize it can do more than serve up Facebook and Angry Birds apps. Are you using your mobile device in any creative ways to achieve enterprise goals in your shop? Share your experiences in the discussion thread below.