A few months ago I was attending a conference in Orlando. It was cold by Orlando standards, and the locals, mindful of their dependence on tourism during a recession, were apologetic - that is, especially hospitable. It was a productive meeting and I had a bounty of business cards and URLs to check out. An hour before leaving the hotel for the meeting's second day, I connected to the hotel network and browsed a few sites. One of the sites, an engaging blog, featured a lively set of comments with a blog post, so I absentmindedly clicked through the comments. I paused to answer a knock at the door, and returned to find that a bit of malware had begun to take over my Windows notebook.
This preamble explains the Windows-centric character of this blog post. The principles would be similar for non-Windows platforms, but the particulars would vary.
After the panic
Instinctively, I jerked the patch cable out (a minor plus for wired connections). Then, as the malware's symptoms began to appear, I soon wished for access to the search engine I had just made inaccessible. Why? Because planning the mitigation tactic for the specific piece of malware, indeed properly identifying the specific attack, had probably already been done and posted in courteous detail -- somewhere.
The moments when malware is rifling through your process table are not conducive to lucid contemplation, but that's the precise moment you must don your First Responder hat. Taking the right steps early on in the infection can save hours of later remediation. These steps may be routine for full time malware warriors, but network security is only one duty among many for the typical SMB network administrator.
What advice is offered by security software providers? The security software vendors call a certain category of software "endpoint protection." Some even recognize the business opportunity: for instance, Foundstone's contact page is appropriately titled "911 Emergency." They also offer a complement of free tools. A Windows anti-malware toolkit might also include utilities such as Sysinternals' PsTools Suite, freely available from Microsoft Technet (though as author Mark Russinovich notes, these may trigger antivirus warnings because they are tools also employed by some viruses). Sysinternals Handle and Process Explorer can also be helpful.
It was several long minutes before I remembered that I could use my HTC Touch 2 browser to look up the infection and plan a counterattack. I found the specific malware and, after wasting more time on several unhelpful Web pages, found a well-documented and recognizable set of tactics involving the venerable duo of SuperAntiSpyware, and MalwareBytes along with a fresh installation of the corporate antivirus package.
On the way to the day's conference session after having successfully removed the malware, I reminded myself that it wouldn't have been as easy with a zero-day attack. If several workstations or a server or two had been attacked at work, a more systematic approach would be needed. A trained First Responder team, fully briefed on how to remove the infection, would be needed, along with a more complex risk analysis. I realized that the wireless phone network, separate from our enterprise, was an important asset. The key instructions and perhaps even key binaries could be broadcast, e.g., by SMS or mobile Skype.
A FEMA-style First Responder tabletop exercise may be in order once the conference is over.
Seven tips for desktop malware first responders#1Understand the risks
Obey the First Responder's Hippocratic Oath: Do no harm. In other words, don't make things worse. Assess whether the malware needs to be removed immediately, or a better approach is to shut down the machine and pursue remediation in a controlled environment. Consider what data is at risk of being compromised vs. the current need for the device.#2 Carry a Web-enabled smart phone
Pay for that data plan. Get reasonably proficient with a favorite mobile browser. Store bookmarks. Most phones support flash cards where additional remediation software can be stored.#3 Carry a big (16GB USB) stick
At a minimum, consider carrying a hefty USB drive containing favorite anti-malware utilities, if not a fully bootable OS with security tools on it, such as Slax.#4 Check for broader attack
Determine whether the attack is an ordinary bit of malware visiting your unlucky laptop, or a feint: a sequence of attacks designed to exploit the usual remediation steps rather than succeed with the initial infection.#5 Disaster recovery walkthrough
Even if you're fortunate enough to avoid a data loss on this occasion, it's still worth exploring the disaster recovery options that might be been taken. They may need updating.#6 Update bookmarks
The sobering experience may turn up some useful online security Web content. Update your phone's bookmarks.#7 AAR and documentation
In the military, it's called "After Action Review," or AAR. After the malware has been removed and damage corrected, assess which tools were needed and make them more convenient to access. Document what happened. Ensure that your CEO doesn't encounter the same nuisance just before she heads out to testify before a Congressional subcommittee.
Mark Underwood ("knowlengr") works for a small, agile R&D firm. He thinly spreads interests (network manageability, AI, BI, psychoacoustics, poetry, cognition, software quality, literary fiction, transparency) and activations (www.knowlengr.com) from a large island near NYC.