Six stages of malware response: Streamline your approach

Dominic Vogel is a rookie security guy making his way in a corporate setting. Here, he offers his streamlined approach to malware response, and the important things you can learn from this routine support call.

I'd be lying if I claimed that being a rookie IT security guy was all glamour and non-stop thrill-seeking. While it may not be as exciting as lion taming (or chartered accountancy for that matter) it certainly does have its fair share of interesting moments. One of the more fascinating times for me involves responding to infected corporate computers. While many senior security pros may feel that cleaning infected computers is trivial, it actually provides an excellent opportunity for rookies to learn about corporate security posture, risk profiles, log analysis, and threat intelligence dossiers.

When responding to potential malware incidents, I suggest using the following items: pencil, notebook, USB stick (more on this later), CD (just in case the USB drives have been rendered inoperable by the malware), and some spare change. This may resemble MacGyver's personal toolkit for fighting malware, but every item serves a purpose.

Malware response can be broken into the following stages:

#1 Assess the threat severity. Try not to complicate things by thinking too critically at this early juncture. Focus on infection signs and removal/cleanup complexity by following a simple scale such as:
  • Low: obvious infection symptoms but relatively easy to clean up (like most FakeAV)
  • Medium: obvious infection symptoms but may require extra effort and multiple programs to remove all virus/malware traces
  • High: no symptoms but actively stealing data unbeknownst to the company (the most dangerous forms of malware have no visible symptoms; evasive threats such as these pose very serious challenges to IT security and by extension merit their own set of articles)

#2 Analyze logs from the company antivirus system and look for correlations. Did the computer in question have previous infections that went unresolved? Is this computer frequently infected? These questions help determine the risk profile of the user. Perhaps additional security awareness training is needed? Analyzing logs from other corporate security systems such as email filters, web usage reports, and network intrusion detection systems can help determine where the infection occurred, what was infected, what vulnerabilities were exploited, why the security defences "failed," and what could be done to prevent it from occurring in the future (some of these answers may not be apparent until after steps three and four are completed).

#3 Ask your colleague for further information: what website was he/she browsing, did they open an email attachment, what time did they notice the first infection symptoms (this need not degenerate into a full-blown interrogation). People tend to be more forthcoming with information when you don't outright accuse them from the get-go.

Record all the answers using the pencil and notepad. After extracting as much pertinent information as possible, give the spare change (should be around 2 bucks) to your colleague and instruct them to grab something from the vending machine for themselves while you continue your investigation. Not only does this improve intra-business relations, it buys you extra time, as they will be debating whether to get the Snickers bar or the can of Fanta.

#4 Clean the infected computer. Using your USB toolkit, begin the cleanup and removal phase. My USB/CD response toolkit includes:
  • USB Dummy Protect: prevents any malware from being written to the USB stick, thus preventing the virus from propagating further
  • Super Anti-Spyware: the go-to product for malware/virus detection and removal; excellent at removing FakeAV
  • Malware Bytes AntiMalware: another favourite cleanup and removal tool
  • SysInternals: tools such as ProcMon and Rootkit Revealer are useful for isolating those pesky strains that cannot be removed easily
  • EXEFIX_XP: for fixing damaged executable files and shortcuts; this tool is often used whenever FakeAV programs are involved
  • Sophos Rootkit Revealer: if Super Anti-Spyware comes up empty, chances are a rootkit is keeping the malicious payload hidden; this free tool from Sophos is handy in removing all sorts of rootkits
  • aswMBR: rootkit scanner from Avast that scans for TDL4/3, MBRoot (Sinowal), Whistler, and other nasty rootkits
  • Kaspersky Rescue CD: for times when the infection is impossible to remove using traditional malware removal utilities. Booting from the rescue CD prevents malware programs from gaining control of the OS, so they can consequently be removed.
#5 Record all findings such as virus/malware strains, vulnerabilities exploited, potential risk, and threat vector(s). Most malware removal tools will list or at least display the strain/type of each virus found. Additional information can be acquired by browsing threat information databases such as the Microsoft Malware Protection Center or McAfee Threat Intelligence. All the major antivirus players have similar threat research pages, and they make great references. Be sure to answer all the questions posed in the analysis stage.

#6 Adjust corporate security systems and policies to address any deficiencies or shortcomings that may have led to the initial infection. This is a delicate balance to strike, as we do not want to overreact to every reported virus infection. Employing basic risk management will stem any knee-jerk reactions. If you are a rookie on the team, your part is to provide this information to those who make those decisions.
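The stage-2 correlation over antivirus logs, together with the per-host record of strains that stage 5 asks for, worked as an added example that is not part of the original article. The console export format, its column names, the host and user names, and the idea that "Failed" and "Detected" actions mean a detection was never cleaned are all constructed assumptions, not the behaviour of any particular product.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample export from a corporate antivirus console (not real data).
# Columns: detected_at, host, user, threat, action
SAMPLE_AV_LOG = """detected_at,host,user,threat,action
2012-03-01T09:12:00,WS-ACCT-07,jsmith,FakeAV.Gen,Cleaned
2012-03-09T14:30:00,WS-ACCT-07,jsmith,Trojan.Downloader.X,Failed
2012-03-20T08:05:00,WS-ACCT-07,jsmith,FakeAV.Gen,Quarantined
2012-03-21T11:40:00,WS-HR-02,mlee,Adware.Toolbar,Cleaned
2012-03-22T16:55:00,WS-ACCT-07,jsmith,Rootkit.TDL4,Detected
"""

# Assumed action labels meaning the engine saw the threat but never removed it.
UNRESOLVED = {"Failed", "Detected"}

def parse_av_log(text):
    """Parse the CSV export into a list of event dicts (one per detection)."""
    return list(csv.DictReader(StringIO(text)))

def build_risk_profiles(events, repeat_threshold=3):
    """Group detections by host and answer the stage-2 questions: how often
    the host was hit, what was never cleaned, and which strains recur."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    profiles = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["detected_at"])  # ISO timestamps sort as text
        strain_counts = defaultdict(int)
        for ev in evs:
            strain_counts[ev["threat"]] += 1
        profiles[host] = {
            "user": evs[-1]["user"],
            "infections": len(evs),
            # Detections in time order that were never cleaned: stage-5 findings
            "unresolved": [e["threat"] for e in evs if e["action"] in UNRESOLVED],
            "repeat_strains": sorted(s for s, n in strain_counts.items() if n > 1),
            "frequently_infected": len(evs) >= repeat_threshold,
        }
    return profiles

def hosts_needing_followup(profiles):
    """Hosts that are frequently infected or carry uncleaned detections: the
    ones whose users may need awareness training (stage 6)."""
    return sorted(h for h, p in profiles.items()
                  if p["frequently_infected"] or p["unresolved"])
```

Feed a real console export in place of SAMPLE_AV_LOG and hosts_needing_followup() returns the machines whose history is worth pulling before you walk over to the desk.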

Dealing with an infected computer in a corporate setting should no longer be treated as a trivial task. As security rookies, when an infected computer passes onto your desk, it is your duty to not only clean and remove all traces of infection but to use the collected information as future threat intelligence to better protect company assets.

About

Dominic Vogel is currently a security analyst for a financial institution in beautiful Vancouver, British Columbia.

13 comments
AnsuGisalas

First of all; why bother trying the easy fixes first? Why not immediately escalate to USB-delivered OS boot? Use a bootdisk with a different OS basis than the infected machine for an additional layer of protection. Then run the hardest, most effective scanner(s). If that doesn't give outstanding results; go straight to lifting off and disinfecting recent user data, then nuke and reimage the drive. No reason to try and save time with a move that can take 10 minutes and might achieve nothing, when you can do a move that takes 15 minutes and guarantees certainty.

Dastover07

I think if I gave my users some quarters and sent them off to the vending machine, they would feel like I was doing an investigation behind their back. Users almost always feel very defensive when they have an infection. I try to reassure them, as often times it's not really their fault. Then we talk while I'm cleaning their machine, where I can inject some good user security tips in natural conversation. Finally, I would recommend a tool called ComboFix as a last resort when all else fails. It does a very deep clean and, from what I hear, it's a bit dangerous. I've only had to resort to it three times, but it did the job each time I used it. Just be cautious and do a backup first!

rberning

In a Win XP environment with over 250 PCs ... yes, a large portion of enterprise is still hanging on to XP; in our case we have a lot of in-house software that needs to be brought forward. In most cases I found infections have been done by browsing an infected page. 90% of the infections were simple exe drops with a run line in the reg. If you kill the active process you gain a foothold to finish cleanup. I used Sysinternals. If you are familiar with processes, use PsList to remotely list processes and find the culprit and PsKill to kill it. Then use remote registry to kill the run line. Map a drive to the offending computer and run local AV against the Documents and Settings folder to kill the exe file. After a while you just know where to look, and it's faster to manually delete. I also use a batch file that cleans all temp spaces including IExplorer files on logon to kill any initial files that may have been propagated. In most cases I was done in about 5 minutes. I have rooted out rootkits and such, especially in remote offices where imaging is out of the question, but I agree with Charles and simply collect personal data if any (most of our data was kept server side), reload an image and put it back on the domain, done within 20 to 25 minutes with about 5 minutes of personal time involved. On rarer occasions I would have to run exe fix, but that can be done through PsExec and the person can continue working while you finish up behind the scenes. Just tell them to stay off the browser in the meantime and don't go back to the site it happened on.

TechRep87x

The tools for removing malware that you've mentioned are just what I need. Just started a new job and it requires me to take care of the PCs here at the company. A rookie in computer security too.

Charles Bundy

Because one should never spend too much time on a lost cause

Charles Bundy

Along with a clean, "bullet-proofed" laptop loaded with tools.

Charles Bundy

By killing the network port if in a managed environment or physically pulling the plug from the NIC.

aureolin

There are viruses and Fake AV's that put your important files (i.e. My Documents and the desktop icons and settings) into the Temp files. Whacking these without being careful of what you're doing will just make things worse.

reviewsgirl

What you are suggesting is completely impossible. The other day in my IT job I had 26 computers that got infected with both the "open cloud virus" and data recovery virus, and it was because they were all in a shared network. When all these computers are integrated it can lead to total disaster. I had to go research and find the Best Antivirus and install it on all those computers to make sure this would not happen again. Maybe what you suggest works for other people, but I know it would not work in my network.

philhoff

The first time I ran into the malware that moved my customer's menus and icons to temp, I had already cleaned them out. Now, I always check the menus and desktops first. In addition, this same malware sets the hidden attribute on all personal files and some Windows directories/files. Look before you leap!

AnsuGisalas

I know normal policy is not to respond to spammers, but I don't want to see social engineering attacks succeed if I can help it, mkay?

AnsuGisalas

It would have to be pretty lame malware if it was rendered harmless by a registry rollback. Can you afford to assume that'll do it?

rberning

"most of our data was kept server side" To clarify: our My Docs are routed to a server, so no user or company data is in the local My Docs. As far as desktop icons and settings, I have a standard, and users are told to back personal items up to their My Docs on the server if they want them restored. I also use a registry backup tool on all our PCs that does a daily BU, so recovery is as simple as restoring the reg to the day before infection. Of course, in other cases, if there is data locally, always do a backup or copy of it. For personal clients the first thing I do is back up any data on their HD, then clean and repair. That is simply good business.