Dominic Vogel is a rookie security guy making his way in a corporate setting. Here, he offers his streamlined approach to malware response, and the important things you can learn from this routine support call.
I'd be lying if I claimed that being a rookie IT security guy was all glamour and non-stop thrill-seeking. While it may not be as exciting as lion taming (or chartered accountancy for that matter) it certainly does have its fair share of interesting moments. One of the more fascinating times for me involves responding to infected corporate computers. While many senior security pros may feel that cleaning infected computers is trivial, it actually provides an excellent opportunity for rookies to learn about corporate security posture, risk profiles, log analysis, and threat intelligence dossiers.
When responding to potential malware incidents, I suggest using the following items: pencil, notebook, USB stick (more on this later), CD (just in case the USB drives have been rendered inoperable by the malware), and some spare change. This may resemble MacGyver's personal toolkit for fighting malware, but every item serves a purpose.
Malware response can be broken into the following stages:#1 Assess the threat severity. Try not to complicate things by thinking too critically at this early juncture. Focus on infection signs and removal/cleanup complexity by following a simple scale such as:
- Low: obvious infection symptoms but relatively easy to cleanup (like most FakeAV)
- Medium: obvious infection symptoms but may require extra effort and multiple programs to remove all virus/malware traces
- High : no symptoms but is actively stealing data unbeknownst to the company (the most dangerous forms of malware have no visible symptoms; evasive threats such as these pose very serious challenges to IT security and by extension merit their own set of articles)
Record all the answers using the pencil and notepad. After extracting as much pertinent information as possible give the spare change (should be around 2 bucks) to your colleague and instruct them to grab something from the vending machine for themselves while you continue your investigation. Not only does this improve intra-business relations, it bides you extra time as they will be debating whether or not to get the Snickers bar or the can of Fanta.#4 Clean the infected computer. Using your USB toolkit begin the cleanup and removal phase. My USB/CD response toolkit includes:
- USB Dummy Protect Prevents any malware from being written to the USB stick thus preventing the virus from propagating further
- Super Anti-Spyware The go-to product for malware/virus detection and removal; excellent at removing FakeAV
- Malware Bytes AntiMalware Another favourite cleanup and removal tool
- SysInternals Tools such as ProcMon and Rootkit Revealer are useful for isolating those pesky strains that cannot be removed easily
- EXEFIX_XP For fixing damaged executable files and shortcuts; this tool is often used whenever FakeAV programs are involved
- Sophos Rootkit Revealer If Super Anti-Spyware comes up empty, chances are a rootkit is keeping the malicious payload hidden; this free tool from Sophos is handy in removing all sorts of rootkits
- aswMBR Rootkit scanner from Avast that scans for TDL4/3, MBRoot (Sinowal), Whistler, and other nasty rootkits
- Kaspersky Rescue CD For times when the infection is impossible to remove using traditional malware removal utilities. Booting from the rescue CD prevents malware programs from gaining control of the OS and consequently can be removed.
Dealing with an infected computer in a corporate setting should no longer be treated as a trivial task. As security rookies, when an infected computer passes onto your desk, it is your duty to not only clean and remove all traces of infection but to use the collected information as future threat intelligence to better protect company assets.