Six stages of malware response: Streamline your approach

I'd be lying if I claimed that being a rookie IT security guy was all glamour and non-stop thrill-seeking. While it may not be as exciting as lion taming (or chartered accountancy for that matter) it certainly does have its fair share of interesting moments. One of the more fascinating times for me involves responding to infected corporate computers. While many senior security pros may feel that cleaning infected computers is trivial, it actually provides an excellent opportunity for rookies to learn about corporate security posture, risk profiles, log analysis, and threat intelligence dossiers.

When responding to potential malware incidents, I suggest using the following items: pencil, notebook, USB stick (more on this later), CD (just in case the USB drives have been rendered inoperable by the malware), and some spare change. This may resemble MacGyver's personal toolkit for fighting malware, but every item serves a purpose.

Malware response can be broken into the following stages:

#1 Assess the threat severity. Try not to complicate things by thinking too critically at this early juncture. Focus on infection signs and removal/cleanup complexity by following a simple scale such as:

• Low: obvious infection symptoms but relatively easy to cleanup (like most FakeAV)
• Medium: obvious infection symptoms but may require extra effort and multiple programs to remove all virus/malware traces
• High : no symptoms but is actively stealing data unbeknownst to the company (the most dangerous forms of malware have no visible symptoms; evasive threats such as these pose very serious challenges to IT security and by extension merit their own set of articles)

#2 Analyze logs from the company antivirus system and look for correlations. Did the computer in question have previous infections that went unresolved? Is this computer frequently infected? These questions can help determine the risk profile of the user. Perhaps additional security awareness training is needed? Analyzing logs from various corporate security systems such as email filters, web usage reports, and network intrusion detection systems can be useful in determining where the infection occurred, what was infected, what vulnerabilities were exploited, why did the security defences "fail," and what could be done to prevent it from occurring in the future (some of these answers may not be apparent until after steps three and four are completed). #3 Ask your colleague for further information: What website was he/she browsing, did they open an email attachment, what time did they notice the first infection symptoms (this need not degenerate into a full-blown interrogation). People tend to be more forthcoming with information when you don't outright accuse them from the get-go.

Record all the answers using the pencil and notepad. After extracting as much pertinent information as possible give the spare change (should be around 2 bucks) to your colleague and instruct them to grab something from the vending machine for themselves while you continue your investigation. Not only does this improve intra-business relations, it bides you extra time as they will be debating whether or not to get the Snickers bar or the can of Fanta.

#4 Clean the infected computer. Using your USB toolkit begin the cleanup and removal phase. My USB/CD response toolkit includes:

• USB Dummy Protect Prevents any malware from being written to the USB stick thus preventing the virus from propagating further
• Super Anti-Spyware The go-to product for malware/virus detection and removal; excellent at removing FakeAV
• Malware Bytes AntiMalware Another favourite cleanup and removal tool
• SysInternals Tools such as ProcMon and Rootkit Revealer are useful for isolating those pesky strains that cannot be removed easily
• EXEFIX_XP For fixing damaged executable files and shortcuts; this tool is often used whenever FakeAV programs are involved
• Sophos Rootkit Revealer If Super Anti-Spyware comes up empty, chances are a rootkit is keeping the malicious payload hidden; this free tool from Sophos is handy in removing all sorts of rootkits
• aswMBR Rootkit scanner from Avast that scans for TDL4/3, MBRoot (Sinowal), Whistler, and other nasty rootkits
• Kaspersky Rescue CD For times when the infection is impossible to remove using traditional malware removal utilities. Booting from the rescue CD prevents malware programs from gaining control of the OS and consequently can be removed.

#5 Record all findings such as virus/malware strains, vulnerabilities exploited, potential risk, and threat vector(s). Most malware removal tools will list or at least display the strain/type of each virus found. Additional information can be acquired by browsing through threat information databases such as Microsoft Malware Protection Center or McAfee Threat Intelligence. All the major antivirus players have similar threat research pages and make great references. Ensure to answer all questions posed from the analysis stage. #6 Adjust corporate security systems and policies to address any deficiencies or shortcomings that may have lead to the initial infection. This is a delicate balance to strike as we do not want to overreact to every reported virus infection. Employing basic risk management will stem any knee-jerk reactions. If you are a rookie on the team, you would only be able to provide such information to those that would make those decisions.

Dealing with an infected computer in a corporate setting should no longer be treated as a trivial task. As security rookies, when an infected computer passes onto your desk, it is your duty to not only clean and remove all traces of infection but to use the collected information as future threat intelligence to better protect company assets.