The following post was written by Alfonso Barreiro for TechRepublic. With the rising number of malware infections in organizations, we thought the article was very informative and wanted to share it.
When malware is suspected don’t jump the gun on diagnosis and countermeasures. Follow these best practice guidelines to ensure an appropriate and measured response.
Perhaps the most common security incident in any organization is the discovery of malware on its systems. But just because it is a common occurrence doesn’t mean it should be taken lightly or acted upon rashly. Let’s take a look at some of the steps you can take when dealing with a malware outbreak and some tools that can help you along the way.
Although it may seem straightforward, determining that a particular incident is due to malware can sometimes be tricky. The initial reports may come from different sources: a user could contact the help desk reporting trouble with their system; unusual traffic patterns could be detected in the firewall or internet access logs; or a specific system might not report back on the status of its anti-malware software. Besides malware, each one of those cases could be explained by hardware failures or software misconfigurations, so each case should be investigated accordingly. Here are some checks and tools that can help in an investigation:
• Check the status of the installed anti-malware solution. If there is no protection installed or its definitions are out of date, even the most basic malware can enter the system. If, however, the anti-malware software is malfunctioning in other ways (resident services won’t start, or its update process or scans fail constantly), you could be dealing with a more advanced piece of malware.
• Check for suspicious or unknown processes running on the system. For Windows systems, Sysinternals Process Explorer is a very powerful task manager that can show processes that try to mask themselves as ordinary system processes.
• To determine the source of suspicious network connections, the netstat utility and Sysinternals’ Process Monitor are an excellent combination to help track down malware that is attempting to “call home” or attempting to spread.
• Another tool from Sysinternals, RootkitRevealer, is very useful in detecting rootkits or malware that uses advanced techniques in order to mask its presence on a system.
• If you find a suspicious file and wish to determine whether or not it might be malware, VirusTotal is the site for you. You can upload a file (or submit a URL) to be checked against multiple anti-malware engines; the results from each engine will be presented along with any comments from its user community.
• Also, most anti-malware vendors provide ways to check suspicious files or submit malware samples or malicious files that are not detected by their products or their current definitions. You can also check their malware “encyclopedias” to help identify a particular piece of malware, its symptoms and evidence of its presence on a system.
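The first three checks above (anti-malware status, masquerading process names, and who owns each outbound connection) can be scripted for a quick first-pass triage. The following is an added example, not part of the original article; it assumes a Windows host with Microsoft Defender as the installed anti-malware product, Windows 8 / Server 2012 or later (for Get-NetTCPConnection), and an elevated PowerShell session so process image paths are readable.

```powershell
# Added triage helper (example, not from the article). Assumes Microsoft Defender
# and an elevated session; it only flags items for a human to review.

# 1. Status of the installed anti-malware solution (Defender). Missing service,
#    disabled real-time protection or stale signatures are the cheap explanation
#    for an infection; constant failures here hint at something more advanced.
$mp = Get-MpComputerStatus
[pscustomobject]@{
    ServiceRunning     = $mp.AMServiceEnabled
    RealTimeProtection = $mp.RealTimeProtectionEnabled
    SignatureAgeDays   = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).Days
} | Format-List

# 2. Processes that carry a well-known system name but run from outside the
#    Windows directory, the classic "look like svchost" masquerade.
$systemNames = 'svchost','lsass','csrss','winlogon','services','smss','explorer'
Get-Process | Where-Object { $systemNames -contains $_.ProcessName } |
    ForEach-Object {
        $path = $_.Path   # empty for protected processes if not elevated
        if ($path -and $path -notlike "$env:SystemRoot\*") {
            [pscustomobject]@{ PID = $_.Id; Name = $_.ProcessName; Path = $path }
        }
    } | Format-Table -AutoSize

# 3. Established TCP connections to non-loopback peers, joined to the owning
#    process and its image path (what netstat -ano plus Process Explorer give
#    you by hand). Review unfamiliar process/remote pairs first.
Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' } |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            PID     = $_.OwningProcess
            Process = $p.ProcessName
            Path    = $p.Path
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
        }
    } | Sort-Object Process | Format-Table -AutoSize
```

The third table is a snapshot; rerun it a few times, since malware that beacons periodically may hold no connection open at the moment you look.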
Containment
Once the infection has been confirmed, the next step is its containment. Note that containment is not meant to be the definitive solution to an infection, but a temporary fix to prevent the spread of the malware and limit its impact. The containment strategy will depend on many factors, including the type of malware detected and the function or number of systems affected. Containment can be as simple as disconnecting the affected system from the network, or as complex as removing an infected server from the network and activating the corresponding disaster recovery plans.
Eradication and preventing further infection
Once the affected system(s) are identified and contained, the next step is to eliminate the infection and restore the systems back to their normal state. The specific removal steps will depend on the malware identified: it could be as simple as reinstalling (or installing) an updated anti-malware solution and performing a scan or as complex as having to manually remove registry entries or protected files.
Some anti-malware vendors offer tools or versions of their products that don’t require installation and can be run from a CD or USB drive in order to prevent them from being affected by malware residing on the system. For example:
• McAfee provides the stand-alone Stinger malware removal tool, and Microsoft has the Malicious Software Removal Tool, for detecting and removing specific malware.
• Avira offers the “Avira Rescue System”, designed to be booted and run from a CD or USB drive.
Once the malware has been removed, steps must be taken to prevent reinfection. These steps could include fully patching the affected system (both the operating system and all third-party software), installing an up-to-date anti-malware solution, and removing or disabling software or services that are not needed.
Lessons learned
Once malware has been removed and the system(s) have been brought back to production, a post-incident analysis is needed in order to identify the causes of the infection and the defenses that need improvement to prevent similar incidents from occurring in the future.
Improvements could include technical solutions (such as implementing automated tools for keeping systems patched and anti-malware up to date, or deploying tools such as EMET), increasing user awareness (through mandatory training, for instance), or reviewing security policies and processes to ensure that they are up to date and remain relevant.
Fine-tuning a holistic strategy for security management is an essential component of good technology management. This means identifying tools that enhance that goal on your network, as well as deciding company-wide policies about what to allow employees to use and what security systems to implement. For our Launch Pad Business Care clients, our bundled program includes proactive technology planning and management, a comprehensive disaster recovery and data protection solution, and a managed and coordinated antivirus, anti-malware and anti-spyware system. A problem of any kind on any client’s desktop or server immediately generates an alert to our help desk and is remediated before the threat escalates. This is the kind of wrapped protection you should seek to put in place on your network. If not, you may be in for some unwanted and costly disasters.
For more information on solutions for running your business’s technology more efficiently, visit our website or contact Megan Meisner at mmeisner@launchpadonline.com or 813 920 0788 x210.