Thursday, May 11, 2017

Am I Infected? Malware, Virus, Worm | Incident Response

  • Malware: Software written for a malicious purpose, such as destroying data, stealing money or annoying users
  • Virus: Malware that requires human intervention to spread; it needs the user to click on an executable, open a document or visit a website
  • Worm: Malware that spreads automatically; it infects other systems on the network by itself and also spreads through plug-and-play devices

Symptoms

  • Unusual behaviour in applications
  • System slowdown, random restarts, new software icons, or folders/files created that you did not create
  • Adware pop-ups / fake virus alerts
  • Password change or password reset emails for your email, bank or other online accounts
  • Surprise financial transactions on your bank accounts

To Do

Detection and Removal
1. Isolate the system from the rest of the network
2. Remove temporary files
3. Look for suspicious files, processes, network connections and registry values
4. Identify the file generating the suspicious activity
5. Isolate the suspicious file
6. Verify whether the file is malicious
7. Identify the persistence mechanism
8. Break its persistence mechanism
9. Delete the malicious files from the system
10. Monitor for suspicious activity (repeat steps 3 to 9)
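The following PowerShell script is an added example (it is not part of the original post) that carries out the evidence-gathering half of steps 3 to 7 on a Windows 10 / Server 2016 or later host: it lists processes that are unsigned or run from outside the Windows and Program Files trees, established connections to non-private addresses with their owning process, and the usual persistence locations (Run/RunOnce keys, non-Microsoft scheduled tasks, services whose binary sits in a temp or user-writable directory). It also hashes a suspect file so it can be looked up by SHA-256 on VirusTotal without uploading it. It assumes an elevated PowerShell 5.1 prompt; the `C:\Users\Public\suspect.exe` path in the usage line is a placeholder. Nothing in it deletes or changes anything, so it is safe to run before deciding on removal.

```powershell
# Added example, not from the original post: read-only triage for steps 3-7.
# Assumes Windows 10 / Server 2016+ and an elevated PowerShell 5.1 session.
$report = [ordered]@{}

# Step 3a: processes that are unsigned or run from outside Windows / Program Files
$report.Processes = Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.ExecutablePath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            PID       = $_.ProcessId
            Parent    = $_.ParentProcessId
            Name      = $_.Name
            Path      = $_.ExecutablePath
            Signature = if ($sig) { $sig.Status } else { 'Unknown' }
        }
    } |
    Where-Object {
        $_.Signature -ne 'Valid' -or
        $_.Path -notmatch '^C:\\(Windows|Program Files( \(x86\))?)\\'
    }

# Step 3b: established connections to non-loopback, non-RFC1918 addresses, with owning process
$report.Network = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)' } |
    Select-Object LocalPort, RemoteAddress, RemotePort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Path } }

# Step 7: common persistence locations. Run/RunOnce keys for the machine and current user
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$report.RunKeys = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |   # skip the provider's PSPath/PSDrive metadata
            ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
    }
}

# Scheduled tasks not authored by Microsoft, with what they execute
$report.Tasks = Get-ScheduledTask |
    Where-Object { $_.State -ne 'Disabled' -and $_.Author -notmatch 'Microsoft' } |
    Select-Object TaskName, TaskPath, Author,
        @{ n = 'Action'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }

# Services whose binary lives in a temp or user-writable directory
$report.Services = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match '\\(Temp|AppData|ProgramData|Users\\Public)\\' } |
    Select-Object Name, State, StartMode, PathName

# Steps 4-6: hash the suspect file so it can be searched on VirusTotal by hash
function Get-SuspectHash {
    param([Parameter(Mandatory)][string]$Path)
    $h = Get-FileHash -Path $Path -Algorithm SHA256
    [pscustomobject]@{
        Path      = $Path
        SHA256    = $h.Hash
        Size      = (Get-Item $Path).Length
        LastWrite = (Get-Item $Path).LastWriteTime
    }
}

# Print each section of the report
foreach ($section in $report.GetEnumerator()) {
    "==== $($section.Key) ===="
    $section.Value | Format-Table -AutoSize | Out-String -Width 200
}

# Usage once a file has been singled out (placeholder path):
# Get-SuspectHash -Path 'C:\Users\Public\suspect.exe'
```

Anything flagged by the `Processes`, `RunKeys`, `Tasks` or `Services` sections is a candidate, not a verdict: legitimate software is often unsigned or installs from ProgramData, so verify each entry (step 6) by its hash before breaking persistence (step 8). Save the output before cleaning so you can confirm in step 10 that the same entries do not return.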

Steps to Follow (contact IT Security for the software mentioned below and for the steps marked Advanced)

  • Full anti-virus scan with Symantec Endpoint Security 14.x (manual): detects known malware, if any
  • Scan with Malwarebytes (the free version will work)
  • Rootkit scan: GMER, SpyDLLRemover (helps in removing malware DLLs)
  • Scan the infected or suspicious file with VirusTotal to get the name of the virus/malware family
         - Use the Virus Total Scanner Tool for a quick scan
  • Check the AV vendor sites (McAfee, Symantec) for the detected variant name to understand the infection details and any removal steps
  • BHO scan (for system slowdown): run SpyBHORemover and disable unusual BHOs
  • Delete locked/hidden/protected malware files: use GMER to delete hidden files/registry keys, or boot BackTrack, mount your drives and delete the files/registry keys (Advanced)
  • Change the passwords of important accounts: corporate email, computer login, Facebook, Google, Twitter, PayPal, etc.

Tools:
  • Malwarebytes
  • Rootkit scan using GMER
  • Remove malware DLLs using SpyDLLRemover
  • Virus Total Scanner Tool
  • Remove BHOs using SpyBHORemover

Verify the threat report on the Symantec/Check Point/McAfee websites to check the criticality

In case of full system or widespread infections,

  • System Restore to the right restore point: the dates on the infected files should tell you which date to restore from
  • Format and re-install the OS; clean up other drives if necessary
  • Scan other systems/devices on the network
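Once one machine has been confirmed infected, the last point above is about finding the same file elsewhere. The script below is an added example, not from the original post, of sweeping other hosts for the SHA-256 of the confirmed malicious file over PowerShell Remoting. It assumes WinRM is enabled on the targets, that the account running it is a local administrator there, and that the hash and host names are placeholders you replace with your own values. It only reads; any host that matches goes through the same isolate-verify-remove procedure as the first one.

```powershell
# Added example, not from the original post: sweep other hosts for a known-bad file hash.
# Assumes PowerShell Remoting (WinRM) is enabled and the caller is local admin on each target.
$iocHash = 'REPLACE-WITH-SHA256-FROM-VIRUSTOTAL'   # placeholder: the confirmed malicious file's hash
$targets = 'WS01', 'WS02', 'WS03'                 # placeholders: hosts to check

$results = Invoke-Command -ComputerName $targets -ErrorAction Continue -ArgumentList $iocHash -ScriptBlock {
    param([string]$Hash)

    # Common drop locations only; hashing the whole disk is slow. Add paths from your own findings.
    $dirs = @("$env:SystemRoot\Temp", 'C:\ProgramData', 'C:\Users\Public') +
            (Get-ChildItem 'C:\Users' -Directory | ForEach-Object { "$($_.FullName)\AppData" })

    foreach ($d in $dirs) {
        if (-not (Test-Path $d)) { continue }
        Get-ChildItem -Path $d -Recurse -File -Include *.exe, *.dll, *.scr, *.ps1, *.vbs, *.js -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -lt 50MB } |
            ForEach-Object {
                $h = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                if ($h -and $h.Hash -eq $Hash) {
                    [pscustomobject]@{
                        Host      = $env:COMPUTERNAME
                        Path      = $_.FullName
                        SHA256    = $h.Hash
                        LastWrite = $_.LastWriteTime
                    }
                }
            }
    }
}

if ($results) {
    $results | Format-Table Host, Path, LastWrite -AutoSize
} else {
    "No file matching $iocHash found in the scanned locations on: $($targets -join ', ')"
}
```

A hash match is exact, so this finds copies of the same file but not a recompiled or repacked variant; pair it with the persistence checks (Run keys, scheduled tasks, services) on any host that looks suspicious even when the hash does not match. Hosts that are unreachable over WinRM are reported as errors by `Invoke-Command` and still need to be checked by other means.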