Home page logo
/

pauldotcom logo PaulDotCom mailing list archives

Re: LAN Virus outbreak Procedures
From: Chris Keladis <ckeladis () gmail com>
Date: Fri, 3 Sep 2010 06:45:08 +1000

On Fri, Sep 3, 2010 at 5:24 AM, Tyler Robinson <pcimpressions () gmail com> wrote:

Hey Tyler,

Thanks everyone for all the ideas the enviroment has about 350 machines at
least all on flat domain can't vlan due to stupid software configurations. I
have several systems that have to be live all the time (911 systems) and
vmware esx servers in cluster. Any other suggestions is again so much
appreciated I am willing to try just about anything right now I have a lot
of angry users right now due to network performace ( for there facebooking I
am sure) wanting this fixed and the sheriffs department has its busiest week
of the year starting sat so please no idea will not be tried.

Ouch! Sounds like you need more hands and eyes on the problem :)

The only thing i can think of, bar running around to 350 PCs is maybe
sample a few to understand what malware you've got going on.

Make use of Microsoft's (ex-Sysinternals) tools to investigate.
AutoRuns, ProcExp, etc etc.

One handy tip when using ProcExp, dont "kill" malicious processes,
rather, "pause" or "freeze" them. Most malware these days have SIGKILL
handlers to spawn their cousins when their killed and you end up with
more problems.

Once you understand what you've got going on you can perhaps download
a removal tool and make everyone run it.

Also keep in mind sensitive information may have been leaked by the
malware, so once you have a handle on the situation, change ALL
passwords, and follow up on anything important that might have leaked
out of the organization (this may have ramifications down the track).

Most malware infections these days aren't one-off's (they use
droppers, stagers, load root-kits and other add-ons) so you can try to
control the primary infection on the LAN, but at some point manual
review will be needed as well, eg, booting off a USB key/CD and
checking for rootkits etc etc..

Also tell people to stop using any form of removable media to avoid
the (re)spread in or out of the organization, until you get a handle
on the situation.

Maybe you can script something and use Sysinternals tools like
"pslist" to copy a process list to a share you can then analyze
further? Maybe setup a job via the RunOnce reg-key or Scheduler and
ask everyone to reboot (RunOnce) or wait (Scheduler), so you at least
get a peak into the processes running and can make a plan of attack.

Hope i've given you some practical advice, unfortunately since the
previous admin hadnt set up controls to mitigate you face a very
difficult task.

But, this disaster may give you the ammunition you need to make improvements! :)


Cheers,

Chris.
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault