
Edit: Let's assume Windows 7 and potentially Windows Server 2003/2008.

IMHO, any machine that has malware should be reimaged/reformatted/OS reinstalled before it is deployed back into the environment. However, this isn't always practical. If the malware-type can be identified and potentially removed, sometimes the business dictates that a machine is remediated. So, my question assumes that management insists that a machine is remediated and has accepted the risk of doing so. Also, assume that all root cause analysis on the infection has already been completed. I would like to build a checklist of things to look at with the goal of reversing any changes malware has made to a system.

Edit: Due to the broad nature of this, perhaps those that are familiar with malware analysis can comment on the most common things they see malware change on a system that are related to maintaining persistence even if the malware is disabled/removed. (e.g., create an account or other backdoor that allows remote access to a system). Obviously, there are entire books and courses on this subject. This is not meant to be comprehensive. Rather, it is a checklist of common things to check/fix for a situation where reinstalling the OS is not an option and it is believed the malware has already been removed.

Here are a few examples:

* review all autostart locations and verify persistence mechanisms are removed
* multiple virus/malware scans of the drive slaved to another system (using multiple tools)
* all local/network account passwords changed
* local accounts/groups reviewed for issues (e.g., new accounts)
* etc/hosts file reviewed
* sfc /scannow
* review firewall configuration
* review MBR
* review any files/folders created/modified at the time of compromise
* review $MFT for timestomping (assumes NTFS)

While I agree a reimage is much simpler and a better solution, I thought it would be a good idea to develop a best practice for attempting to verify a machine has been remediated. Many of these steps also fall in the category of malware detection as well.

I reviewed the following related posts:

Malware - are removal tools acceptable or is bare metal re-install the only safe option?

Recovering from malware in the registry

Is making a clean install enough to remove potential malware?

How do I deal with a compromised server?

Thanks.

Matt
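One way to carry out the hosts-file item of the checklist above against a drive attached to an analysis machine, as an added example that is not part of the original question. The function names, the finding labels and the sample entries are constructed for illustration.

```python
import ipaddress

# Constructed sample: a stock Windows hosts file is comments only, so every
# active line below other than the localhost mappings is a finding.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#      127.0.0.1       localhost
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.av-vendor.example   # constructed entry
203.0.113.10    login.bank.example www.bank.example
not-an-ip       something.example
"""

def load_hosts(path):
    """Read a hosts file from the mounted drive
    (<mount>\\Windows\\System32\\drivers\\etc\\hosts), tolerating a BOM."""
    with open(path, encoding="utf-8-sig", errors="replace") as fh:
        return fh.read()

def review_hosts(text):
    """Return (line_no, ip, hostname, finding) for every active mapping
    that is not a plain loopback entry for 'localhost'."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()      # drop comments
        if not entry:
            continue
        fields = entry.split()
        ip_text, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append((line_no, ip_text, " ".join(names), "malformed"))
            continue
        for name in names:                        # one line may map several names
            name = name.lower()
            if ip.is_loopback and name == "localhost":
                continue
            # Loopback / 0.0.0.0 targets make a name unreachable (often update
            # or security-vendor hosts); any other target redirects the name.
            blackholed = ip.is_loopback or ip.is_unspecified
            findings.append((line_no, ip_text, name,
                             "blackholed" if blackholed else "redirected"))
    return findings

if __name__ == "__main__":
    for finding in review_hosts(SAMPLE_HOSTS):
        print(finding)
```

Each finding still needs a human decision: some environments add legitimate hosts entries, so compare against the organisation's known-good build.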
  • This question might be a little broad, and would require multiple people submitting their contributions to a master list. This forum is not a good fit for that form of question. Also, do you intend to limit the list to just Windows machines? – schroeder May 24 '15 at 17:00
  • You might also want to include in the list other forensic analysis outside of the machine (e.g. network activity) and account compromise forensics. – schroeder May 24 '15 at 17:02
  • I'm going to add an edit and rephrase the question a bit. Also, while there is certainly overlap with forensic analysis/detection, I want to focus on things malware changes that may need to be fixed. Thanks! – Matt May 24 '15 at 17:39
  • Your list is pure forensics, btw. In addition, malware can change accounts, and monitoring network activity can provide insights into things your initial analysis might have missed. If you want to limit your scope simply to OS changes, that's fine, but you might want to specify that limitation to the scope. – schroeder May 24 '15 at 17:45
  • Point taken. Network analysis is certainly valuable. For this situation, I'm assuming this type of analysis has already been done and there is high confidence that the malware has been removed. Even if the malware is removed, there may be changes to the system that should be fixed. Looking at accounts, scanning system files for integrity, or virus/malware scans are not necessarily forensics...although it certainly depends how they are performed. – Matt May 24 '15 at 17:54
  • Following such checklists would take way more time than a reinstall, and thus cost more money. That and the risk caused by that compromised machine makes reinstalling the machine more profitable. –  May 25 '15 at 15:47
  • I'm with you 100%. Yet, the business doesn't always agree. We do our best to educate them, but we are sometimes asked to "fix" a machine despite our protests. – Matt May 25 '15 at 15:54
  • "Even if the malware is removed, there may be changes to the system that should be fixed." Have you let the malware run in a test lab, and then diff'd the filesystems pre- and post- malware to see exactly what has been modified? – Mike Ounsworth May 25 '15 at 22:12
  • possible duplicate of [How do I deal with a compromised server?](http://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromised-server) – Stephane May 26 '15 at 06:59

1 Answer

New services, programmed tasks, shell extensions, DLLs, program modules… The list of autostart ways in Windows is huge; see Sysinternals Autoruns for those available just in the OS.

Plus the secret rootkit that you had no idea had been installed.

I would only consider cleaning a production machine instead of reimaging if working with a lack of equipment or if I knew that specific malware inside out.

It's like a US governor discovering that Soviet secret agents installed spy microphones and several remote-controlled explosives on his car (i.e., a complete compromise). Yet, when being offered a completely new car for free, he decides to clean the old one and accept the risk.

So I would dig into why

> management insists that a machine is remediated and has accepted the risk of doing so

  • Maybe they are afraid of losing data? (make an image of the old computer)

  • They think the reinstalling process is too slow? (perhaps you can have in advance disk images with all the needed software installed, or even a spare hard disk / PC ready to replace an infected one)

  • Would the user need to spend a lot of time reconfiguring the system / programs? (include the configuration into the backups)

A common misconception when considering disinfections is not to take technician time into account. Disinfecting a machine is quite costly. Do they think the antivirus solution will immediately disinfect it with a button press? Most probably it won't even detect the threat! Expect to perform full disk scans with several vendors, manually investigate what kind of malware infected it, cluelessly search the web for remedies…

In comparison, reimaging the PC is reproducible and testable, can be performed even by the lowest-rank (trusted) technician and is even completely automatable. It's a well-defined procedure whose efficiency can be measured and improved. Whereas you never know which malware will hit you next, nor which remedy steps shall be done for the next variant (and what is worse: you can't even determine if a solution completely worked).

And you still need a quick reinstalling procedure, since not all malware is so nice as to allow being disinfected / recovered from (e.g. a malware that shreds the hard disk). I don't think the business requirements will be different depending on the malware that infected you. So you need backups and emergency reinstalling procedures (which typically would also be your last resort for remediation) that work, anyway (with the benefit of being reusable). Skipping the costly and less reliable solution would be the logical thing to do.

Ángel