Five methods to respond to malware
A few years ago, on a project prompted by targeted malware attacks, I studied more than 10,000 computers that had been pulled into botnets. The main problems on these computers were extremely weak security measures: no vulnerability testing and an excessive reliance on traditional anti-virus software. Communication between the security team, the desktop support team, IT administrators and other stakeholders had also broken down. That combination is fatal.
Bots and their command and control (C&C) servers are classified as advanced malware. The more we learn about the complexity of this malware and about the scale and spread of the problem, the clearer it becomes that botnet cleanup is not a simple task. Unfortunately, administrators cannot simply take the system offline and reimage it to make the problem go away.
In my experience, a botnet infection may be one of the most annoying things an IT professional has to deal with, but it need not have a huge impact on your existing work.
The following are five key steps that IT administrators can take to cope with these malware infections and remove bots.
1. Documentation
If you want to manage IT risk effectively, you need a complete incident response process. The absence of an action plan is arguably the biggest obstacle to an effective and secure response. Start now to develop proactive preventive measures that minimize the potential impact of a malware attack. If you want your organization to be able to handle a botnet hijacking, you need well-defined plans for access to the different endpoints and networks, for data management, and for dealing with unknown users.
2. Diagnosis
As the saying goes, half the battle in treating a disease lies in the diagnosis. So where is the point of infection? For malware, that is the $64,000 question.
Many typical botnets and C&C implementations use encryption together with rapidly changing DNS records, a technique known as a "fast-flux service network", to move around beneath the radar of traditional security controls. That is why botnets are hard to detect without the right tools. However, once you find a host on which malware has taken hold, you must step up the investigation and try to contain the scope. Tip: Windows clients are the most likely to be infected, but it may also be your Windows servers.
Microsoft's Sysinternals tools are a good starting point. Make a note of any passwords entered on a suspected machine and of any other systems accessed from that machine. Network analysis tools such as Wireshark and OmniPeek can also provide an additional view of what is happening at the network layer; this higher-level view will benefit administrators.
In addition, you may eventually need to obtain more advanced technology from vendors such as Damballa and FireEye to track malware infections effectively and remove bots.
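The fast-flux pattern described above has a detectable signature in your own resolver logs: a name that keeps resolving to new addresses, with short TTLs, spread across unrelated address blocks. The following script is an added example, not code from the article or from any vendor named in it. It parses a constructed resolver log (format, names and addresses are assumptions made for the example), profiles each queried name, and reports names that look like fast-flux together with the internal clients that queried them, which are the hosts to triage first. Distinct /16 blocks are used as an offline stand-in for autonomous-system diversity, which a real check would look up from routing data.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of a DNS resolver log (not from the article):
# "<timestamp> <client IP> <queried name> <TTL seconds> <answer IP>", one A record per line.
# up1.flux-demo.test is built to look like a fast-flux name: low TTLs and answers
# scattered across unrelated address blocks. The other names resolve stably.
SAMPLE_DNS_LOG = """\
2014-03-01T10:00:01 10.0.0.15 cdn.example.test 3600 198.51.100.10
2014-03-01T10:05:01 10.0.0.22 cdn.example.test 3600 198.51.100.10
2014-03-01T10:00:07 10.0.0.15 up1.flux-demo.test 120 203.0.113.4
2014-03-01T10:02:09 10.0.0.15 up1.flux-demo.test 90 192.0.2.77
2014-03-01T10:04:11 10.0.0.15 up1.flux-demo.test 60 198.18.5.9
2014-03-01T10:06:13 10.0.0.40 up1.flux-demo.test 100 100.64.3.3
2014-03-01T10:08:15 10.0.0.40 up1.flux-demo.test 120 203.0.113.200
2014-03-01T10:10:17 10.0.0.15 up1.flux-demo.test 90 192.0.2.8
2014-03-01T10:00:30 10.0.0.31 mail.example.test 300 198.51.100.25
2014-03-01T10:01:30 10.0.0.31 mail.example.test 300 198.51.100.26
this line is malformed and must be skipped
"""


def profile_domains(log_text):
    """Collect, per queried name, the distinct answer IPs, the distinct /16 blocks
    they fall in, the lowest TTL seen and the internal clients that asked."""
    domains = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None, "clients": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed record: skip it instead of aborting the whole run
        _ts, client, qname, ttl_text, answer = parts
        try:
            ttl = int(ttl_text)
            addr = ip_address(answer)
        except ValueError:
            continue  # non-numeric TTL or non-IP answer (e.g. a CNAME target)
        entry = domains[qname.lower().rstrip(".")]
        entry["ips"].add(str(addr))
        # /16 membership stands in for ASN diversity, which needs an external lookup.
        entry["nets"].add(str(ip_network(f"{addr}/16", strict=False)))
        entry["min_ttl"] = ttl if entry["min_ttl"] is None else min(entry["min_ttl"], ttl)
        entry["clients"].add(client)
    return domains


def find_fast_flux(log_text, max_ttl=300, min_ips=5, min_nets=3):
    """Return the names whose resolution pattern matches fast flux, with the
    internal clients that queried them (the hosts to investigate first)."""
    flagged = {}
    for qname, entry in profile_domains(log_text).items():
        if (entry["min_ttl"] is not None and entry["min_ttl"] <= max_ttl
                and len(entry["ips"]) >= min_ips and len(entry["nets"]) >= min_nets):
            flagged[qname] = {
                "distinct_ips": len(entry["ips"]),
                "distinct_nets": len(entry["nets"]),
                "min_ttl": entry["min_ttl"],
                "clients": sorted(entry["clients"]),
            }
    return flagged


if __name__ == "__main__":
    for name, info in find_fast_flux(SAMPLE_DNS_LOG).items():
        print(f"{name}: {info['distinct_ips']} IPs in {info['distinct_nets']} /16s, "
              f"min TTL {info['min_ttl']}s, queried by {', '.join(info['clients'])}")
```

The thresholds are deliberately conservative: a single low TTL or a handful of addresses is normal for content delivery networks, so a name is flagged only when all three signals (low TTL, many addresses, addresses spread across several blocks) coincide. Tune `min_ips` and `min_nets` against a week of your own logs before acting on the output.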
3. Restrictions
Once you know about a malware infection, you can use emergency network access control lists or firewall rules to block the malware's inbound and outbound network traffic until it has been cleaned up.
You can also use an application whitelisting approach, with local or group policies as the basic tool for combating malware infections; Bit9's "proactive security control policy" can serve as an advanced tool for the same purpose.
4. Removal
Running a simple anti-virus scan will not remove bots. It may not even detect the malware's abnormal behaviour, and even when it does, the malicious code is often so intertwined with the operating system and registry that mainstream anti-virus software does not know how to handle it.
One of the best things you can do is run multiple anti-malware tools, especially tools such as Webroot and Malwarebytes that have a relatively good understanding of more advanced threats. Failing that, you may have no choice but to reinstall the operating system.
If you do reinstall the operating system, pay attention to the risk of data loss. I have carried out almost no internal security assessment in which I did not find sensitive information on a workstation with no backup copy.
5. Patch updates
The biggest contributor to malware infections is users failing to update Java, Adobe and related third-party software regularly. Windows XP, meanwhile, is about to be retired.
The point is that keeping enterprise systems updated can eliminate threats, or at least prevent malware from spreading. So you now need to address the patch management problem for third-party software, so that you are guarded against the problems found in the real world.
When none of this works, you can only seek help from experts. Botnets are hard to cope with. From what I found on my project, and from what I have learned about other incidents, botnets are very much like cancerous lesions in the body: if even a little of the zombie infection is left in the network, a second wave of infection is likely. Emergency measures, plus regular handling by professionals of endpoints showing suspicious characteristics, will keep the entire organization under IT security protection.
Removing malware from endpoints is one way to minimize risk. Threat intelligence (knowing what to look for and having enough information to support decision-making) is critical. This goes back to a basic management principle: know your network. It sounds boring, but when you really know what is "normal", you will be able to judge abnormal activity correctly.
If you do not have the tools or processes to obtain this information, start today. To gain control of your endpoints, you must have good network analysis and event monitoring tools to confront the botnet. As my favourite saying goes: "Know yourself and know your enemy, and you will never be in peril in a hundred battles."
Malware problems show no sign of improving over time. Desktop and network administrators therefore need to improve their skills now and become threat analysts, data scientists and incident responders. Even if these fields do not affect their work today, they will certainly come in handy one day.
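"Knowing what is normal" can be turned into a concrete check. A bot that has survived cleanup typically contacts its C&C server on a fixed schedule, and that regularity stands out against the irregular timing of ordinary user traffic once you have a baseline of the destinations that legitimately poll on a schedule (NTP, update servers). The following script is an added example, not code from the article or from any product it mentions. It reads a constructed outbound connection log (format, addresses and the baseline set are assumptions made for the example) and flags source/destination pairs whose connection intervals are nearly constant, skipping destinations recorded in the baseline.

```python
from collections import defaultdict

# Constructed sample of an outbound connection log (not from the article):
# "<epoch seconds> <source IP> <destination IP> <destination port>", one connection per line.
# 10.0.0.15 -> 203.0.113.200:443 is built to look like a bot checking in about every 300 s.
# 10.0.0.22 -> 192.0.2.123:123 is the site's own NTP server, which legitimately polls on a schedule.
# 10.0.0.22 -> 198.51.100.10:443 is ordinary browsing with irregular timing.
SAMPLE_CONN_LOG = """\
1000 10.0.0.15 203.0.113.200 443
1298 10.0.0.15 203.0.113.200 443
1601 10.0.0.15 203.0.113.200 443
1899 10.0.0.15 203.0.113.200 443
2202 10.0.0.15 203.0.113.200 443
2500 10.0.0.15 203.0.113.200 443
2801 10.0.0.15 203.0.113.200 443
1000 10.0.0.22 192.0.2.123 123
2024 10.0.0.22 192.0.2.123 123
3048 10.0.0.22 192.0.2.123 123
4072 10.0.0.22 192.0.2.123 123
5096 10.0.0.22 192.0.2.123 123
6120 10.0.0.22 192.0.2.123 123
1000 10.0.0.22 198.51.100.10 443
1010 10.0.0.22 198.51.100.10 443
1500 10.0.0.22 198.51.100.10 443
1505 10.0.0.22 198.51.100.10 443
3000 10.0.0.22 198.51.100.10 443
3100 10.0.0.22 198.51.100.10 443
"""

# The "know your network" baseline: destinations expected to be contacted on a fixed
# schedule, so their regularity is normal. Constructed for this example.
KNOWN_PERIODIC = frozenset({"192.0.2.123"})


def interval_stats(times):
    """Mean and coefficient of variation (std dev / mean) of the gaps between sorted timestamps."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if not gaps:
        return 0.0, float("inf")  # a single connection has no interval to judge
    mean = sum(gaps) / len(gaps)
    if mean == 0:
        return 0.0, float("inf")  # all timestamps identical: not a schedule
    variance = sum((g - mean) ** 2 for g in gaps) / len(gaps)
    return mean, variance ** 0.5 / mean


def detect_beacons(log_text, min_connections=6, max_cv=0.2, known_periodic=KNOWN_PERIODIC):
    """Flag (source, destination, port) triples contacted at least min_connections times
    with near-constant spacing, ignoring destinations already known to be periodic."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed record
        try:
            epoch, dport = int(parts[0]), int(parts[3])
        except ValueError:
            continue
        series[(parts[1], parts[2], dport)].append(epoch)
    findings = []
    for (src, dst, dport), times in series.items():
        if dst in known_periodic or len(times) < min_connections:
            continue
        times.sort()
        mean, cv = interval_stats(times)
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "dport": dport, "count": len(times),
                             "mean_interval": round(mean, 1), "cv": round(cv, 4)})
    return sorted(findings, key=lambda f: (f["src"], f["dst"], f["dport"]))


if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_CONN_LOG):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} {f['count']} connections, "
              f"every {f['mean_interval']}s (cv {f['cv']})")
```

The baseline set is what makes the check usable: run it with `known_periodic=frozenset()` once and the NTP poll is flagged too, which is exactly the kind of false positive that knowing your own network removes. Some malware adds random jitter to its check-in interval; raising `max_cv` catches that at the cost of more noise, so the value should be tuned against traffic you have already verified as clean.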