Containment is always the first step, then the investigation, followed by clean-up and education of the end user. I carry a USB drive that I rebuild each time with the software below on it; a drive that has been plugged into an infected machine has to be treated as infected itself, which is why it gets rebuilt rather than reused.
1. Isolate the computer(s) and device(s) from the LAN: unplug everything connected to the network and disable any wireless adapters.
2. Shut down the computer(s) to take off-site. (If you expect to need memory forensics later, capture RAM before you pull the plug; shutting down discards it.)
3. Once off-site, boot into Safe Mode, still not connected to any LAN.
4. Manually review the hosts file and its permissions, making sure neither has been tampered with: C:\windows\System32\drivers\etc\hosts. Anything beyond the default commented-out lines, or write access for ordinary users, is a red flag.
5. From my flash drive, install and run RKill. RKill is a program developed at BleepingComputer.com that attempts to terminate known malware processes so that normal security software can then run and clean the computer. When RKill runs it kills the malware processes, then removes incorrect executable file associations and fixes policies that stop us from using certain tools. When finished, it displays a log file showing the processes that were terminated while it was running.
I usually use the iExplorer.exe renamed version, as it tends to escape detection by malware that watches for the RKill process name to protect itself. RKill removes nothing from disk, so do not reboot between it and the scanner in the next step; the terminated processes would simply start again.
6. Install Malwarebytes Anti-Malware (MBAM), the offline scanner. Malwarebytes is a lightweight anti-malware program that is excellent at removing the latest detections. MBAM can also be used alongside any other security programs you have installed, which lets it remove malware that slipped past the normal anti-virus solution.
7. Update the Malwarebytes signatures (the machine is still offline, so the update has to come from the flash drive) and run a full scan.
9. If the computer is stable and restarts as expected, turn off System Restore and delete all the restore points created after the malware arrived. Turning System Protection off for a drive removes every restore point on it, including any infected copies the malware left there; turn it back on afterwards so a clean restore point can be taken.
10. Install and run AdwCleaner, a free program that searches for and deletes adware, toolbars, potentially unwanted programs (PUPs) and browser hijackers. AdwCleaner makes it easy to remove many of these programs, for a better experience on the computer and while browsing the web.
11. Run HijackThis. HijackThis is a program that can quickly spot homepage hijackers and startup programs you do not want starting automatically. It is not an anti-virus program but an enumerator: it lists the programs that start automatically, along with other configuration that is commonly hijacked, and leaves the judgement to you.
12. I then go through the autoruns manually to make sure nothing unwanted will start on reboot. First, CTRL+ALT+DEL > Task Manager > Startup tab: run through it and verify that each app should be running at startup; if you do not recognize one, let Google be your friend. Then I launch msconfig > Services tab (tick "Hide all Microsoft services" to shorten the list) and run through the services. Finally, I look at the registry in the following keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Once I am comfortable that the computer(s) are safe enough to return to the online world:
13. Connect the computer(s) to an isolated segment of my network, so that anything I missed can only reach that segment and can be watched there.
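The hosts file review (step 4) and the autorun review (step 12) are the two places where a manual check is easy to get wrong or leave incomplete, so here is an added PowerShell triage script for them. It is not part of the original post; it goes a little beyond the four keys listed above by also reading the 32-bit Wow6432Node view and every user hive loaded under HKEY_USERS, and it reports the Authenticode status and SHA-256 of each binary an entry launches. It assumes Windows PowerShell 5.1 or later and an elevated prompt; it only reports and deletes nothing.

```powershell
# Added example (not from the original post): a triage script for the manual
# checks in steps 4 and 12. Run from an elevated PowerShell prompt on the
# offline machine; assumes Windows PowerShell 5.1 or later (all cmdlets are
# built in). It only reports; nothing is deleted.

# --- Step 4: hosts file content and permissions ---
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
Write-Host "== hosts entries (comments and blank lines stripped) =="
Get-Content -LiteralPath $hostsPath |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }

Write-Host "== identities with write access to hosts (normally only SYSTEM, Administrators, TrustedInstaller) =="
$acl = Get-Acl -LiteralPath $hostsPath
"Owner: $($acl.Owner)"
$acl.Access |
    Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize

# --- Step 12: Run/RunOnce keys. Also covers the 32-bit Wow6432Node view and
# every user hive loaded under HKEY_USERS, which the four keys in the post miss ---
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$suffixes = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)
$roots = @('HKLM:') + @(Get-ChildItem -Path 'HKU:\' | ForEach-Object { "HKU:\$($_.PSChildName)" })

function Resolve-ImagePath([string]$CommandLine) {
    # Pull the executable out of a command line: a quoted path, or the first token,
    # then expand %variables% and fall back to a PATH lookup for bare names.
    $cmd = $CommandLine.Trim()
    if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split '\s+', 2)[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if ($exe -and -not [IO.Path]::IsPathRooted($exe)) {
        $found = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($found) { $exe = $found.Source }
    }
    return $exe
}

function Get-ImageFacts([string]$CommandLine) {
    # Existence, Authenticode status and SHA-256 of the binary an entry launches.
    $exe = Resolve-ImagePath $CommandLine
    if (-not $exe -or -not (Test-Path -LiteralPath $exe -PathType Leaf)) {
        return [pscustomobject]@{ Path = $exe; Exists = $false; Signer = ''; SHA256 = '' }
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $exe
    $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "UNSIGNED/$($sig.Status)" }
    [pscustomobject]@{
        Path   = $exe
        Exists = $true
        Signer = $signer
        SHA256 = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
    }
}

$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$entries = foreach ($root in $roots) {
    foreach ($suffix in $suffixes) {
        $key = "$root\$suffix"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
            if ($metaProps -contains $p.Name) { continue }   # provider metadata, not registry values
            $facts = Get-ImageFacts ([string]$p.Value)
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $p.Value
                Exists  = $facts.Exists
                Signer  = $facts.Signer
                SHA256  = $facts.SHA256
            }
        }
    }
}

Write-Host "== autorun entries: missing or unsigned binaries, and anything under AppData, Temp or ProgramData, deserve a closer look =="
$entries | Sort-Object Exists, Signer | Format-Table Key, Name, Exists, Signer, Command -AutoSize -Wrap

Write-Host "== hashes to look up once you are back online =="
$entries | Where-Object Exists | Select-Object Name, SHA256 | Format-Table -AutoSize
```

Read the output the same way you would read HijackThis: an entry whose binary no longer exists is a leftover to clean up, "UNSIGNED" means no verifiable Authenticode signature rather than proof of malice, and a valid signature is not proof of innocence either. Write the hashes down and look them up once the machine is back on the isolated segment.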
Once I am convinced that everything is clean, I reboot a few more times and run a dozen or so random apps to see whether anything reappears.
I am usually done at this point, but it really depends on what is going on and what kind of attack it was.
If it was a rootkit or ransomware, then there are different things I would do.
I usually uninstall the AV the client was using and either reinstall it as a clean copy or upgrade them to one that works.
Keep in mind that none of this is a hard and fast rule; much of it is very fluid, but this is the basic outline of my plan of attack.
The whole point of the investigation is to figure out where the malware came from. That usually means looking at what apps were recently installed, reviewing browser history, and going through log and audit files. This part can get really tricky and can take a long time if you do not know what you are doing.
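For the "what was installed recently" part of the investigation, here is an added PowerShell script, not from the original post, that pulls three timelines from the machine itself: programs with a recent InstallDate in the Uninstall keys, services registered recently (event 7045 in the System log, which records the image path), and executables or scripts that appeared recently in the usual drop locations. It assumes Windows PowerShell 5.1 or later run elevated; $Days is an assumed look-back window to adjust to the reported time of infection.

```powershell
# Added example (not from the original post) for the investigation step:
# what was installed or registered recently. Assumes Windows PowerShell 5.1+,
# run elevated. $Days is an assumed look-back window; set it from the
# reported time of infection.
$Days  = 14
$since = (Get-Date).AddDays(-$Days)

# Recently installed programs, from the Uninstall keys (64-bit, 32-bit and per-user).
$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Write-Host "== programs with an InstallDate in the last $Days days (InstallDate is optional, so this is not exhaustive) =="
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.InstallDate -match '^\d{8}$' } |
    ForEach-Object {
        $installed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
        if ($installed -ge $since) {
            [pscustomobject]@{
                Installed = $installed.ToString('yyyy-MM-dd')
                Name      = $_.DisplayName
                Publisher = $_.Publisher
                Location  = $_.InstallLocation
            }
        }
    } | Sort-Object Installed -Descending | Format-Table -AutoSize -Wrap

# Services installed recently: the Service Control Manager logs event 7045 with the image path.
Write-Host "== services installed in the last $Days days (System log, event 7045) =="
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Details'; e = { (($_.Message -split "`r?`n") | Select-Object -First 4) -join ' | ' } } |
    Format-Table -AutoSize -Wrap

# Executables and scripts that appeared recently in commonly writable locations,
# the usual landing spots for a downloaded payload.
$dropZones = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC, $env:ProgramData)
Write-Host "== executables/scripts created in common drop locations in the last $Days days =="
Get-ChildItem -Path $dropZones -Recurse -File -Include *.exe, *.dll, *.scr, *.ps1, *.vbs, *.js, *.bat, *.cmd -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $since } |
    Sort-Object CreationTime -Descending |
    Select-Object CreationTime, FullName |
    Format-Table -AutoSize -Wrap
```

Line the three lists up against the browser history and the user's account of what they clicked; the first unfamiliar item that appears at about the same time in more than one of them is usually the entry point. Creation times are easy for malware to forge, so treat them as a lead rather than proof.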