Incident Response

Cleaning Up Malware (Part 2: Manual Cleans)

 

So you have read Part 1 (Link) and you decided that you want to try manually cleaning up a machine.

The one undisputed FACT we have at this moment is that the malware isn’t too particularly nasty- else you wouldn’t have a months salary potentially about to hit the chopping block!

In other words- this is not the guide you are looking for when you want to manually clean malware that has system level access to your domain controllers.

 

If you got hit by a well-known piece of malware, particularly if it’s well a documented variant, you might find removal guides online and it’s simply a case then of going through the steps. (And if you get really lucky, AV vendors will often provide specific removal tools that do all the work for you!)

 

Failing this we are doing it the hard way!

 

Depending on the malware we are looking at, your infected machine(s) are likely in quarantine at this point (possibly even restricted from having Internet access).

 

Before doing any work on it you will want to take some baselines and get an idea of what’s going on with the machine.

 

We want to know what the running processes/services are. What the CPU/RAM is like. What connections/ports are open? Check DNS/default gateway settings, traceroute, hosts file etc etc

 

Don’t go overboard here. Keep it short and simple. We already know the machine is infected. This is a clean-up exercise not an afternoon of malware analysis.

 

True. We do have to analyse the malware to some extent. But just be careful not to lose sight of the fact that the end goal here (at this stage in the game) is to get this machine cleaned up and back to the user pronto. This is not the time or place to be busting out your immunity debugger.

 

There are a number of excellent tools that can be used for baselining + clean up. Personally, I quite like the Sysinternals suite. (Link)

 

We’ll start of by launching Process Explorer so you can take a look through the list of running processes and get a feel for what’s going on. We can hash all the running process hashes and check against VirusTotal. Make sure to verify all signatures, check integrity levels and set the command line option. Save results.

 

Next we’ll check Autoruns. The malware has to auto-start itself somehow… right?

I mean, people aren’t going to manually double click that evilvirus666.exe on their desktop every time they reboot their machine. As above, submit all to VirusTotal and verify signatures and save results etc

 

After autoruns we’ll take a quick look at the users browser. Pay particular attention to any add-ons/extensions that might be installed. (Given that this is usually the last check before starting the actual clean up process I would usually do a browser reset)

 

 

At this point you should have a fairly clear picture of what’s going on.

 

Side Note:       When you get a little better at this, with the information you have just pulled from SysInternals you can track down the malicious processes, determine where they are living, kill them, delete, reboot and repeat process until gone. (Or if its particularly tricky and you’re having a hard time killing it- determine how its autostarting, remove this ability, reboot, and then delete.)

There is one huge caveat to doing it this way though. You lose out on reports. Sure, I can screenshot the process and write out my own thoughts– but customers can be a fickle bunch. Stacks and stacks of reports archived away (never to be read) seems to be the order of the day.

 

So first step for me would be to kick off the most in-depth scan available with your endpoint protection of choice. Is your endpoint solution all encompassing? Or do you have separate solutions in place for adware / PUPs / browser hijackers / registry etc etc If so, now is the time to run through these scans and reboot.

 

When machine comes back online relaunch your Sysinternals and compare system now to the results you first exported. Is the malware gone? Yes? Great. Get machine back to the user and start working on future mitigation plan.

No, its not gone? Reboot into safe-mode and repeat process. Is malware gone? Yes? Get the machine back to user.

No? Ok. Now this is where it gets interesting. You could go down the road of running a secondary set of products (Malwarebytes or some such) and seeing if that will pick up what the others missed. Or as I mentioned above- with the Sysinternals suite you have everything you need right now to step up and outshine your AV solutions. Which at this stage is looking ever more likely.

If you don’t feel that your skilled enough just yet with Sysinternals (Watch this 1, Read this 2, Buy this 3) and in the mean time you could do worse than re-evaluate your stance on the rebuild option.

 

Leave a Reply

Your email address will not be published. Required fields are marked *