[Pauldotcom] LAN Virus outbreak Procedures
pcimpressions at gmail.com
Thu Sep 2 21:20:52 UTC 2010
Thanks, that is awesome advice. I am starting there and running OSSIM and
trying to analyze. Ya, I could use 2 more people for sure, but thanks everyone
again; the advice given is invaluable. Keep any ideas coming, I will be trying
a lot of things and hopefully can post what works and my experience to help
On Sep 2, 2010 3:08 PM, "Chris Keladis" <ckeladis at gmail.com> wrote:
> On Fri, Sep 3, 2010 at 5:24 AM, Tyler Robinson <pcimpressions at gmail.com>
> Hey Tyler,
>> Thanks everyone for all the ideas. The environment has about 350 machines
>> least all on a flat domain, can't VLAN due to stupid software,
>> have several systems that have to be live all the time (911 systems) and
>> VMware ESX servers in a cluster. Any other suggestions are again so much
>> appreciated. I am willing to try just about anything right now, I have a
>> of angry users right now due to network performance ( for there
>> am sure) wanting this fixed, and the sheriff's department has its busiest
>> of the year starting Sat, so please, no idea will not be tried.
> Ouch! Sounds like you need more hands and eyes on the problem :)
> The only thing I can think of, bar running around to 350 PCs, is maybe
> sample a few to understand what malware you've got going on.
> Make use of Microsoft's (ex-Sysinternals) tools to investigate.
> AutoRuns, ProcExp, etc etc.
> One handy tip when using ProcExp: don't "kill" malicious processes,
> rather "pause" or "freeze" them. Most malware these days has SIGKILL
> handlers to spawn their cousins when they're killed and you end up with
> more problems.
> Once you understand what you've got going on you can perhaps download
> a removal tool and make everyone run it.
> Also keep in mind sensitive information may have been leaked by the
> malware, so once you have a handle on the situation, change ALL
> passwords, and follow up on anything important that might have leaked
> out of the organization (this may have ramifications down the track).
> Most malware infections these days aren't one-offs (they use
> droppers, stagers, load root-kits and other add-ons) so you can try to
> control the primary infection on the LAN, but at some point manual
> review will be needed as well, e.g., booting off a USB key/CD and
> checking for rootkits etc etc..
> Also tell people to stop using any form of removable media to avoid
> the (re)spread in or out of the organization, until you get a handle
> on the situation.
> Maybe you can script something and use Sysinternals tools like
> "pslist" to copy a process list to a share you can then analyze
> further? Maybe set up a job via the RunOnce reg-key or Scheduler and
> ask everyone to reboot (RunOnce) or wait (Scheduler), so you at least
> get a peek into the processes running and can make a plan of attack.
> Hope I've given you some practical advice; unfortunately, since the
> previous admin hadn't set up controls to mitigate, you face a very
> difficult task.
> But, this disaster may give you the ammunition you need to make
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> Main Web Site: http://pauldotcom.com
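Chris's idea of having every host dump its process list to a share and then analyzing the pile can be turned into a simple "stacking" analysis: count on how many hosts each image name appears and triage the rare ones first. The following is an added example, not code from either poster; it assumes each host wrote `tasklist /fo csv /nh` (used here instead of pslist because its header-less CSV is trivial to parse) to `\\server\procs\<hostname>.csv` from a RunOnce entry, and the three sample files are constructed.

```python
"""Stack per-host process listings and flag image names seen on few hosts."""
import csv
import io
from collections import defaultdict

# Constructed sample: three hosts' `tasklist /fo csv /nh` output, keyed by the
# file name each host wrote to the collection share (<hostname>.csv).
SAMPLE_FILES = {
    "PC-001.csv": '"System","4","Services","0","1,234 K"\n'
                  '"svchost.exe","512","Services","0","5,432 K"\n'
                  '"explorer.exe","1200","Console","1","30,100 K"\n',
    "PC-002.csv": '"System","4","Services","0","1,234 K"\n'
                  '"svchost.exe","520","Services","0","5,400 K"\n'
                  '"explorer.exe","1188","Console","1","29,900 K"\n'
                  '"svch0st.exe","2044","Console","1","3,200 K"\n',
    "PC-003.csv": '"System","4","Services","0","1,234 K"\n'
                  '"svchost.exe","508","Services","0","5,500 K"\n'
                  '"explorer.exe","1212","Console","1","30,300 K"\n',
}

def parse_tasklist_csv(text):
    """Return the set of (lower-cased) image names in one host's tasklist CSV."""
    names = set()
    for row in csv.reader(io.StringIO(text)):
        if row:  # csv yields [] for blank lines; column 0 is "Image Name"
            names.add(row[0].lower())
    return names

def stack_processes(files):
    """Map each image name to the sorted list of hosts it was seen on."""
    seen_on = defaultdict(set)
    for filename, text in files.items():
        host = filename.rsplit(".", 1)[0]  # "PC-001.csv" -> "PC-001"
        for name in parse_tasklist_csv(text):
            seen_on[name].add(host)
    return {name: sorted(hosts) for name, hosts in seen_on.items()}

def rare_processes(files, max_hosts=1):
    """Image names present on at most `max_hosts` hosts: the outliers to look at first."""
    return {name: hosts for name, hosts in stack_processes(files).items()
            if len(hosts) <= max_hosts}

if __name__ == "__main__":
    # Prints the outliers; on the sample data only the look-alike name shows up.
    for name, hosts in sorted(rare_processes(SAMPLE_FILES).items()):
        print(f"{name}: {', '.join(hosts)}")
```

On a real share, replace `SAMPLE_FILES` with a dict built by reading every `*.csv` in the collection directory; raising `max_hosts` to a small fraction of the fleet catches malware that has already spread to a handful of machines.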