Tuesday, October 28, 2008

So I got PW3ND, now what? (MS08-067)

So the day went past with nary a trace of an outbreak. Good, no need to work long hours this round. Bad, no free pizza. Nonetheless, I came prepared. To wage battle. My weapon of choice? The usual arsenal -- my scripts, Sysinternals' tools, and a few resource kit tools comprising my rootkit toolkit.

The scenario played out here does not, in any way, mirror an actual incident. This is just a simulation and the actual malware may behave differently than what is described here.

First, I would look at the autostarting programs using Sysinternals Autoruns. Notice the presence of N2.exe and winbaseInst.exe in the image shown:



This confirms that the computer is infected. Next, I fire up pslist to view the list of running processes (alternatively, I could use Process Monitor (procmon) in lieu of pslist).



Here's a script I put together in a matter of minutes (scripting cosmetics will be applied later, time permitting). The main body of the script calls three procedures: StopProcess(), CleanRegistry(), and DeletePayload(). The malware processes have to be stopped before the payloads and malware executables can be deleted.



The StopProcess() procedure terminates the process passed as its parameter. An array (arrstrproc) holds the list of malware processes to be terminated.



The CleanRegistry() procedure, in turn, removes the autostart entries from the Run key in the registry. Note that the parameter is trimmed of its file extension (".exe") before it is checked; if the string is found in the Run key, the entry is deleted.


The DeletePayload() procedure then deletes all the malware payloads and executables: the malicious DLLs, executables and batch files stored in the arrpayload array are passed to the procedure one at a time and deleted.
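As an added illustration (not the script from the post, which is not reproduced here), the three procedures rendered in PowerShell. The process names come from the post; the payload paths under the Windows directory and the choice of both HKLM and HKCU Run keys are assumptions for the example.

```powershell
# Added example, not the author's script. Process names are from the post;
# payload paths are assumed for illustration.
$arrstrproc = @('N2.exe', 'winbaseInst.exe')
$arrpayload = @("$env:SystemRoot\System32\N2.exe",
                "$env:SystemRoot\System32\winbaseInst.exe")
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')

function StopProcess([string]$ProcName) {
    # Get-Process matches on the base name, so drop the ".exe" first.
    $base = [System.IO.Path]::GetFileNameWithoutExtension($ProcName)
    Get-Process -Name $base -ErrorAction SilentlyContinue | ForEach-Object {
        Write-Host "Stopping $($_.ProcessName) (PID $($_.Id))"
        Stop-Process -Id $_.Id -Force
    }
}

function CleanRegistry([string]$ProcName) {
    # As in the post: compare on the name with ".exe" trimmed off, against
    # both the value name and the command line the value launches.
    $needle = [System.IO.Path]::GetFileNameWithoutExtension($ProcName)
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($valueName in $item.GetValueNames()) {
            if ($valueName -eq '') { continue }   # skip the (default) value
            $data = [string]$item.GetValue($valueName)
            if ($valueName -like "*$needle*" -or $data -like "*$needle*") {
                Write-Host "Removing Run entry '$valueName' = '$data' from $key"
                Remove-ItemProperty -Path $key -Name $valueName
            }
        }
    }
}

function DeletePayload([string]$Path) {
    # -Force is needed so hidden/system files are found at all.
    $file = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if ($null -eq $file) { return }
    $file.Attributes = 'Normal'      # clear hidden/read-only/system bits
    Remove-Item -LiteralPath $Path -Force
    Write-Host "Deleted $Path"
}

# Main body: stop the processes first, then unhook autostart, then delete.
foreach ($p in $arrstrproc) { StopProcess $p; CleanRegistry $p }
foreach ($f in $arrpayload) { DeletePayload $f }
Write-Host 'Done. A reboot is still required.'
```

Run it from an elevated prompt, since the HKLM Run key and files under System32 are not writable otherwise.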


A reboot is required; the script doesn't take care of this part. Leave something for the support guys like me to do.
