PaulDotCom mailing list archives
Re: LAN Virus outbreak Procedures
From: Chris Keladis <ckeladis () gmail com>
Date: Fri, 3 Sep 2010 06:45:08 +1000
On Fri, Sep 3, 2010 at 5:24 AM, Tyler Robinson <pcimpressions () gmail com> wrote:

> Thanks everyone for all the ideas. The environment has about 350 machines at least, all on a flat domain; can't VLAN due to stupid software configurations. I have several systems that have to be live all the time (911 systems) and VMware ESX servers in a cluster. Any other suggestions are again so much appreciated. I am willing to try just about anything right now. I have a lot of angry users right now due to network performance (for their facebooking I am sure) wanting this fixed, and the sheriff's department has its busiest week of the year starting Sat, so please, no idea will not be tried.

Hey Tyler,

Ouch! Sounds like you need more hands and eyes on the problem :)

The only thing I can think of, bar running around to 350 PCs, is maybe sample a few to understand what malware you've got going on. Make use of Microsoft's (ex-Sysinternals) tools to investigate: AutoRuns, ProcExp, etc. One handy tip when using ProcExp: don't "kill" malicious processes; rather, "pause" or "freeze" them. Most malware these days have SIGKILL handlers to spawn their cousins when they're killed, and you end up with more problems.

Once you understand what you've got going on, you can perhaps download a removal tool and make everyone run it.

Also keep in mind sensitive information may have been leaked by the malware, so once you have a handle on the situation, change ALL passwords, and follow up on anything important that might have leaked out of the organization (this may have ramifications down the track).

Most malware infections these days aren't one-offs (they use droppers, stagers, load rootkits and other add-ons), so you can try to control the primary infection on the LAN, but at some point manual review will be needed as well, e.g. booting off a USB key/CD and checking for rootkits etc.

Also tell people to stop using any form of removable media, to avoid the (re)spread in or out of the organization, until you get a handle on the situation.

Maybe you can script something and use Sysinternals tools like "pslist" to copy a process list to a share you can then analyze further? Maybe set up a job via the RunOnce reg-key or Scheduler and ask everyone to reboot (RunOnce) or wait (Scheduler), so you at least get a peek into the processes running and can make a plan of attack.

Hope I've given you some practical advice. Unfortunately, since the previous admin hadn't set up controls to mitigate, you face a very difficult task. But this disaster may give you the ammunition you need to make improvements! :)

Cheers,
Chris.
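An added example, not part of Chris's or Tyler's messages, of the "analyze further" step once each machine has dropped its pslist output on a share (e.g. via a RunOnce or Scheduler job running pslist and redirecting output to a per-hostname file). It parses pslist-style captures from several hosts and reports process names that appear on only a handful of machines, which is where a first manual look is usually worth the effort. The three captures, the host names and the odd process name "unknown_tool" are constructed for the example; the column layout approximates pslist's default table but the values are made up.

```python
"""Aggregate Sysinternals pslist captures from many hosts and flag process
names that are rare across the fleet (candidates for manual review)."""
import re
from collections import defaultdict

# Constructed sample captures (not real pslist output from any machine).
# Layout mimics pslist's default columns: Name Pid Pri Thd Hnd Priv CPU Time Elapsed Time
SAMPLE_OUTPUTS = {
    "WS-001": """PsList - Sysinternals PsList

Process information for WS-001:

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
Idle                  0   0   1    0      0     1:02:11.000     1:05:00.000
System                4   8  60  400    100     0:00:10.000     1:05:00.000
smss                328  11   2   29    168     0:00:00.015     1:05:00.000
csrss               400  13  10  500   1200     0:00:01.000     1:05:00.000
svchost             812   8  15  300   3000     0:00:02.000     1:05:00.000
explorer           1204   8  20  900  15000     0:00:05.000     1:04:00.000
""",
    "WS-002": """PsList - Sysinternals PsList

Process information for WS-002:

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
Idle                  0   0   1    0      0     0:40:00.000     0:45:00.000
System                4   8  55  380     90     0:00:08.000     0:45:00.000
smss                316  11   2   28    160     0:00:00.010     0:45:00.000
csrss               392  13   9  480   1100     0:00:01.000     0:45:00.000
svchost             804   8  14  290   2900     0:00:02.000     0:45:00.000
explorer           1188   8  18  850  14000     0:00:04.000     0:44:00.000
unknown_tool       2376   8   3   60    900     0:00:00.500     0:10:00.000
""",
    "WS-003": """PsList - Sysinternals PsList

Process information for WS-003:

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
Idle                  0   0   1    0      0     2:10:00.000     2:15:00.000
System                4   8  62  410    110     0:00:12.000     2:15:00.000
smss                332  11   2   29    168     0:00:00.015     2:15:00.000
csrss               404  13  10  510   1250     0:00:01.000     2:15:00.000
svchost             820   8  16  310   3100     0:00:03.000     2:15:00.000
explorer           1210   8  21  920  15500     0:00:06.000     2:14:00.000
notepad            3012   8   1   40    600     0:00:00.100     0:02:00.000
""",
}

HOST_RE = re.compile(r"^Process information for (\S+):")
HEADER_RE = re.compile(r"^Name\s+Pid\s+Pri")


def parse_pslist(text, fallback_host=None):
    """Return (hostname, [(name, pid), ...]) from one pslist capture.

    The process name is everything before the first all-digit token (the
    PID), so image names containing spaces are handled; names are lowercased
    so that case differences across hosts do not split the counts."""
    host = fallback_host
    procs = []
    in_table = False
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        if HEADER_RE.match(line):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split()
        pid_idx = next((i for i in range(1, len(parts)) if parts[i].isdigit()), None)
        if pid_idx is None:
            continue
        procs.append((" ".join(parts[:pid_idx]).lower(), int(parts[pid_idx])))
    return host, procs


def process_prevalence(captures):
    """Map each process name to the set of hosts on which it was seen."""
    seen = defaultdict(set)
    for key, text in captures.items():
        host, procs = parse_pslist(text, fallback_host=key)
        for name, _pid in procs:
            seen[name].add(host)
    return seen


def rare_processes(captures, max_hosts=1):
    """Process names running on at most max_hosts hosts: {name: sorted hosts}."""
    seen = process_prevalence(captures)
    return {name: sorted(hosts) for name, hosts in seen.items() if len(hosts) <= max_hosts}


if __name__ == "__main__":
    for name, hosts in sorted(rare_processes(SAMPLE_OUTPUTS).items()):
        print(f"{name:20s} only on: {', '.join(hosts)}")
```

With 350 captures on the share you would raise max_hosts to something like 5% of the fleet and read the captures of the flagged hosts first; a process name that is rare is not proof of anything, but it narrows the manual review Chris describes to a manageable set of machines.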