Re: LAN Virus outbreak Procedures

[Chris Keladis <ckeladis () gmail com>]

No worries.

I nearly forgot, you dont even need to install SysInternals "pslist"
to copy a process-list to a share. Windows (from XP on i think) gives
you the tool already (see "tasklist" command).

Something like "tasklist > X:\my\network\share\user1_machine10.txt"

Also do variations like "tasklist /svc" to see services and their dependencies.

You can use the "wmic" tool locally or even remotely to pull info out
of machines (assuming the malware hasn't impacted WMI operating or
subverted it's results).

Get a list of popular auto-run locations..

wmic startup list brief

Or a more detailed list..

wmic startup list full

Put it in a nice HTML on a share..

wmic /output:Z:\share\user1_machine10_autoruns.htm startup list full
/format:hform.xsl

Need the machines BIOS info? Easy..

wmic bios get /format:list

Drives inside the machine?

wmic diskdrive list brief /format:list

Need to find TMPFILE locations malware likes to hide in?

wmic diskdrive list brief /format:list

And so on.. "wmic" will auto-install (no CD or CABs required) if never
used before, and you can remotely query machines on your LAN to gather
info via WMI to perform triage, assuming their XP or newer.

WMI can be installed as an add-on for prior releases.

All with no additional software installed. In your case however, keep
in mind the malware may have broken WMI and will likely require manual
clean-up.


Cheers,

Chris.


On Fri, Sep 3, 2010 at 7:20 AM, Tyler Robinson <pcimpressions () gmail com> wrote:
> Thanks that is awesome advice I am starting thereand running ossim and
> trying to analyze ya I could use 2 more people for sure but thanks everyone
> again the advice given is invaluable keep any ideas coming I will be trying
> a lot of things and hopefully can post what works and my experience to help
> others .
> TR
>
> On Sep 2, 2010 3:08 PM, "Chris Keladis" <ckeladis () gmail com> wrote:
> > On Fri, Sep 3, 2010 at 5:24 AM, Tyler Robinson <pcimpressions () gmail com>
> > wrote:
> >
> > Hey Tyler,
> >
> > > Thanks everyone for all the ideas the enviroment has about 350 machines
> > > at
> > > least all on flat domain can't vlan due to stupid software
> > > configurations. I
> > > have several systems that have to be live all the time (911 systems) and
> > > vmware esx servers in cluster. Any other suggestions is again so much
> > > appreciated I am willing to try just about anything right now I have a
> > > lot
> > > of angry users right now due to network performace ( for there
> > > facebooking I
> > > am sure) wanting this fixed and the sheriffs department has its busiest
> > > week
> > > of the year starting sat so please no idea will not be tried.
> >
> > Ouch! Sounds like you need more hands and eyes on the problem :)
> >
> > The only thing i can think of, bar running around to 350 PCs is maybe
> > sample a few to understand what malware you've got going on.
> >
> > Make use of Microsoft's (ex-Sysinternals) tools to investigate.
> > AutoRuns, ProcExp, etc etc.
> >
> > One handy tip when using ProcExp, dont "kill" malicious processes,
> > rather, "pause" or "freeze" them. Most malware these days have SIGKILL
> > handlers to spawn their cousins when their killed and you end up with
> > more problems.
> >
> > Once you understand what you've got going on you can perhaps download
> > a removal tool and make everyone run it.
> >
> > Also keep in mind sensitive information may have been leaked by the
> > malware, so once you have a handle on the situation, change ALL
> > passwords, and follow up on anything important that might have leaked
> > out of the organization (this may have ramifications down the track).
> >
> > Most malware infections these days aren't one-off's (they use
> > droppers, stagers, load root-kits and other add-ons) so you can try to
> > control the primary infection on the LAN, but at some point manual
> > review will be needed as well, eg, booting off a USB key/CD and
> > checking for rootkits etc etc..
> >
> > Also tell people to stop using any form of removable media to avoid
> > the (re)spread in or out of the organization, until you get a handle
> > on the situation.
> >
> > Maybe you can script something and use Sysinternals tools like
> > "pslist" to copy a process list to a share you can then analyze
> > further? Maybe setup a job via the RunOnce reg-key or Scheduler and
> > ask everyone to reboot (RunOnce) or wait (Scheduler), so you at least
> > get a peak into the processes running and can make a plan of attack.
> >
> > Hope i've given you some practical advice, unfortunately since the
> > previous admin hadnt set up controls to mitigate you face a very
> > difficult task.
> >
> > But, this disaster may give you the ammunition you need to make
> > improvements! :)
> >
> >
> > Cheers,
> >
> > Chris.
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom () mail pauldotcom com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com