How To: What To Do Before, During, And After A Malware Attack


By Ross M. Greenberg, TechWeb

3:15 PM EDT Wed. Jul. 05, 2006
Page 2 of 2
Responding To An Attack

• Disconnect infected/compromised systems from networks. However, do so carefully: Some malware programs do regular checks to determine that "member systems" -- infected systems on a network -- are still connected. If the malware finds that any of the previously infected systems are not on the network, the payload may activate.

• Clean the infected systems using the anti-malware software you already have in place. Make certain that the signature definition files are up to date -- assume that the signature for the really dangerous malware executable only arrived in last night's signature file.

• Determine what the actual target of the attack was and check its integrity. If it's clean, make a backup. The malware's malicious payload may not have been activated yet. Clean up your systems before it does.

• Assume that the malware did more than attack a few copies of Solitaire and that your business systems have been compromised. Further, assume that you may well have missed an infected system in the cleanup effort -- think about the possibility of stealth infections. Run scans on systems booted clean from write-protected floppies, from CDs, or from safe partitions to be sure the system being scanned is infection-free.

• Determine the entry point of the malware. This will help you find out what went wrong and secure the network, servers, and systems so they are not the entry point next time.

• Systems get infected with malware all the time. It happens. Don't be ashamed and try to handle the problem by yourself. Your response team should include some real experts; use them. It's what they get paid for.

• For experts only: If you know what you're doing, allowing a virus, worm, or other malware to spread on your system and watching it as it does so can be quite enlightening. If you're not sure you can contain it, though, don't risk it!

Restoring Services And Systems

• Change all passwords on all systems and servers.

• Make sure to restore only from clean backups, made from systems that have been checked for malware.

• If your systems came under active attack, they may again. Examine all firewall logs to try to determine the source IP of the attack.

• Scrupulously monitor all network activity to be sure the malware isn't still lurking around and new back doors haven't been created.
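As an added example that is not part of the article: a small Python script that performs the firewall-log pass described above, ranking the source addresses that connected to the attacked host. It assumes a constructed iptables-style line format (`SRC=... DST=... DPT=...`); the sample log lines and addresses are made up for illustration.

```python
"""Rank the source IPs seen hitting an internal target in firewall logs.

Added example; assumes an iptables-style line format, which is a constructed
approximation rather than any specific firewall's real output.
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?DPT=(?P<dpt>\d+)")

# Constructed sample log lines, not from any real incident.
SAMPLE_LOG = """\
Jul  5 03:01:12 fw kernel: [FW] SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=445
Jul  5 03:01:13 fw kernel: [FW] SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=139
Jul  5 03:01:15 fw kernel: [FW] SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=445
Jul  5 03:02:40 fw kernel: [FW] SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP DPT=80
Jul  5 03:05:01 fw kernel: [FW] SRC=192.0.2.33 DST=10.0.0.8 PROTO=TCP DPT=22
Jul  5 03:05:03 fw kernel: [FW] SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=135
Jul  5 03:06:00 fw kernel: [FW] SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP DPT=443
"""


def parse(lines):
    """Yield (src, dst, dst_port) for every line that matches the format."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dpt"])


def rank_sources(log_text, target):
    """Return [(src, hit_count, sorted_ports)] for connections to `target`,
    most active source first, so the likely attack origin is at the top."""
    hits = Counter()
    ports = defaultdict(set)
    for src, dst, dpt in parse(log_text.splitlines()):
        if dst == target:
            hits[src] += 1
            ports[src].add(dpt)
    return [(src, n, sorted(ports[src])) for src, n in hits.most_common()]


if __name__ == "__main__":
    for src, n, p in rank_sources(SAMPLE_LOG, "10.0.0.5"):
        print(f"{src:16} {n:3} hits  ports={p}")
```

A high hit count against many ports from one source is a lead, not proof: the source address may itself be a compromised or spoofed host, so corroborate it with the entry-point analysis above before blocking or reporting it.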

Replaying The Response

• Get the malware team together to discover what can be learned from the incident.

• Determine how effective the team's actions were and whether these actions can be made more effective. The team's management representative should be able to implement suggested changes as required.

• Tell the story of what happened to upper management to prepare them for the next time. If nothing happened aside from the attack itself, great! Your planning worked perfectly.

Ross M. Greenberg is the author of the early antivirus programs Flu_Shot and VirexPC. He now consults and writes mainly on security-related matters.

Back to main story: "20 Years Of PC Viruses"
