Handling Malware Outbreak

Given that attackers are now moving away from attacks that are merely a nuisance or destructive towards activity that is motivated by financial gain, malware attacks have become more sophisticated and a significant concern to organisations. A large-scale malware attack, often referred to as a malware outbreak, can cause widespread damage and disruption to an organisation, and necessitate extensive recovery time and effort. It is therefore crucial to implement adequate preventive measures, such as deploying protection and detection tools, to safeguard an organisation from malware attacks.

However, there is no such thing as bulletproof protection in the world of information security. It is also important that the organisation develop a robust information security incident procedure so that personnel are better prepared to handle malware outbreaks in a more organised, efficient and effective manner.

As defined in the Security Incident Handling for Company section, an incident response process should have three main stages: "Planning and Preparation", "Response" and "Aftermath". This section outlines the steps in the stages "Response" and "Aftermath" which are important to the complete handling of a malware outbreak. For more information about the "Planning and Preparation" stage, please refer to the section "Security Incident Handling for Company" mentioned above.

The "Response" Stage consists of the following five steps:

Detection and Identification

Determine fully if a malware outbreak has occurred.

The objective of this step is to determine whether a malware outbreak has occurred. Typical indications of a malware outbreak include any or all the following:

Users complain of slow access to the Internet, exhaustion of system resources, slow disk access, or slow system boots.

A number of alerts have been generated by a Host-based Intrusion Detection System (HIDS), or by anti-malware software.

There is significantly increased network usage.

A number of access violation entries have been noticed in perimeter router logs or logs.

A surge of out-bounced SMTP traffic originating from an internal IP addresses has been detected.

A large number of port scans and failed connection attempts have been detected.

The system administrator notices an unusual deviation from typical network traffic flows.

Security controls such as anti-malware software and personal firewalls have been disabled on many hosts.

General system instability and crashes.

Upon discovery of any of the above symptoms, IT staff should immediately check and validate all suspicious activity to determine if an outbreak has occurred. Once it is confirmed that this is a malware security breach, it is important to collect information about the malware, as this will be essential for the containment and eradication process.

Information about the malware can be obtained from anti-malware software vendors' websites if the malware has been around for some time, by reviewing alerts from anti-malware software, by examining firewall and router log files. The following questions can help identify the characteristics of the malware:

What kind of malware is it (Network , mass-mailing worm, , or etc.)?

How does the malware propagate (By attacking vulnerable network service? By mass mailing?)?

If the malware propagates by attacking vulnerable service, what is the vulnerability being exploited? Has a for addressing the vulnerability been released? What are the services or ports that are being attacked?

Does the malware plant on the infected system?

How can the malware be removed from the affected system? Are there any removal tools available?

Perform preliminary assessments

Once an outbreak is identified, IT staff should assess the scope, damage and impact of the outbreak in order to effectively deal with it.

Record all actions taken

IT staff should record all actions taken to deal with the outbreak and any corresponding results. This can facilitate incident identification and assessment, and provide evidence for prosecution or other useful information for subsequent incident handling stages. Logging should be carried out throughout the whole security incident response process.

Escalation

The second step in incident response is to notify all appropriate parties and escalate the incident to the appropriate level following a predefined escalation procedure. The information provided during the escalation process should be clear, concise, accurate and factual. Providing inaccurate, misleading or incomplete information may hinder the response process or may even worsen the situation. It is crucial to bear in mind that information about incident should be disclosed only on a need to know basis.

Containment

The third step of response to a malware incident is containment. The following are activities that should be carried out in the containment stage:

Identify infected systems
Clearly identifying the infected systems is always the first step in containment. Unfortunately it is also a very complicated process due to the dynamic nature of today's IT environment. The following are some suggestions that may help identify infected systems in a managed environment:

Perform thorough malware scanning on all the systems with the latest malware definitions as well as with updated anti-malware detection and repair engines. As no single anti-malware software can uncover all types of malware, it may be necessary to use more than one anti-malware scanning tool to ensure that all malwares are detected.

Review all log files of routers and firewalls.

Provide users with instructions on how to identify infections.

Configure IPS or IDS to identify activities associated with infections.

Perform packet sniffing routines to look for the network traffic matching the characteristics of the malware.

Contain the outbreak
Containing the outbreak can be done in various ways; the following are common tactics:

By using automated tools
Containing the spread of the malware can be done with automated tools, such as anti-malware software, IDS and IPS. If the malware is not detected by existing anti-malware protection systems, even with the latest definition applied, support from anti-malware software vendors should be sought to create a new definition which covers the malware.

By disabling connectivity
A malware outbreak can be effectively contained by quickly disconnecting infected systems from the overall network infrastructure, which can be accomplished by applying access controls on network devices or physically disconnecting network cables. In some cases, in order to contain the spread of malware to other sections of the organisation, it may be necessary to temporarily disconnect the network segments concerned from the network backbone. However, this containment strategy will certainly affect the operation of other non-infected systems in the segment.

By disabling services
Malware may propagate through network services, for example network shared drives. Temporarily blocking or even shutting down the network services used by malwares helps to contain incidents.

By eliminating vulnerability
Malware may spread by attacking vulnerable network services. By addressing the vulnerabilities that have been exploited by the malware, such as applying security patches on vulnerable systems, the propagation channels can be eliminated, hence containing the spread. In addition, some mis-configuration, such as loose access controls on network-shared drives, can also be leveraged by malware. By rectifying mis-configurations, the spread of a malware can be contained.

By user participation
User participation is significant to the containment process in an environment where only a limited number of technical support staff are available to handle an outbreak, for example in small remote branch offices or in a non-managed office environment. Users should be provided with clear instructions on how to identify infections and what measures should be taken if a system is confirmed infected, such as running the anti-malware removal tools on the infected system.

Keep records of all actions taken
It is important to keep a solid record of all actions taken at this stage, because some containment measures may require temporary modifications to the configuration or settings of network infrastructure and systems. These modifications will need to be removed after the incident.

It is important to understand that stopping further infection by the malware does not necessarily prevent the further damage to infected systems. For instance, the infection can be contained through disabling network connectivity. Yet, the malware may be still actively deleting files on the infected system. Therefore, a full eradication process should be carried out as soon as possible or in parallel with the containment process.

Eradication

Eradicating a malware outbreak should be designed to remove the malware from all infected systems and media, and rectify the cause of the infection. Prior to carrying out the eradication process, it is advisable to collect all necessary information, including all log files, which may have to be deleted or reset during the clean up process, which will be useful in subsequent investigations.

Anti-malware scanning software and removal tools are commonly used as the primary means of eradication. However, in some cases, it may be necessary to rebuild infected systems from scratch. For instance, if the malware has downloaded and planted a backdoor on infected systems, rebuilding all systems may be the most reliable action to be taken in order to restore the integrity of the systems. Rebuilding a system generally includes the following actions:

Reinstalling the system from a trusted source, such as system installation disk or trusted, clean system image.

Securing newly installed systems, such as checking and ensuring that the latest definitions as well as the updated anti-malware detection and repair engines, and necessary security patches have been applied on each machine.

Restoring data from known, clean backup media.

Recovery

Clearly, the main purpose of the recovery step is to restore all systems to normal operation. In a malware outbreak, recovering the functionality and data of infected systems may have already been carried as part of the eradication process. Apart from restoring the infected systems, removing any temporary containment measures, such suspended network connections, is another main aspect of the recovery process.

Prior to removal of the containment measures, one important step is a pre-production security risk assessment to ensure that no infection is detected, and that the cause of the original infection is rectified.

All related parties should be notified before the resumption of suspended services. IT personnel should restore specific functions and servers stage by stage, in a controlled manner, and in the order of demand, e.g. the most essential services or those serving the majority should resume first. After resuming the suspended services, it is important to verify that the restoration operation has been successful and that all services are back to normal operation. Additional monitoring measures may be implemented to watch for any suspicious activity in the network segments concerned.

Aftermath

Restoring infected systems to normal operation does not mark the end of a malware outbreak. It is also important to perform necessary follow up action. This may include full evaluation of the damage caused, system refinements to prevent recurrence of the incident, updates to security policies and procedures, and investigation of the case for subsequent prosecution. Activities in this stage can include the following:

Review the effectiveness of existing malware protection procedures and mechanisms, including central control and management on malware definitions distribution and detection and repair engine update, scheduled regular malware scanning, etc.

Update relevant policies, guidelines and procedures whenever necessary.

Enforce the new security measures introduced in the reviewed policy / guidelines / procedures to protect systems against future attacks.

Remind users to follow security best practices, such as not opening email from unknown/suspicious email sources, updating security patches and malware definitions on a regular basis and whenever necessary, etc.