Cert-Eu-Swp 11 003 v2

The document outlines a methodology for identifying and responding to malware infections on Windows-based systems, detailing steps for preparation, identification, containment, eradication, recovery, and aftermath. It emphasizes the importance of isolating infected systems, monitoring unusual activities, and conducting thorough forensic investigations while maintaining a record of actions taken. Additionally, it provides guidelines for reporting incidents and improving malware detection processes within organizations.

Security White Paper 2011-003
Incident Response Methodology #7
Guidelines for handling common malware infections on Windows based workstations
___________________________________________________
Authorised User: CERT-EU
E-Mail: cert-eu@ec.europa.eu
Web: http://cert.europa.eu/
Last updated: 15 May 2012

Original author of this incident response methodology: CERT-SG / Cédric Pernet
IRM version: 1.2
E-Mail: cert.sg@socgen.com
Web: http://cert.societegenerale.com
Twitter: @CertSG

Abstract
This Incident Response Methodology is a cheat sheet dedicated to handlers investigating IT security incidents.

Who should use these sheets?
These guidelines may be used by IT professionals in coordination with the security team/officer or the internal incident response capability of your organisation/institution.
In specific cases, in particular if the malware is advanced, performing such activities may prejudice the analysis of the incident. Therefore, no investigation shall be performed prior to approval from the team in charge of responding to incidents within the organisation.

WARNING
This White Paper is being issued by CERT-EU without prejudice to any policies, procedures or standards which the affected organisation may already have in place. It is intended as an aid to IT specialists working in coordination with the security team/officer or the internal incident response capability of the institution, for cases where the persons responsible must act immediately and/or do not have other superseding policies, procedures and standards to address the problem. Persons responsible for dealing with information security matters should primarily abide by the policies, procedures and standards of their respective organisations.

Incident handling steps
Six steps are defined to handle security incidents:
■ Preparation: get ready to handle the incident
■ Identification: detect the incident
■ Containment: limit the impact of the incident
■ Eradication: remove the threat
■ Recovery: recover to a normal stage
■ Aftermath: draw up and improve the process
IRM provides detailed information for each step.

1 Preparation
If a system is suspected of being "infected" or of performing maliciously, isolate it and contact your security team/officer or the internal incident response capability who is authorised to perform forensics activities for support.

Maintenance and availability of the following:
■ Keep an updated list of persons who need to be contacted in case of such an incident.
■ Take regular snapshots of usual network performance and local activities of the system, including a description of usual port activity, to have a comparison baseline with the current state.
■ Ensure there is a good knowledge of the impacted infrastructure, including services and installed applications. Do not hesitate to ask a Windows expert for assistance.
■ Activate system logs and monitoring tools, and analyse the logs regularly.
■ Take notes of important details, including dates and times, which may later help the investigator.
■ Prepare a read-only media like a CD with a trusted version of all executables that you will run during the identification phase. This includes all executables listed in this paper and the command line (cmd.exe). Before starting the identification phase:
1) start the trusted cmd.exe
2) set your path to first point to the folder hosting all trusted executables.
■ Facilitate physical access to the suspicious system for the forensic investigator to safeguard a forensic copy of the evidence right from the start.
■ It is recommended to do the copy as soon as possible, with a minimal number of commands run on the suspicious system, to limit the loss of evidence.
1) Win32dd or win64dd can be used to acquire the memory.
2) dd, dc3dd or an imager tool can be used to acquire the disk.
Note that this procedure may require powering off the machine, which may erase evidence of infection. Obtain approval before proceeding, in line with your local policy.

2 Identification
General signs of malware presence on the desktop
Several leads might hint that the system could be compromised by malware:
■ Antivirus or other security system raising an alert, or unable to update its signatures, or stopping running, or unable to run even manually.
■ Unusual hard-disk activity: the hard drive performs huge operations at unexpected times.
■ Unusually slow computer: while it usually delivered good speed, it got slower recently.
■ Unusual network activity: the Internet connection is very slow or not available at all.
■ The computer reboots without reason.
■ Some applications are crashing unexpectedly.
■ Error messages and pop-up windows are appearing while browsing on the web (sometimes even without browsing).
■ Your IP address (if static) is blacklisted on one or more Internet black lists.
■ People are complaining about you e-mailing them/reaching them by IM etc. while you did not.

Actions below use default Windows tools. Authorised users can use the Sysinternals Troubleshooting Utilities to perform these tasks.

Unusual Accounts
Look for unusual and unknown accounts created, especially in the Administrators group:
o C:\> lusrmgr.msc

Unusual Files
■ Look for unusually big files on the storage support; bigger than 10 MB seems to be a reasonable threshold.
■ Look for unusual files added recently in system folders, especially C:\WINDOWS\system32.
■ Look for files using the "hidden" attribute:
o C:\> dir /S /A:H

Unusual Registry Entries
Look for unusual programs launched at boot time in the Windows registry, especially:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunonceEx
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKLM\System\CurrentControlSet\Services
Check for the same entries in HKCU.

Unusual Processes and Services
■ Check all running processes for unusual/unknown entries, especially processes with username "SYSTEM" and "ADMINISTRATOR":
o C:\> taskmgr.exe
(or tlist, tasklist depending on the Windows release)
■ Look for unusual/unexpected network services installed and started:
o C:\> services.msc
o C:\> net start
■ Note: a good knowledge of the usual services is needed.

Unusual Network Activity
■ Check for file shares and verify each one is linked to a normal activity:
o C:\> net view \\127.0.0.1
■ Look at the opened sessions on the machine:
o C:\> net session
■ Have a look at the shares the machine has opened with other systems:
o C:\> net use
■ Check for any suspicious NetBIOS connection:
o C:\> nbtstat -S
■ Look for any suspicious activity on the system's TCP/IP ports:
o C:\> netstat -na 5
(in "-na 5", the trailing 5 sets the refresh interval to 5 seconds)
■ Use the -o flag on Windows XP/2003 to see the owning process:
o C:\> netstat -nao 5
■ Note: a good knowledge of the legitimate network activity is needed.

Unusual Automated Tasks
■ Look at the list of scheduled tasks for any unusual entry:
o C:\> at
o On Windows 2003/XP: C:\> schtasks
■ Also check the users' autostart directories:
o C:\Documents and Settings\user\Start Menu\Programs\Startup
o C:\WinNT\Profiles\user\Start Menu\Programs\Startup

Unusual Log Entries
■ Watch your log files for unusual entries:
o C:\> eventvwr.msc
o C:\systemroot\Winnt32.log
Search for events like the following:
o "Event log service was stopped"
o "Windows File Protection is not active"
o "The protected System file <name> was not restored to its original"
o "Telnet Service has started successfully"
■ Watch your firewall (if any) log files for suspect activity.

You can also use an up-to-date antivirus to identify malware on the system, but be aware that it could destroy evidence.
■ In case nothing suspicious has been found, it doesn't mean that the system is not infected. A rootkit could be active, for example, preventing all your tools from giving good results.
■ Further forensic investigation can be done on the system while it is off, if the system is still suspicious. The ideal case is to make a bit-by-bit copy of the hard disk containing the system, and to analyse the copy using forensic tools like EnCase or X-Ways.

3 Containment
After having analysed the impact on the service, and after having received the approval of the incident response handler, physically disconnect the infected machine from the network by unplugging the network cable.

4 Eradication
Remove the hard disk and deliver it to the internal incident response capability, who will take a forensic copy and recover important data on the user's request.
Remove the binaries and the related registry entries.
It is usually sufficient to run a full antivirus scan using known good sources for the antivirus software and signatures.
■ Find the best practices to remove the malware. They can usually be found on antivirus companies' websites.
■ Run an online antivirus scan.
■ Launch a Bart PE-based live CD containing disinfection tools (can be downloaded from AV websites), or a dedicated anti-virus live CD.
For more sophisticated types of malware, this method may not be sufficient. In such cases the safest approach is to rebuild the system from scratch.

5 Recovery
Rebuilding the workstation from a standard known good configuration (reference configuration/gold build) is the safest method.
This method may however inconvenience the user considerably, as usually the user-specific customisations are lost, causing considerable effort on the user's part to return to a working system.
Recover the users' data.

6 Aftermath
Report
An incident report should be written and relevant information distributed on the basis of the need-to-know principle. Sensitive information should be sanitised.
The following themes should be described:
■ Initial detection.
■ Actions and timelines.
■ What went right.
■ What went wrong.
■ Incident cost.
■ Whether the incident led to disciplinary action or prosecution.

Capitalize
Actions to improve the Windows malware detection processes should be identified to learn from this experience.
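The Preparation step asks for baseline snapshots of port and local activity, and the Identification step lists the places to compare against that baseline (running services, listening ports, Run keys, Startup folders, scheduled tasks, the Administrators group). The PowerShell script below is an added example, not code from the CERT-EU paper or from the IRM: it records those artefacts to a JSON baseline once and later reports what appeared or disappeared. It assumes Windows 8/2012 or later with PowerShell 5.1, and the default baseline path is an illustrative placeholder.

```powershell
# Added example (not the CERT-EU paper's own code): snapshot what the Identification
# checks inspect, store it as the Preparation baseline, diff a later snapshot against it.
# Assumes Windows 8/2012+ with PowerShell 5.1; the default baseline path is an assumption.
param([string]$BaselinePath = 'E:\baseline\host.json', [switch]$Compare)
function Get-HostSnapshot {
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
               'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    # one "key!name=value" string per registry value; PS* properties are provider metadata
    $autoruns = foreach ($k in $runKeys) {
        if (Test-Path $k) {
            (Get-ItemProperty -Path $k).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { "$k!$($_.Name)=$($_.Value)" }
        }
    }
    # per-user and all-users Startup folders (modern locations of the paths in the paper)
    $startup = foreach ($f in 'Startup', 'CommonStartup') {
        Get-ChildItem -Path ([Environment]::GetFolderPath($f)) -Force -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty FullName
    }
    [pscustomobject]@{
        Services  = @(Get-Service | Where-Object Status -eq 'Running' | Select-Object -ExpandProperty Name)
        Listeners = @(Get-NetTCPConnection -State Listen | ForEach-Object {   # as "netstat -nao",
                        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue  # by name
                        "$($_.LocalAddress):$($_.LocalPort) $($p.ProcessName)" })   # so PID churn is quiet
        Autoruns  = @($autoruns) + @($startup)
        Tasks     = @(Get-ScheduledTask | Where-Object State -ne 'Disabled' |
                        ForEach-Object { "$($_.TaskPath)$($_.TaskName) -> $($_.Actions.Execute)" })
        Admins    = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object Name)
    }
}
# Report, per area, what appeared (NEW) or disappeared (GONE) since the baseline.
function Compare-HostSnapshot ($Baseline, $Current) {
    foreach ($area in 'Services', 'Listeners', 'Autoruns', 'Tasks', 'Admins') {
        $b = @($Baseline.$area | Where-Object { $_ })
        $c = @($Current.$area  | Where-Object { $_ })
        foreach ($i in $c) { if ($b -notcontains $i) { "[$area] NEW  $i" } }
        foreach ($i in $b) { if ($c -notcontains $i) { "[$area] GONE $i" } }
    }
}
if ($Compare) {   # Identification: compare the suspicious system with the stored baseline
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    Compare-HostSnapshot -Baseline $baseline -Current (Get-HostSnapshot)
} else {          # Preparation: record the known-good state and keep the file off the host
    Get-HostSnapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
}
```

Run the script once from a trusted shell during Preparation, then with -Compare during Identification; a rootkit hiding processes or services from the Windows APIs will defeat this comparison just as it defeats the built-in tools the paper lists, so an empty diff is not proof of a clean system.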
