Kurt Dillard: First, it's a good idea to take the affected systems off the network. Next, you need to decide how much time you are willing to invest. Do you want to collect evidence for possible criminal charges? That will be very time-consuming and you'll have to carefully follow proper evidence collection procedures. Do you want to determine the root causes of the incident so you can take specific steps to close whatever vulnerabilities were exploited? This also takes a significant amount of time. Or, like most of us, are you painfully short on time and simply want to recover from the problems as quickly as possible? Whichever path you choose, I hope you have a solid incident response plan established before the problems arise. If you don't, make sure you get one down on paper that fits your organization's business requirements.
Collecting information systems evidence that can be used in a court of law requires strict procedures for documenting everything done and protecting the original data. I suggest you work with your organization's legal representatives and some industry experts to establish a plan before an incident occurs. You'd want to do things such as using a byte-for-byte copy tool (i.e., Guidance Software Inc.'s EnCase, AccessData Corp.'s FTK Imager, or X-Ways Software Technology AG's WinHex); storing the affected systems in a safe location; and doing all forensic work on the copies created with these tools.
Figuring out the details of what happened might take a lot of time, but it can be fascinating and educational. These are some rootkit detection tools:
- RootkitRevealer (from Mark Russinovich and Bryce Cogswell, established and respected security experts)
- Blacklight (from F-Secure Corp., a well-known security software vendor)
- Klister (from the author of FU, a nasty kernel-mode rootkit -- you decide whether you want to trust your network to this programmer)
Each of these tools has unique capabilities and drawbacks. I prefer RootkitRevealer, but malware authors are constantly updating their tools in order to evade the latest detection applications, so even my favorite may not be able to identify all of the malware. You may need to manually undertake the procedures described in the Strider GhostBuster white paper, published in 2004 by Microsoft Research. In a nutshell, you take a snapshot of the system while booted up, collecting information such as the directory listing for each storage volume. Then you boot from an alternate OS and compare what you see on the clean OS to what you see on the compromised OS.
If you're out of time, move directly to the recovery stage after removing the affected machines from your network.
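The snapshot comparison described in the answer above, as an added example that is not part of the panel's answers or of the GhostBuster paper: it diffs a directory listing captured on the running system against one captured after booting a clean OS. The one-path-per-line listing format, the `EXPECTED_CHURN` list, and all sample paths are assumptions constructed for illustration.

```python
import ntpath

# Assumption: files that legitimately differ between the two snapshots.
EXPECTED_CHURN = ("pagefile.sys", "hiberfil.sys")

def normalize(line):
    """Reduce one listing line to a comparable key ('' means skip)."""
    path = line.strip().replace("/", "\\")
    # The clean OS may mount the volume under another drive letter: drop it.
    _drive, rest = ntpath.splitdrive(path)
    # NTFS names compare case-insensitively, so fold case before diffing.
    return rest.rstrip("\\").lower()

def load(listing):
    """Parse a one-path-per-line listing into a set of normalized keys."""
    return {key for key in map(normalize, listing.splitlines()) if key}

def cross_view_diff(live_listing, clean_listing):
    """Return (hidden, live_only) as sorted lists.

    hidden    : on disk per the clean OS, absent from the live view;
                these are the candidates for rootkit-hidden files.
    live_only : seen live but gone by the clean boot (usually temp files).
    """
    live, clean = load(live_listing), load(clean_listing)
    hidden = sorted(p for p in clean - live
                    if ntpath.basename(p) not in EXPECTED_CHURN)
    return hidden, sorted(live - clean)

# Constructed sample listings of the same volume (not real captures).
LIVE = r"""
C:\Windows\System32\drivers\disk.sys
C:\Windows\System32\notepad.exe
C:\Windows\Temp\~session.tmp
"""
CLEAN = r"""
D:\WINDOWS\system32\drivers\disk.sys
D:\WINDOWS\system32\drivers\examplehide.sys
D:\WINDOWS\system32\notepad.exe
D:\hiberfil.sys
"""

if __name__ == "__main__":
    hidden, live_only = cross_view_diff(LIVE, CLEAN)
    print("hidden from live view:", hidden)
    print("live view only (review as noise):", live_only)
```

An empty `hidden` list only covers files; the same two-view comparison has to be repeated for any other data collected in the snapshot.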
Lawrence Abrams: If the rootkit that you find looks to be a generic one that is bundled with a variety of malware, then disconnecting the computer should be sufficient as your first measure. This will stop its spreading and the possibility of downloading and installing more malware.
On the other hand, if you determine that it is a targeted rootkit, one that a person specifically hacked the machine to install, then you should follow your organization's intrusion policy. Unfortunately, the majority of companies do not have a policy for these types of incidents. At a minimum, if you may possibly pursue legal action, then you should immediately make a forensically sound image of your hard drive and store the original computer away so that it can be used as evidence in a court. If you do not plan on pursuing legal action, then you can move forward to the recovery stage.
Kevin Beaver: My initial recommendation would be to disconnect the computer from the network -- but only if you can afford to do so (i.e., if it won't affect major business operations). This can help prevent any malware from spreading or otherwise affecting other network computers. Secondly, install/run the applications I mentioned in the diagnosis stage. You may have to let them run to monitor system activity. Once a system is infected, however, it can be difficult, if not impossible, for detection programs to get a good baseline of what's normal or good behavior. It depends on how the specific tool works.
This was first published in August 2005