Lawrence Abrams: Using patch management tools or manual intervention, make sure all computers have antivirus, spyware removal software and Windows updates installed. Each computer should be armed with not only AV software, but also at least two antispyware programs.
Kevin Beaver: If a formal investigation is not going to be pursued, the main concern here is making sure the system is clean before putting it back online. This may involve restoring it from a known good backup, or if that's not reasonable, booting it up (off the network) and running various utilities such as antispyware, antivirus, rootkit detection/removal, TCP/UDP port mappers, personal firewall with application protection, etc., to make sure it's clean.
Also, change any passwords that would've been stored on the local system (Windows, AIM, etc.). Once the system is clean, you can install a network analyzer on it (preferably a commercial program such as Sniffer or EtherPeek that's easy to use) before putting it back on the network.
The next step would be to start capturing packets or at least
Requires Free Membership to View
When you register, you’ll also receive targeted alerts from my team of editorial writers and independent industry experts with the latest news, tips, and advice to help you do your job more efficiently and effectively. Our goal is to keep you informed on the hottest topics and biggest challenges faced by IT professionals today working with desktop management and security technologies.
Margie Semilof, Editorial Director
monitoring protocols and connections to ensure nothing suspicious or malicious is going on.
Tony Bradley: Assuming that the pings to both addresses work, I would do a tracert to an external Web site to determine where communication is failing. Assuming that the system is a Windows operating system, I would check the event, system and security logs for any information or evidence of suspicious activity. Obviously, the ports discovered from the Netstat scan should be investigated. I would do a Google search for the suspicious port numbers to identify known Trojans, backdoors or other malware that utilize those specific ports.
Your response, both initial and long term, depends on your company policies and your own abilities. Many companies have a policy to simply reformat or re-image a machine that appears to be compromised, and doing so virtually guarantees the problem will be removed -- at least short term.
If deeper forensic investigation is warranted, the machine could be quarantined or an image of the drive created. However, doing so requires resources in terms of people, equipment and time, and the results may not be worth the time invested to find them.
Stage four: Preventative measures
About the experts: Expert bios are available on the scenario page.