Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Periodic reminder of best practices for cleaning up after infection. - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Periodic reminder of best practices for cleaning up after infection.
Well, it was a rather quiet day at the ol' Storm Center today.  We did, however, get an e-mail similar to ones we get rather frequently, that is probably worth talking about again.  This e-mail was from an admin who had 50 machines infected with a particularly nasty worm and they were told by their A/V vendor that they didn't have a way to clean out the infection.  We've written on the subject on multiple occasions in the past, so I won't go over all of the rationale again (see the links below).  The short answer, though, is that once you've been infected by malware that installs a backdoor or connects to a botnet, simply cleaning up the initial infection (and the hole through which the infection occured) isn't sufficient because you can't be sure what secondary infections you may also have.  Although most people don't want to hear it, at this point your best bet is to nuke the machine and reinstall (and patch) from scratch.

Here are some of the stories we did on the subject in the past.

http://isc.sans.org/diary.php?date=2004-05-16 by Pat Nolan and
http://isc.sans.org/diary.php?date=2004-05-03 by yours truly.

------------------------
Jim Clausing, jclausing ++at++ isc.sans.org
I will be teaching next: Malware Reverse-Engineering Challenge - SANS New York City 2019

Jim

405 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!