Tuesday, June 27, 2006

Incident Response: I Got a Virus

Sometimes I deserve a big kick in the arse. Last night while browsing, I zigged when I should have zagged and caught a nasty little virus. I wasn’t browsing porn sites, if that’s what you’re thinking, which is too bad; at least I would have gotten some eye candy for my trouble. But I am not too upset, as I have been looking for a good excuse to re-format this machine. The virus/virii have all the same staples of recent malware, such as annoying pop-ups, lame attempts to put things into the Windows startup, and really lame attempts to convince me that they are, in fact, virus scanners warning me of an infection. I didn’t check outbound traffic, but I’m sure there are some attempts to spam. The virus scanner failed to pick it up, AdAware is not finding it in scans, and removing the startup items didn’t stop them from reappearing. Plus, really strange DLL files appeared and are loaded from startup. Attempts to delete the DLLs failed, even from safe mode, or they too re-appeared.

Oh well, it happens. I could probably remove it with some persistence; however, I am chalking it up as a compromise. With no faith in the system, it is time to implement the Incident Response plan. Fortunately this is a non-critical system, so I’ve isolated it from phoning home, from infecting any further systems, and from being a pain and spamming. Reformatting and re-installing is the only viable option at this point. The plan is as follows:

-Boot from trusted media to back up a few key files that are not already backed up, such as a VMware DOS virtual, photos of my trip to Vegas and some COBOL source code
-Wipe the drive
-Reinstall an OS (either Windows or Ubuntu, haven’t decided). Fortunately I do have a trusted disk image, so it will only require a good ol’ DD of the disk from that image.
-Restore backups except for the photos. Those will need to be verified individually to ensure they have not been tampered with by the infection.
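One way to do the per-photo verification in the last step, as an added example that is not part of the original post: a structural check that walks each JPEG's segments and flags files that are not really images, are truncated, or carry data after the end-of-image marker. It assumes the photos are JPEGs, and it cannot show that pixel data is unchanged; comparing against hashes from an older, pre-infection backup is stronger where one exists. The function name and sample bytes are constructed for illustration.

```python
import sys
from pathlib import Path

STUFFED = {0x00, *range(0xD0, 0xD8)}  # FF00 escapes and RST0-7 occur inside scan data

def jpeg_findings(data: bytes) -> list:
    """Walk JPEG segments; return problems found (empty list = structure looks sound)."""
    if data[:2] != b"\xff\xd8":
        kind = "Windows executable (MZ header)" if data[:2] == b"MZ" else "unknown type"
        return [f"not a JPEG: {kind}"]
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return [f"corrupt marker at offset {pos}"]
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
        elif marker == 0xD9:                    # EOI: the image ends here
            trailing = data[pos + 2:]
            found = []
            if trailing.strip(b"\x00"):         # ignore pure zero padding
                found.append(f"{len(trailing)} bytes appended after end-of-image")
            if trailing.startswith(b"MZ"):
                found.append("appended data starts with an MZ executable header")
            return found
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:   # markers without a length
            pos += 2
        else:
            if pos + 4 > len(data):
                break
            seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
            if seg_len < 2:
                return [f"corrupt segment length at offset {pos}"]
            pos += 2 + seg_len
            if marker == 0xDA:                  # SOS: skip entropy-coded scan data
                while True:
                    pos = data.find(b"\xff", pos)
                    if pos < 0 or pos + 1 >= len(data):
                        return ["truncated: no end-of-image marker"]
                    if data[pos + 1] not in STUFFED:
                        break
                    pos += 2
    return ["truncated: no end-of-image marker"]

# Constructed sample: structurally valid, but not a decodable picture.
CLEAN = (b"\xff\xd8" b"\xff\xe0\x00\x04AB" b"\xff\xda\x00\x04CD"
         b"\x12\xff\x00\x34\xff\xd0\x56" b"\xff\xd9")

if __name__ == "__main__":
    root = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path in sorted(root.rglob("*.jp*g")):
        problems = jpeg_findings(path.read_bytes())
        print(f"{'REVIEW' if problems else 'ok':6} {path} {'; '.join(problems)}")
```

Run it from the trusted boot environment against the backup directory, and open only the files marked `ok`; some cameras legitimately append data after the image, so a `REVIEW` line means manual inspection, not proof of tampering.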

The lesson here, besides practicing safe browsing habits, is that in the event of a compromise, trust cannot be re-obtained, so be sure to have a good Incident Response Plan.
