JULY 2014

Remove Malware For Good

Blocking it isn't enough; you must wipe out malware and prevent its recurrence. Here are five proven strategies.
By Ericka Chickowski

Remove Malware For Good

By Ericka Chickowski
@ErickaChick

In a perfect world, companies would detect and block all malware before it takes root. But in the real world, there is always some malware that evades all defenses and hits its mark. This is why we need malware remediation and removal.
As companies develop their malware response practices, they must consider not only how to fix and return endpoints to normal operations, but how to make sure the malware they've found on one machine hasn't spread. Understanding this requires looking more closely for related malware that may have wormed its way deeper into a network and instituting strategies to protect their systems from similar infections in the future. Here are five strategies for finding and removing malware and stopping its recurrence.

1. Remedy The Worst Infections Quickly


Most companies simply don't have enough boots on the ground to deal with all the infections a department faces. Brian Foster, CTO of advanced malware detection and response vendor Damballa, says that customers report they're juggling an average of 97 infections on a daily basis.
"If you've only got one infection, that's super-easy; that's the one you go deal with," Foster says. "If you have multiple infections, then you've got to figure out how to prioritize."
One of the first ways to start creating a priority list, says Foster, is to consider the asset that's infected, its value to the business, and the risk of the data it contains or connects to.
"If it's a receptionist's laptop, that could be a lower risk. If it's a [point of sale] machine, it's potentially a higher risk," he says.


Other key factors are the severity, type, and prevalence of the malware in question. A company with little e-commerce presence may consider a common, older piece of click-fraud malware less risky than a new password stealer. Companies should also take into account how many bytes are coming into an infected asset or leaving an asset through the malware's command and control channels.
These factors should determine not only in which order to respond, but how in-depth the response should be, Foster says. A low-risk device infected by a common piece of malware can be addressed in due time by an automated tool to remotely reimage the device. But if it's a more important device that's been infected by an information-stealing malware line, you're going to need forensics.


"You'll need to use forensics tools to capture the information on the device for forensics analysis and either replace it or reimage it after you've pulled the forensics information for continued uptime," Foster says.
The shortage of forensics and IT security staff is spurring the growth of new tools dubbed automated malware removal. Tools such as the Sophos Malware Remediation Toolkit from Sophos and HawkEye G from Hexis Cyber Solutions are designed to detect, investigate, and remove sophisticated malware before it can execute its purpose. By deploying more automated tools, enterprises can potentially save limited staff resources and remove malware more immediately.
2. Reimaging: IT's Blunt Instrument
Despite the vast research and development that's gone into security technology, the simplest and fastest way to fix an infected machine is still to simply reimage it. Reimaging is IT's blunt instrument for killing malware. Often, starting from a clean slate is the only way to ensure that nasty and pervasive strains of malware are completely nuked.
But if reimaging is the answer, then IT departments must remember that one of the most valuable tools in remediation is a solid backup and recovery system.

Security Breaches
Which types of security breaches or espionage have occurred in your organization in the past year?

                                                            2014   2013
Malware (e.g., viruses, worms, botnets)                      69%    76%
Phishing                                                     59%    53%
Web or software applications exploited                       35%    11%
Denial of service                                            26%    21%
Theft of computers or storage devices                        25%    23%
Operating system vulnerabilities attacked                    24%    22%
Database, content, or data management system compromise      22%    16%
Website vandalized or site content manipulated               10%    30%
Physical break-in                                             7%     7%
Mobile applications intrusion                                 6%     6%

Data: InformationWeek Strategic Security Survey of 123 business technology and security professionals at organizations with 100 or more employees that experienced a security breach within the last year, April 2014, and 217 in March 2013
"If you don't have good backups, and you get nailed, then you're in trouble because even garden-variety malware is difficult to remove," says Roger Thompson, chief emerging threats researcher for ICSA Labs, an independent division of Verizon that provides third-party testing of security products.
For example, take the recent rash of ransomware outbreaks by Cryptowall and similar copycats. These attacks let the bad guys hold corporate systems hostage by encrypting them and extorting companies for money in exchange for an encryption key.
"In some of these variants, the crypto elements are improperly coded and the antivirus guys can figure out how to unencrypt," Thompson says. "But if they're properly encrypted, you might have to pay your ransom or you're in trouble unless you've got a good backup to restore from."
3. Automation Plus Human Interaction
While standard protocol may be to reimage machines when malware hits, companies should strive for a more efficient approach, says Anup Ghosh, CEO of Invincea, an advanced malware detection and response vendor.

Formal Approach
Does your organization have a formal security operations center or team that actively manages security incidents and events as they are generated?
Responses charted: Yes; No; No, but we are building one within the next year. Figures shown on the chart: 58%, 28%, 14%.

Data: InformationWeek 2014 Strategic Security Survey of 536 business technology and security professionals at organizations with 100 or more employees, April 2014
"If I can isolate malicious processes and identify things like registry entries that they create, that could be far more efficient than taking someone offline for a period of time or potentially losing their data," Ghosh says.
This approach requires that IT teams identify deeper symptoms of infections or indicators of compromise and provide more targeted remediation systems.
This has prompted the rise of new advanced persistent threat detection and remediation technologies, including not only vendors such as Invincea and Damballa, but also companies and products that detect and repair targeted threats in various ways, including FireEye, CrowdStrike, CounterTack, and Fidelis Cybersecurity Solutions.
Companies need more automation to deal with the scale of frequent attacks, but Foster says IT teams should balance automation with human interaction. "IT doesn't want round-trip automation; they want to have a human there for one last sanity check," he says.
There are cases where automatic reimaging might be a mistake, and a human decision may be required. For example, a malware case that initially looks like a case for automatic remediation to the system may contain clues that show it's part of a larger infection that requires forensic investigation by a person. This stopgap measure allows an expert to look into those clues before they're erased by an automated tool.
Automation, together with better integration with the entire IT security tool stack, can also be used to help mitigate the risks of active infections while staff concentrate on malware elsewhere in the infrastructure or while incident responders dig for more information.
"You're also starting to see tools that integrate with products like ours," says Foster, "where we see an infected asset that came in through the firewall or IPS, and we can tell that tool to start blocking that particular device until it gets remediated."
This level of required teamwork between remediation tools and network security tools to shut down malware has been a big driver for partnership programs of late between next-generation firewall and IPS vendors like Palo Alto Networks, Check Point, and Cisco's Sourcefire and advanced threat detection and response systems.
"If you can integrate with your prevention tool, you can do things to mitigate damage until you can get a human to investigate," Foster says.
4. Malware Analysis
While for most companies the No. 1 concern is getting users or systems back up and running, that shouldn't be the only focus of a malware response. What then are the questions responders should ask after systems are back up?
"IT teams need to understand what data was potentially breached, how widespread an incident is, and what type of adversary is behind it," Ghosh explains.
Of course, digging into malware indicators on a machine isn't just about finding information that will help discover propagation elsewhere. Enterprises must also dig deep enough into the device to ensure that the malware doesn't leave behind mechanisms for reinfection or for downloading other forms of malware.
Again, automated tools can help with an avalanche of infections, but truly effective malware analysis takes human intervention to dig up all the hidden hooks that malware may have on a machine, says Lucas Zaichkowsky, enterprise defense architect for forensics and security firm AccessData.
Most attackers these days, Zaichkowsky says, spread malware through dropper technology that plants multiple types of malware at different points in the system to help mask intentions and slip hidden variants in unknown places on the system. Frequently, the first-stage malware dropper is programmed to install second-stage droppers that plant even more sophisticated malware. And all too frequently, automated analysis engines miss these second-stage droppers.
Zaichkowsky recommends incident responders take advantage of free Windows Sysinternals tools like Process Explorer, Process Monitor, and Network Monitor, along with another free tool called ApateDNS, to dig in and gain a better understanding of how malware is interacting with the system as it executes. (He suggests that those who don't have much experience with this kind of manual analysis start boning up by listening to a talk recorded by Sysinternals creator Mark Russinovich called "Advanced Malware Cleaning.")
"These tools allow you to find some really amazing indicators throughout your log files, your network traffic, and your other endpoints that lead to related variants that are still out there in your environment," Zaichkowsky says.
5. Network Intelligence Gathering
The search for downstream infection is the main reason why simply reimaging devices is not effective enough. In the end, that strategy doesn't help figure out how a single malware infection may be a symptom of a larger breach incident across the network.
"If you run a network or you're a CISO, your job is not only to prevent the breach and clean up after malware, but also learn your threat environment," Ghosh says. "So if you're just reimaging machines, you're losing really valuable forensics that tell you about your adversary."
Companies now want to be able to collect the forensics in an automated fashion and then send it up to a cloud-based service to do analysis about their adversaries.
Advanced companies are using threat intelligence services to correlate what they're seeing in infected systems, along with behavioral information collected about their network activity. Such crowdsourced information, collected anonymously from many environments, helps companies compile a better real-time picture of how malicious actors are using malware to carry out attacks.
But even without an outside threat intelligence feed to tell a company how its malware infections stack up, collecting in-house intelligence on internal network traffic and outbound network traffic will help provide the digital bread crumbs responders need to detect how far a malware outbreak has spread.
"Enterprises can learn a good deal by using simple tools and processes, such as logging and monitoring endpoint events and examining NetFlow traffic," wrote Christopher Morales and Jason Pappalexis, analysts for testing and analyst firm NSS Labs, in a recent report. Internal network analysis tools also provide context around more universal behaviors on the network that could have led to the infection. This could include behavior indicating reconnaissance or replication-related behavior, like excessive internal scans or pings from one machine followed up by similar behavior exhibited by machines targeted in the initial scans.
Similarly, examining outbound traffic on at-risk devices can help uncover malware remnants lurking on devices that may need further remediation to prevent a future breach.
"Malware today is on demand, so it needs to check in frequently with the command and control (C&C) hierarchy to get instructions, even if the instructions from C&C are to do nothing," Mike Rothman, analyst for security analyst firm Securosis, explains. "That means you have an opportunity to detect this C&C traffic and remediate the device before it gets involved in something bad."
This kind of due diligence helps to remedy a malware outbreak at a time that Department of Defense employees call "left of boom."
"It refers to the concept of having intelligence about your adversary on how they might hit you and then taking steps to prevent that breach in the first place," Ghosh says.
Ultimately, that should be the goal of any incident response team: to neutralize and remove a specific malware infection, but also to stop persistent attackers from eventually stealing valuable information.
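As an added illustration (not code from the report or from any vendor it names), the following Python checks implement the two network behaviors the NSS Labs and Securosis passages describe: an internal host fanning out to many peers followed by the same behavior from one of its targets, and outbound connections to a single external address at a near-constant interval. The flow records, addresses, and the assumption that 10.0.0.0/8 is the internal range are all constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records (timestamp in seconds, src, dst, dst_port); not real traffic.
FLOWS = [
    # 10.0.0.10 fans out to ten internal peers; 10.0.0.23, one of its targets, later does the same
    *[(i, "10.0.0.10", f"10.0.0.{20 + i}", 445) for i in range(10)],
    *[(60 + i, "10.0.0.23", f"10.0.0.{40 + i}", 445) for i in range(10)],
    # 10.0.0.77 checks in with one external address about every 300 seconds
    *[(1000 + 300 * k + (k % 2), "10.0.0.77", "203.0.113.9", 443) for k in range(8)],
    # ordinary outbound traffic from 10.0.0.5 to two different sites
    (1100, "10.0.0.5", "198.51.100.4", 443), (1500, "10.0.0.5", "198.51.100.8", 443),
]

def is_internal(ip):
    """Assumption for this example: the internal range is 10.0.0.0/8."""
    return ip.startswith("10.")

def find_scan_chains(flows, min_targets=8):
    """Return (scanner, follow-on scanner) pairs: a host that fans out to at least
    min_targets internal peers, and one of its targets that later fans out too."""
    targets = defaultdict(set)
    first_seen = {}
    for ts, src, dst, _port in sorted(flows):
        if is_internal(src) and is_internal(dst):
            targets[src].add(dst)
            first_seen.setdefault(src, ts)
    scanners = {h for h, peers in targets.items() if len(peers) >= min_targets}
    return sorted((a, b) for a in scanners for b in scanners
                  if b in targets[a] and first_seen[b] > first_seen[a])

def find_beacons(flows, min_hits=6, max_jitter=0.1):
    """Return (src, dst) pairs whose outbound flows recur at a near-constant
    interval: relative jitter (std dev / mean gap) at or below max_jitter."""
    times = defaultdict(list)
    for ts, src, dst, _port in flows:
        if is_internal(src) and not is_internal(dst):
            times[(src, dst)].append(ts)
    beacons = []
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps = sorted(stamps)
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            beacons.append(key)
    return sorted(beacons)
```

On real NetFlow exports the thresholds would need tuning per environment; legitimate software updaters also check in on fixed schedules, so a beacon hit is a lead for a responder, not a verdict.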

Top 10 Attack Results
What were the effects of the attack(s) on your company?

                                                                        2014   2013
Network or business applications unavailable                             42%    36%
Intellectual property theft or information confidentiality compromised   34%    25%
Minor financial losses                                                   28%    23%
Customer records compromised                                             21%    14%
Violated government regulations regarding data security                  18%    16%
Other internal records lost or damaged                                   16%    12%
Identity theft                                                           12%     9%
Legal liability                                                          12%     9%
Alienated customers                                                       8%    10%
Fraud                                                                     8%     7%

Data: InformationWeek Strategic Security Survey of 123 business technology and security professionals at organizations with 100 or more employees that experienced a security breach within the last year, April 2014, and 217 in March 2013

Write to us at editors@darkreading.com

Copyright 2014 UBM LLC. All rights reserved.