Security Community Blog

How to do Zero-Day malware remediation remotely

Created: 28 May 2009 • 7 comments

A Zero-Day virus is defined as, "a previously-unknown computer virus or other malware for which specific antivirus software signatures are not yet available."    Everybody has their different tricks and techniques when it comes to dealing with Zero-Day remediation.  This is what I do when someone calls me suspecting they are infected on my network.

1. You’ll need a copy of the PSLIST tool from the Sysinternals or PSTools Suite. From a command prompt launch: PSLIST -s \\computer-name or PSLIST \\computer-name

  • Note: Drop the -s to see a static view of the processes, but keep in mind that some malware only stays visible for seconds or will constantly change its port numbers.
  • Note #2: Press ESC to exit the -s mode.

2. Examine the list of running processes to see if any unusual processes exist.  Keep in mind that malware can hook into legitimate processes or spoof their names to appear legitimate.

3. If you run across one that doesn’t look familiar, you can investigate it by querying the process name in a web search engine (google, yahoo, etc).  If nothing shows up on that process then it is suspect but keep in mind it could also be a custom application.

4. Once you find the malicious process, UNC to the PC and search the computer's filesystem for the name of the process.

5. Once you locate it on the hard drive, add it to an archive file (zip, rar, etc) and copy that to your Desktop.  You archive it to ensure you don’t accidentally launch it and infect your own PC.  Submit the archive file to http://www.virustotal.com to see if it’s a known virus by any of the major antivirus vendors.

6. If the process is found to be malicious, then kill the process on the user's system (explained in step 7) and delete the file on THEIR system (not the one you copied to yours!!!!!!). You need to keep the file so it can be submitted to Symantec, and then to test that the new definition file can clean it when they give it to you. Also, it’s worth holding onto for a while in case it happened to be a legitimate program (which I’ve yet to see).

7. To kill the process remotely, you need the PSKILL utility and the Process ID (PID) from the list from Step 2.

8. From a command prompt: PSKILL -t \\computer-name PID#

9. Verify that the Process has stopped then delete the file. If it turns out the file is still needed, you have a copy zipped up on your system from step

10. Submit it to Symantec by filling out this form on Symantec's website. If Virustotal.com indicates it’s a known virus to other Antivirus companies then I include that information in the Symptoms field at the bottom of the web form.

11. After submitting it, print out the page with the submission details and tracking number. There's no way to look this information up again until the email notification arrives in your inbox. Remember to hold onto your copy of the malware until Symantec has created a definition file to detect and eliminate it.

12. Once the new definition file arrives, scan the archive file with SEP to ensure it correctly catches and removes the file from the ZIP. If SEP still fails to clean it, open a ticket with Symantec.
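The triage in steps 1 through 3 can be scripted against saved PsList output. This added helper (not the author's own script) parses two static `pslist \\computer-name` runs taken a few seconds apart, flags process names a known-good baseline does not recognise, flags PIDs seen in only one run (the "visible for seconds" case from Note 1), and builds the step 8 PsKill command line without executing it. The host name, the pslist output and the baseline are constructed for illustration.

```python
import re

def parse_pslist(text):
    """Return {pid: name} from saved pslist output; the banner and the
    'Process information for' line before the column header are skipped."""
    procs, in_table = {}, False
    for line in text.splitlines():
        if re.match(r"^Name\s+Pid\s+Pri", line):
            in_table = True
            continue
        fields = line.split()
        # Name is the first column and Pid the second; a name containing
        # spaces would need fixed-width slicing instead of split().
        if in_table and len(fields) >= 2 and fields[1].isdigit():
            procs[int(fields[1])] = fields[0].lower()
    return procs

def triage(snap_a, snap_b, baseline):
    """Two findings: names the baseline does not know (steps 2 and 3), and
    PIDs present in only one snapshot (the 'visible for seconds' case)."""
    a, b = parse_pslist(snap_a), parse_pslist(snap_b)
    union = {**a, **b}
    unknown = {pid: n for pid, n in union.items() if n not in baseline}
    transient = {pid: union[pid] for pid in set(a) ^ set(b)}
    return unknown, transient

def pskill_command(host, pid):
    """The remote kill from step 8 (-t also kills the process's children)."""
    return "pskill -t \\\\%s %d" % (host, pid)

# Constructed pslist output for a made-up host; SNAP_B is the same host a
# few seconds later, after one process has exited and another has started.
HEADER = """pslist v1.29 - Sysinternals PsList
Process information for WS-0421:

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
Idle                  0   0   1    0      0   220:16:58.421     0:00:00.000
System                4   8  66  567      0     0:04:39.234   226:47:21.234
svchost             900   8  21  412   3412     0:00:02.109   226:47:10.000
"""
SNAP_A = HEADER + "xrundll            2012   8   2   37    820     0:00:00.031     0:00:04.218\n"
SNAP_B = HEADER + "wscript            2076   8   3   61    944     0:00:00.015     0:00:01.500\n"
BASELINE = {"idle", "system", "svchost", "wscript"}   # known-good names for this host

if __name__ == "__main__":
    unknown, transient = triage(SNAP_A, SNAP_B, BASELINE)
    for pid, name in sorted(unknown.items()):
        print("unknown process %s (pid %d): %s" % (name, pid, pskill_command("WS-0421", pid)))
    print("seen in only one snapshot:", sorted(transient.items()))
```

Anything the script flags still goes through the web search and VirusTotal checks of steps 3 to 5 before you kill or delete it.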

Comments (7)

Jobert

thanks for this good post..
you got my vote...
but wait , do you also have other apps or tools that we may use as well?
thanks...

+1
Bored Silly

I appreciate the kind words.  I'm glad it could be of some use to you.  As for additional tools, my recent favorite can be used to remotely determine which process an infected DLL is in use by.  It's included in the Windows OS and I completely forgot it was there.  It's tasklist.

tasklist /M * /S remote_computer_name >c:\results.txt   (This will dump out all the processes running remotely on a computer and list all the DLLs used by each process into a file on the root of your C drive.  I open it with Notepad and do a find for the name of the DLL.)

If I'm local to a system I use the following tools to help find the infected process: 
Process Monitor (technet.microsoft.com/en-us/sysinternals/bb896645.aspx)
Process Explorer (technet.microsoft.com/en-us/sysinternals/bb896653.aspx)
File Monitor (technet.microsoft.com/en-us/sysinternals/bb896642.aspx)
The Netstat command (included in Windows) to see which ports are being used and which Process ID is using them -  netstat -ano

If I'm remote I use the PS Tools suite and the Tasklist command: (http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx) but mainly pslist -s \\computer_name

There are more but I'm drawing a blank.  I'll update the list when the coffee finally fully kicks in. :)

+1
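The Notepad search described in the comment above can be automated. This is an added helper, not the commenter's own tooling: it parses saved `tasklist /M` output, reading the column widths from the "====" separator line and folding the indented continuation lines into the previous row, and then lists every process that has a given DLL loaded. The sample output and the DLL name evilhook.dll are constructed.

```python
def parse_tasklist_modules(text):
    """Return {pid: (image_name, [modules])} from saved `tasklist /M` output.
    Column widths come from the '====' separator line; indented continuation
    lines extend the module list of the row above them."""
    procs, widths, current = {}, None, None
    for line in text.splitlines():
        if line.startswith("="):
            widths = [len(seg) for seg in line.split(" ")]
            continue
        if widths is None or not line.strip():
            continue                      # banner/header text before the table
        name_w, pid_w = widths[0], widths[1]
        name = line[:name_w].strip()
        mods = line[name_w + pid_w + 2:]
        if name:                          # a new process row
            current = int(line[name_w + 1:name_w + 1 + pid_w])
            procs[current] = (name, [])
        for mod in mods.split(","):       # continuation rows reuse `current`
            mod = mod.strip().lower()
            if mod and mod != "n/a":
                procs[current][1].append(mod)
    return procs

def find_dll_hosts(procs, dll):
    """PIDs and image names of every process with `dll` loaded (case-insensitive)."""
    dll = dll.lower()
    return sorted((pid, name) for pid, (name, mods) in procs.items() if dll in mods)

def _row(name, pid, mods):                # one line in tasklist's fixed-width layout
    return "%-25s %8s %s" % (name, pid, mods)

# Constructed output of `tasklist /M /S WS-0421`; evilhook.dll is a made-up name.
SAMPLE = "\n".join([
    "Image Name                     PID Modules",
    "=" * 25 + " " + "=" * 8 + " " + "=" * 44,
    _row("System Idle Process", 0, "N/A"),
    _row("smss.exe", 332, "ntdll.dll"),
    _row("csrss.exe", 404, "ntdll.dll, CSRSRV.dll, basesrv.dll,"),
    _row("", "", "winsrv.dll, GDI32.dll, KERNEL32.dll"),
    _row("explorer.exe", 1580, "ntdll.dll, kernel32.dll, evilhook.dll,"),
    _row("", "", "USER32.dll"),
    _row("iexplore.exe", 2240, "ntdll.dll, EVILHOOK.DLL"),
])

if __name__ == "__main__":
    for pid, name in find_dll_hosts(parse_tasklist_modules(SAMPLE), "evilhook.dll"):
        print("%s (PID %d) has evilhook.dll loaded" % (name, pid))
```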
Nel Ramos

these steps are part of my daily regimen for zero virus attacks...
many thanks...

Nel Ramos

0
Bijay.Swain

I don't agree.

After doing so many things to know the process of the threat and the virus file and location, what we did is just submit the file to Symantec and wait. What if they take 2 to 3 days to update the definition for that virus? What should we do till then? Should we wait only, or do something to prevent other systems from being infected by those viruses?

that is called zero day protection

0
Bored Silly

If you submit the malicious code, you will normally have access to the fix by the end of the day or the beginning of the next.  The last time it took them two to three days to get me a fix was fall of 2003.  If you submit the malware at submit.symantec.com/websubmit/platinum.cgi and the new definition file created by this submission doesn't work, THEN you open up a ticket.  Note: I've never seen this scenario happen yet. 

Also, if you have an outbreak (several systems with the same zero-day infection), then you can script the PSKILL and deletion of the malware to run against the infected systems.   I would still do it manually unless it is over a dozen boxes because it will take that long to write and perfect the script.  

0
riva11

In case of an infected computer, the best thing is to detach this PC from the network. In this way you have limited, as much as possible, the propagation of this virus attack.

Regards,
Paolo

+3