
Thread: best practice for responding to unknown virus

  1. #1

    best practice for responding to unknown virus

    Hi,
    what is the best practice that you use for responding to a suspected unknown virus
    that your AV software cannot detect (maybe the signature is not out yet)?
    For example, you see that something strange happens to your computer and that
    the AV software (updated with virus DATs) did not flag any alerts. What do you normally do after that? I suppose the first step, for paranoid people, is to unplug the LAN cable..:-)

    Thanks

  2. #2
    Um, send it in for an updated signature?
    How about this... fix it, forget it, and move on to the next loser.

    Blah blah blah... the end.

  3. #3
    Senior Member nihil (Join Date: Jul 2003; Location: United Kingdom: Bridlington; Posts: 17,188)
    Hello ghostmachine

    The best method is defence......................

    Please use this:

    http://www.diamondcs.com.au/index.php?page=regprot

    It is free for both commercial and private users.............hey, I cannot do better than that?

    Most of this crap wants to alter the Registry?

    Don't let it..........just put a 9mm Parabellum SJSWCHP through the back of my mate Spesh's head, and we will be even ..............168 grain?


  4. #4
    At least there is a good chance you'd catch me on an off day when I'm upset about something... like not getting laid.

  5. #5
    Senior Member nihil (Join Date: Jul 2003; Location: United Kingdom: Bridlington; Posts: 17,188)
    like not getting laid.
    Eggs get "laid"...................as you come from a Southern State, I shall cut you some slack, and hope that you meant "layed"


  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13 (Join Date: Dec 2002; Location: Washington D.C. area; Posts: 2,885)
    I dunno why you're busting his balls. He's not asking 1337 hax0r questions like, "How do I find CS hacks?"

    Now for your answer.

    If you suspect a virus/worm/bot, the first thing to do is review all running processes and map them to apps/services that you know should be there.

    Next, if you see a process that looks unusual, DON'T kill it right away. First see if it's doing anything over the wire. Fire up TCPView and see if the process is responsible for connections being spawned or established sessions.

    If you see an established session, fire up a sniffer and watch the conversation. Most bots will respawn if you kill the process, so once you have your sniffer set, kill the process and watch the initial connection. You will receive a wealth of info from it. This is one way to get credentials to a C&C botnet IRC server.

    There will be variations on the above but the basic steps are the same. Once you identify the problem process, and you have a wealth of info gathered, the next stop should be VirusTotal or the Norman SandBox. Submit your sample and see if other vendors have identified it. If so, you can get removal instructions from them.

    Last, submit the sample along with your collected data to your vendor. Don't forget to bitch about how they aren't doing a good job.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
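    The first two steps of the procedure above (list every process, map it to something you expect on the host, then see whether the suspicious ones own network sessions before you touch them) can be done from plain `netstat -ano` and `tasklist` output when TCPView is not to hand. The script below is an added example, not a tool from the original post or from thehorse13's toolbox; the netstat and tasklist text inside it is constructed sample data, and the `KNOWN_GOOD` list stands in for whatever baseline the administrator has for that machine.

```python
"""Correlate running processes with their network sessions and flag the ones
that are not on a known-good list. Added example; the netstat and tasklist
text below is constructed sample data, not output captured from a real host."""

# Constructed sample of `netstat -ano` output (Windows format).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.1.20:49711     203.0.113.45:6667      ESTABLISHED     4120
  TCP    192.168.1.20:49712     198.51.100.10:443      ESTABLISHED     2300
  UDP    0.0.0.0:5353           *:*                                    1480
"""

# Constructed sample of `tasklist` output; maps PIDs back to image names.
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    900 Services                   0     12,000 K
svchst32.exe                  4120 Console                    1      3,400 K
firefox.exe                   2300 Console                    1    250,000 K
mdnsresp.exe                  1480 Console                    1      5,000 K
"""

# What the administrator expects to find on this particular host (assumption).
KNOWN_GOOD = {"svchost.exe", "firefox.exe", "explorer.exe", "lsass.exe"}


def parse_netstat(text):
    """Return one dict per socket line: proto, local, foreign, state, pid."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP") or not parts[-1].isdigit():
            continue
        # UDP lines carry no State column, so the field count decides.
        state = parts[3] if len(parts) == 5 else ""
        sockets.append({"proto": parts[0], "local": parts[1], "foreign": parts[2],
                        "state": state, "pid": int(parts[-1])})
    return sockets


def parse_tasklist(text):
    """Return {pid: image name} from tasklist output, skipping the header rows."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            procs[int(parts[1])] = parts[0]
    return procs


def triage(netstat_text, tasklist_text, known_good):
    """Step 1 of the post: every process not on the known-good list is a finding.
    Step 2: attach the sockets that process owns, so the analyst can see whether
    it is talking over the wire before deciding whether to kill it."""
    procs = parse_tasklist(tasklist_text)
    by_pid = {}
    for sock in parse_netstat(netstat_text):
        by_pid.setdefault(sock["pid"], []).append(sock)
    allowed = {name.lower() for name in known_good}
    findings = []
    for pid, image in sorted(procs.items()):
        # Exact (case-insensitive) match only: a look-alike such as svchst32.exe
        # deliberately does not pass as svchost.exe.
        if image.lower() in allowed:
            continue
        findings.append({"pid": pid, "image": image, "sockets": by_pid.get(pid, [])})
    return findings


if __name__ == "__main__":
    for f in triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE, KNOWN_GOOD):
        print(f"PID {f['pid']} {f['image']}: review before killing")
        for s in f["sockets"]:
            print(f"    {s['proto']} {s['local']} -> {s['foreign']} {s['state']}")
```

    On a real host, paste in the actual `netstat -ano` and `tasklist` output instead of the samples. In the constructed data the look-alike `svchst32.exe` is reported with an established session to port 6667, the IRC port the post associates with bot C&C, which is exactly the process you would put the sniffer on before killing it. A name match is only the first filter: tasklist does not show the image path or signer, so an unexpected name still needs those checked by hand.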

  7. #7
    Senior Member Spyrus (Join Date: Oct 2002; Posts: 741)
    thehorse13: as always, that sounds intriguingly interesting to me. I have no experience in virus prevention/removal/hunting other than using tools that are out there, that and my experience with Blaster. What tools do you use other than TCPView? Do you have any tuts written up on this? What's it gonna cost me to steal this information from you? And as I dig into this more, is it possible for me to get a sample virus I can fire up on a test network and test this with? You can PM me or whatever. Thanks
    Duct tape.....A whole lot of Duct Tape
    Spyware/Adaware problem click here

  8. #8
    AO Ancient: Team Leader (Join Date: Oct 2002; Posts: 5,197)
    You might want to look this over to see how I investigate malware.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  9. #9
    The Doctor Und3ertak3r (Join Date: Apr 2002; Posts: 2,744)
    Rule One: Prevent any possibility of the malware infecting any other production systems..
    If it is connected to a network, remove it immediately.. if you're wanting to play with such a pet, do so within a DMZ..

    I may sound like a panic merchant.. and by the time it is realised that the system is infected, the chances are that the malware will have already spread.. I would recommend isolating as the very first precaution.. figure out what you have, then deal with the rest of the network
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  10. #10
    Master-Jedi-Pimps0r & Moderator thehorse13 (Join Date: Dec 2002; Location: Washington D.C. area; Posts: 2,885)
    may sound like a panic merchant.. and by the time it is realised that the system is infected, the chances are that the malware will have already spread.. I would recommend isolating as the very first precaution.. figure out what you have, then deal with the rest of the network
    I favor this process if you don't want to pursue litigation or apprehension of the guilty slime. In my case, I never let the slime know that I'm on to them until someone is busting down their door with a search warrant.

    Spyrus, I will put together a tut on this. Tiger has done a fine job at it already. Mine will deal with several additional tools like system snapshot tools used to see everything that a virus/worm does to a host. We do this with captured samples that are not in AV sigs. Many times our reported write-ups get the ol' COPY>PASTE into the vendor's detailed description.

    Anyway, I have a toolbox full of goodies and I will get a tut posted on the topic soon.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
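    The "system snapshot" approach the post mentions, taking a picture of the host before a captured sample runs and diffing it afterwards to see everything the sample touched, comes down to hashing the tree twice and comparing. The script below is an added example of the file-system half of that, not code from thehorse13's toolbox or the promised tutorial; the directory contents and the changes it applies between the two snapshots are constructed to stand in for what a sample might do inside an isolated test box.

```python
"""Before/after snapshot of a directory tree, the file-system half of the
'system snapshot' approach the post describes. Added example, not thehorse13's
toolbox; the directory contents and the simulated changes are constructed."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every regular file under root (relative path) to its SHA-256."""
    state = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                state[rel] = hashlib.sha256(fh.read()).hexdigest()
    return state


def diff_snapshots(before, after):
    """Return the added, removed and modified paths between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys()
                           if before[p] != after[p]),
    }


def _write(root, rel, content):
    """Create rel (slash-separated) under root, making parent directories."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(content)


def demo():
    """Build a throwaway tree, snapshot it, apply constructed changes of the
    kind a sample might make, snapshot again and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "Windows/System32/drivers/etc/hosts", "127.0.0.1 localhost\n")
        _write(root, "Users/alice/notes.txt", "quarterly numbers\n")
        before = snapshot(root)

        # Constructed changes: a dropped file, an edited hosts file, a deleted document.
        _write(root, "Windows/System32/svchst32.exe",
               "MZ placeholder, not a real executable\n")
        _write(root, "Windows/System32/drivers/etc/hosts",
               "127.0.0.1 localhost\n127.0.0.1 av-update.example\n")
        os.remove(os.path.join(root, "Users", "alice", "notes.txt"))

        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for path in paths:
            print(f"{kind:9} {path}")
```

    The same `diff_snapshots` logic works on a registry export (`reg export` of the hives you care about before and after, compared line by line), which covers the Registry-writing behaviour nihil warns about earlier in the thread. Hash on content rather than timestamps, since a modified file that keeps its old size and mtime still changes its digest.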
