Malware Infection Recovery Guide

Number: TR11-001
Date: 09 November 2011

Audience

This report is intended for organizations within federal, provincial/territorial and municipal governments; critical infrastructure; and other related industries that may have computer systems affected by malicious code.

Purpose

The purpose of this product is to provide guidance on how to recover from computer system infection by malicious software code such as rootkits.

Assessment

Operating a computer system connected to the Internet exposes its integrity and the confidentiality of its data to inevitable risks. Although several mitigation measures significantly reduce such risks, vulnerabilities always remain, and can be successfully exploited by malicious actors. Every day, thousands of Internet-accessible computers are compromised and used to steal personal information such as credit card and banking information, and corporate intellectual property. They are also sometimes used to further distribute malicious code to infect additional computer systems.

When users become aware that a computer system may be infected, either through symptoms such as poor performance or high bandwidth consumption or through notification by a trusted third party such as the upstream ISP, the task of recovery may be daunting.

The following steps may help in recovering from a malicious code infection. Unfortunately, given the diversity of computer system configurations and the evolving detection-evasion and persistence tactics of malicious code, this document cannot account for every possible situation.

1. Reporting to IT Security / Service Desk: If you are in a corporate environment or have an IM/IT service support contract, notify the service provider at the earliest opportunity and follow their instructions.

2. Disconnecting the computer from the Internet: Depending on what type of malware is affecting the system, malicious actors may have access to the data stored on the computer and may be using it against others. Disconnecting the computer from the network will prevent further spread of malicious code and make information on the computer inaccessible from the Internet. The simplest way to disconnect the computer is to physically disconnect the cable or phone line from the back of the computer or laptop, and to ensure that all wireless connections (e.g. WiFi, HSPA, Bluetooth) are also disconnected or disabled.

3. Backing up important files: Prior to attempting any repair, important files should be copied onto alternate storage media such as a CD, DVD, USB key or external hard drive. Files to consider include photos, videos, email folders, documents and Internet favourites. These files cannot be trusted and will require scanning prior to being reloaded onto any other computer systems. If you already regularly perform backups on a separate system, these may also have been infected. Backup files should also be scanned for infected items.

4. Scanning the computer: A number of tools exist to scan a computer file system to identify and remove malicious code. Unfortunately, there are even more scanning tools available that are malware themselves. Those are known as FakeAV, FakeAlert, etc. Therefore, it is imperative when proceeding with recovery steps that trusted tools (CDs, USBs, software, etc.) be used to avoid exacerbating an already complex problem. If software is used, it should be obtained from a trusted source and downloaded on a computer other than the infected machine. Major antivirus companies often offer a free scanning engine, which can be used to detect and remove certain infections. Microsoft provides a list of reputable antivirus products for Windows-based systems at the following site:

http://www.microsoft.com/windows/antivirus-partners/windows-xp.aspx

When downloading a scanning tool, ensure it is obtained from a trusted source, using a non-infected Internet-connected computer, and that it includes the latest definition/signature files. Some of these tools may require starting the computer in “safe-mode” prior to running the scan.

The system should ideally be scanned using a live-CD, rescue-CD, or trusted bootable USB operating system. Recovery tools from the computer manufacturer and operating system vendor can be used as well. Once the scanning tool is ready and the infected computer drive is mounted, run a scan, enabling the appropriate features and options such as the level of sensitivity and the inclusion of boot sectors in the scan. If detection occurs, follow the removal instructions provided by the scanning tool.

Some of the most persistent viruses infect the Master Boot Record (MBR) of the computer. The MBR is an area of the hard drive accessed by the computer at start-up before the operating system is loaded. In such cases, even after successful removal of some malicious code, the infection may constantly reappear. Some antivirus tools are capable of restoring the MBR. Otherwise, operating system vendors such as Microsoft have tools that may be helpful. These include the Microsoft Recovery Console, which has a fixmbr option.

5. Reinstalling the operating system: If the scanning is not successful in detecting and removing the malicious code, the affected hard-drive may require formatting and reinstallation of the operating system. This corrective action will result in the loss of all existing programs and files. Before conducting the reinstallation, record programs and settings so that the system may be returned to its original condition. Again, it is important that the reinstallation fully removes all digital artefacts, including the MBR. Manually, this may involve performing the “format” and “fdisk” commands. In a corporate environment, simply re-imaging a host may not remove malicious code hiding in the MBR.

Removing malicious code from the MBR (Windows hosts):

A) Windows XP and earlier: Use the command fdisk /mbr, following the instructions provided in this article:
http://support.microsoft.com/kb/69013

From a machine that is not infected, create a bootable disk by following the instructions provided in this article:
http://support.microsoft.com/kb/305595

B) Windows Vista and Windows 7: Use bootrec.exe by following the instructions provided in this article:
http://support.microsoft.com/kb/927392/
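
An added example (not part of the original CCIRC guidance): after fdisk /mbr, fixmbr or bootrec.exe has been run, the first disk sector can be read from a trusted boot environment and compared against a baseline to confirm that the boot code was actually rewritten. The sketch below parses a 512-byte MBR sector; the baseline hash (recorded from a known-clean machine running the same operating system version), the `disk.img` path and all function names are assumptions, and the sample sector is constructed.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bootstrap code; bytes 440-445 hold the per-disk signature
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xaa"   # required marker at offset 510
ENTRY = "<B3xB3xII"      # status, type, LBA start, sector count (CHS fields skipped)


def parse_mbr(sector):
    """Parse one 512-byte MBR sector and return the fields worth reviewing."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype, lba, count = struct.unpack(ENTRY, sector[off:off + 16])
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"slot": i, "active": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "signature_ok": sector[510:512] == BOOT_SIG,
            "partitions": partitions}


def review_mbr(sector, baseline_sha256):
    """Return a list of findings; an empty list means nothing unexpected."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    if sum(p["active"] for p in info["partitions"]) > 1:
        findings.append("more than one active partition")
    return findings


def sample_mbr(boot_code):
    """Constructed sample: the given boot code plus one active type-0x07 partition."""
    entry = struct.pack(ENTRY, 0x80, 0x07, 2048, 204800)
    return boot_code.ljust(PART_TABLE_OFF, b"\x00") + entry + bytes(48) + BOOT_SIG


# Usage on a real sector, read from a trusted boot environment (path is an assumption):
#   with open("disk.img", "rb") as f: findings = review_mbr(f.read(512), baseline)
```

The hash covers only the first 440 bytes, so the per-disk signature and the partition table do not cause false mismatches between otherwise identical machines.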

Once the operating system is reinstalled, it is critical that antivirus software be installed, and that patches and updates are applied.

6. Restoring backup files: Before copying the files from the storage media back onto the computer, use the antivirus software to completely scan the media.

7. Scanning and reviewing other network devices: Malicious code often has replication features allowing it to copy itself into network shares used by other computers on the network or to infect them directly through other means. Malicious code may also alter networking infrastructure configuration such as DNS and firewall settings in routers and other devices. These devices are particularly vulnerable if they use default access control mechanisms such as the manufacturer's default administrator account name and password, or if the previously compromised computer had malicious code with a key logging capability and was used to access and configure such a device. Removable media such as USB flash drives may also be infected and used to spread the malware between computers. Perform a scan of these devices and media using a reputable antivirus product. Review the status and configuration of other network devices. Consider performing a periodic reboot and reset of the password of small-office / home-office routing equipment.

8. Applying and maintaining computer protection: To prevent future infections, consider the following precautions:

Additional resources are provided in the references below.

Suggested Action

CCIRC recommends that computer owners implement security best practices such as those mentioned above to help ensure their computer systems and associated infrastructure remain secure.

REFERENCES

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note, CCIRC PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
