Security Step 4: Response
By Jim Rapoza

In 2001, Nimda and Code Red were the evil forces to be reckoned with. Today? They seem almost quaint in the face of malware such as rootkits. Indeed, if recovering from Nimda and Code Red was like cleaning up after some rowdy neighborhood kids had egged your house, then finding out that your business has been successfully compromised by a rootkit is like finding out that your identity has been stolen and that the thief has bugged your house and your phone lines and has had full run of your house when you weren't home.

So how should IT managers respond when they find that a rootkit has turned company systems into its own personal playground? Unfortunately, the best advice often is that which was given to a company that was the subject of eWEEK Labs' "Anatomy of a rootkit hack": Nuke it from space. In other words, take down the system on which the rootkit has been implanted and rebuild it from scratch. (The company eWEEK Labs profiled chose, not surprisingly, to remain anonymous.)

But while it is possible to take down and rebuild a single system or server that has been infected with a rootkit, this usually isn't an option when the rootkit has had access to a number of vital company servers, systems and resources. Just as being infected with a rootkit is like having your identity stolen, the response is also similar in many ways: Everything that touched the infected system in any way, shape or form has to be considered suspect. And businesses will need to watch carefully for months, if not years, to make sure that there are no hidden or remaining effects from the rootkit invasion.

When to pull the plug

With most standard system infections, the first step once a problem has been detected is to pull the plug, literally. However, while this works fine when one system is involved, how do you pull the plug on an entire network?
If the network in question is an internal corporate segment, then you should pull the plug on the entire segment. While this will cause a user outcry, it is vital to disconnect the affected systems from the Internet. When it comes to resources that can't be shut down, such as network segments including externally facing Web, database and application servers, it may be necessary to do what the company in the "Anatomy of a rootkit hack" article did: Intentionally poison your own DNS (Domain Name System) tables. This will mislead rootkit controllers about the location of affected systems, but only for as long as the implant resolves its targets through your DNS; an implant that carries hard-coded IP addresses is unaffected, so treat this as a stopgap while real isolation is arranged, not as containment.

Once all potentially infected systems are isolated, you will need to find and remove the rootkit itself. Standard applications, such as anti-virus tools, will help here. However, you also should use specific rootkit detection programs, such as Microsoft's Windows Sysinternals RootkitRevealer, that use cross-view detection techniques: they enumerate the file system and registry once through the normal Windows APIs and once by parsing the raw on-disk structures directly, and flag anything that appears in one view but not the other, because that discrepancy is exactly what a rootkit creates when it hooks the APIs to hide itself. Bear in mind that any scanner running on the infected operating system is subject to the same hooks; scanning the disk from clean boot media, or simply rebuilding, is the only way to be sure.

At this point, it is vital to trace any and all activity related to the rootkit infection. Indeed, the response should be "all hands on deck" for the company IT staff. Everything that could have been touched or seen by the rootkit-infected system needs to be checked, and all activity on the infected system needs to be studied, starting from the time of infection. The IT executive at the company profiled in "Anatomy of a rootkit hack" did just that and found, to his dismay, that an IT staffer had used a domain administrator name and password on the rootkit- and keylogger-infected system. That security error gave attackers the keys to pretty much everything in that particular enterprise kingdom.

The next step is to tap into your deepest, darkest fears. Imagine the shady underworld characters who now have detailed information on all your most vital passwords and access mechanisms, and what they can do with this info.
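The cross-view idea is not specific to Windows files and registry keys. As an added illustration that is not from the original article and not Sysinternals code, the Python below applies the same comparison to processes on a Linux host: the high-level view is the /proc directory listing that ps and top read, the low-level view is a direct kernel probe of every possible PID with kill(pid, 0), and anything the kernel acknowledges but the listing omits is reported. It assumes Linux with a readable /proc, and it is a detection aid only, not a cleaning tool.

```python
"""Cross-view hidden-process check for Linux.

Added example, not the article's or Sysinternals' code. Assumes Linux with /proc.

High-level view:  the /proc directory listing (what ps and top use).
Low-level view:   kill(pid, 0) for every possible PID, which asks the kernel
                  whether the PID exists without delivering a signal.
A PID the kernel acknowledges but that never appears in the listing is the
discrepancy a rootkit produces when it filters directory listings, whether
through an LD_PRELOAD readdir hook or a kernel module hiding /proc entries.
"""
import os


def procfs_pids():
    """High-level view: numeric entries of /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pid_exists(pid):
    """Low-level probe. kill(pid, 0) returns ESRCH for an unknown PID and EPERM
    for a PID that exists but belongs to another user, so EPERM means 'exists'."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def is_thread(pid):
    """kill() also answers for thread IDs, which /proc deliberately does not
    list. For a thread, Tgid in /proc/<id>/status differs from the id itself."""
    try:
        with open(f"/proc/{pid}/status") as status:
            for line in status:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass  # unreadable or hidden entry: treat as a process so it gets flagged
    return False


def cross_view_diff(high_level, low_level):
    """Entries present in the low-level view but missing from the high-level one."""
    return set(low_level) - set(high_level)


def find_hidden_pids(max_pid=None):
    """PIDs that exist according to kill() but appear in neither a /proc listing
    taken before the probe sweep nor one taken after it."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    before = procfs_pids()
    probed = {pid for pid in range(1, max_pid + 1)
              if pid_exists(pid) and not is_thread(pid)}
    after = procfs_pids()
    # A process that started or exited during the sweep is present in one of
    # the two listings and is not flagged; only PIDs absent from both count.
    return cross_view_diff(before | after, probed)


def confirmed_hidden_pids(runs=2, max_pid=None):
    """Repeat the sweep and keep only PIDs flagged every time. This removes the
    remaining race: a process that both started and exited inside one sweep."""
    result = None
    for _ in range(runs):
        found = find_hidden_pids(max_pid)
        result = found if result is None else result & found
    return result


if __name__ == "__main__":
    hidden = confirmed_hidden_pids()
    print("hidden PIDs:", sorted(hidden) if hidden else "none")
```

A clean host returns an empty set. A non-empty result is a lead, not a verdict: inspect the flagged PID from clean media before acting on it, and remember that a kernel rootkit able to intercept kill() as well as readdir() will defeat this check, which is why the article's "nuke it from space" advice still stands.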
Then, change everything: all passwords, user accounts, authentication systems, anything that could have been scanned or accessed by infected systems. Do the resets from systems you know to be clean, and only after the infected ones are isolated or rebuilt; a new password typed into a machine that still carries the keylogger is captured just like the old one. If you've been thinking about upgrading your security, network and server infrastructure, you might as well do it now. It's a lot of work, but if the bad guys have even one password that still works, you could be going through this whole process again before you know it.

The final step is to try to stop a rootkit infection from ever happening again. It's true there are some rootkits that are so sophisticated that they will evade all your security and anti-virus systems. But, in the majority of cases where a rootkit spreads, someone messed up along the way. Perhaps a user downloaded non-work-related programs to his or her corporate system. Or there were users who didn't follow good security practices and opened unexpected attachments in e-mail. A rootkit infection, and all the turmoil it causes, is a good opportunity to reiterate (or iterate, if you haven't already) the importance of good security practices. Of course, there also may be a need to educate IT staff.

But, in the end, there's no rest for the security weary. Like people who have been subject to identity theft, victims of rootkit infections can never be 100 percent sure that they got everything, that there isn't a little Trojan or another rootkit quietly hiding somewhere, waiting to strike again when the IT staff's guard is down. The only effective response is continuous vigilance.

Best practices: Response
Disconnect infected systems immediately: Systems that have been infected by a rootkit or other intrusion mechanism should be disconnected from the network immediately; if entire network segments are in question, they should be quarantined as well.
Perform thorough cleaning: Remove rootkit files and any trojans, servers or other hacker programs from infected systems using updated anti-virus programs and specialized rootkit discovery applications; for more peace of mind, wipe infected systems and reinstall the operating system.
Get to the source: When a system is attacked, determine how the attack happened and scan through all system and network logs to find out if any other systems, networks or applications were potentially compromised.
Assume the worst: Change all passwords and authentication accounts that could have been accessed by a rootkit or other intruders; take the opportunity to patch and update core security and server systems.
Learn your lesson: Take steps to prevent similar intrusions from happening again; revisit all corporate security practices and IT protocols for dealing with potentially compromised systems.
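The "Get to the source" and "Assume the worst" steps above are a scoping calculation, and the domain-administrator incident described in the article shows why it has to be done systematically rather than by memory. As an added example, not part of the original article, the Python below turns the rule "everything that touched the infected system is suspect" into a fixed-point computation over logon records: any account presented to a suspect host after its compromise time is exposed and must be rotated, and any host that an exposed account (or a suspect host) later authenticated to becomes suspect from that moment on. The record layout, host names, account names and timestamps are constructed for the example; real logon data would come from domain controller and server security logs.

```python
"""Scoping a rootkit and keylogger compromise from logon records.

Added example, not from the original article. It turns the article's rule,
"everything that touched the infected system is suspect", into a calculation
over logon events:

  Rule 1  Any account that authenticated to a suspect host at or after that
          host's compromise time is exposed (a keylogger or credential dump on
          the host could have captured it) and must be rotated.
  Rule 2  Any host that an exposed account, or a suspect host, authenticated to
          at or after the exposure/compromise time becomes suspect as well.

The rules feed each other, so the calculation runs to a fixed point. The record
layout, host names, account names and timestamps are constructed for this
example and are not a real product's log format.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Logon:
    when: datetime
    account: str
    src_host: str   # host the logon was initiated from
    dst_host: str   # host the credential was presented to


def parse_logons(text):
    """Parse constructed 'ISO-time, account, source, destination' lines."""
    logons = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        when, account, src, dst = (field.strip() for field in line.split(","))
        logons.append(Logon(datetime.fromisoformat(when), account, src, dst))
    return logons


def scope_compromise(logons, infected_host, infected_at):
    """Return (suspect hosts -> earliest compromise time,
               exposed accounts -> earliest exposure time)."""
    suspect = {infected_host: infected_at}
    exposed = {}
    ordered = sorted(logons, key=lambda e: e.when)
    changed = True
    while changed:            # recorded times only ever move earlier, so this ends
        changed = False
        for e in ordered:
            # Rule 1: credential presented to a host the attacker already controls.
            if e.dst_host in suspect and e.when >= suspect[e.dst_host]:
                if e.when < exposed.get(e.account, datetime.max):
                    exposed[e.account] = e.when
                    changed = True
            # Rule 2: a captured credential, or a controlled host, reaches a new host.
            via_account = e.when >= exposed.get(e.account, datetime.max)
            via_host = e.when >= suspect.get(e.src_host, datetime.max)
            if (via_account or via_host) and e.when < suspect.get(e.dst_host, datetime.max):
                suspect[e.dst_host] = e.when
                changed = True
    return suspect, exposed


# Constructed sample data. jdoe's 07:30 and 07:45 logons predate the infection and
# must not count; helpdesk-admin is the domain administrator from the article's
# scenario, typed into the keylogged workstation at 09:40.
SAMPLE_LOGONS = """
# time,            account,        source,  destination
2005-03-01T07:30,  jdoe,           WS-117,  WS-117
2005-03-01T07:45,  jdoe,           WS-117,  FS-01
2005-03-01T08:15,  jdoe,           WS-117,  WS-117
2005-03-01T09:40,  helpdesk-admin, WS-117,  WS-117
2005-03-01T10:05,  helpdesk-admin, WS-117,  FS-01
2005-03-01T11:00,  msmith,         WS-204,  FS-01
2005-03-01T11:30,  msmith,         WS-204,  DB-02
2005-03-01T12:00,  bwayne,         WS-300,  PRINT-01
"""

PRIVILEGED = {"helpdesk-admin"}   # constructed: accounts holding domain-admin rights


def run_example():
    """Keylogger first seen on WS-117 at 08:00 (constructed)."""
    logons = parse_logons(SAMPLE_LOGONS)
    return scope_compromise(logons, "WS-117", datetime.fromisoformat("2005-03-01T08:00"))


if __name__ == "__main__":
    suspect, exposed = run_example()
    print("Hosts to rebuild (earliest time under attacker control):")
    for host, t in sorted(suspect.items(), key=lambda kv: kv[1]):
        print(f"  {host:10} {t:%H:%M}")
    print("Credentials to rotate, from a clean system:")
    for acct, t in sorted(exposed.items(), key=lambda kv: kv[1]):
        flag = "  <-- privileged, rotate first" if acct in PRIVILEGED else ""
        print(f"  {acct:16} exposed {t:%H:%M}{flag}")
```

On the sample data the result is three hosts to rebuild (WS-117, then FS-01 once the exposed administrator credential reached it at 10:05, then DB-02 via msmith) and three credentials to rotate, while bwayne and PRINT-01 stay out of scope because nothing exposed ever touched them. The infection timestamp matters: the same administrator logging on before 08:00 would not have been captured, which is why establishing when the rootkit arrived is part of the "Get to the source" step rather than an afterthought.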
What did Code Red do that made it so horrifying to IT administrators? Basically, it defaced Web site home pages. Even Nimda, which was pretty destructive for its time, pales in comparison to rootkits, the main danger that security and IT administrators face today.