What are best practice forensics after finding IRC bot

Posted on 2007-10-12
Medium Priority
Last Modified: 2013-11-29
What are the best practices for followup to a bot removal? I was called on site to a client's small business and found a very simple IRC bot installed that launched on startup and made no attempt to conceal itself. I was able to locate it without a great deal of time and effort; it was installed in a folder in System32\ but the ease with which I could find and remove it led me to ask if there is a false sense of security since the system scans show no virus and the system is working as expected. I cleaned a Storm Worm-infected machine about two months ago and that was the most stubborn cleanup that I had seen in many years. With this one I deleted the folder and the registry entries and it was gone; it just seemed too easy. The owner told me that he always killed the application as soon as he booted up, so I want to believe it never got past the immediate IRC logins.

In the properties of the executable the company name was 'GoHack, Inc.'

Question by:BrianDSy
LVL 32

Accepted Solution

r-k earned 400 total points
ID: 20069131
Here is my list of suggestions for a case like this:

(1) Examine all user accounts, disable or delete any accounts known to be fraudulent, then change passwords on all admin accounts, using at least 10 chars and avoid common names and words.
(2) Download RootkitRevealer (http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx) and do a scan. Post the log here if it shows anything suspect. If the log is very long then just post the first 30 lines or so. Be sure to save the log in any case.
(3) Download Autoruns from: http://www.microsoft.com/technet/sysinternals/utilities/Autoruns.mspx
(a) Run the program. It lists a bunch of things that start when Windows starts.
(b) From the menu bar, select Options, then uncheck "Include Empty Locations" and check "Hide Microsoft Entries".
    Important -> Then click the Refresh button in the toolbar.
(c) This will give you a shorter, more meaningful list.
(d) Post the log here if anything interesting.
(4) Run "netstat -ab" from a command prompt, save the output to a text file (e.g. "netstat -ab > list.txt") then copy-and-paste the list here. If you like you can just post the suspect entries, or replace your ip with xx.xx
(5) If you identify any files installed by the hacker, search the rest of your C: drive for any other files created/modified around that date and time. Also, rather than deleting files left behind by the hackers, move them to another disk or CD for possible later study.
(6) After things have been cleaned up, download and run MBSA from: http://www.microsoft.com/technet/security/tools/mbsahome.mspx and do a scan and follow as many steps as reasonable.
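As an added illustration of steps (4) and (5) above (this is not r-k's code, and the netstat output below is a constructed sample shaped like `netstat -ab` output, with the owning executable on the line after each connection), the script pairs each connection with its process, flags connections to common IRC ports, and lists files modified within a window around a given timestamp:

```python
import os
from datetime import datetime, timedelta

# Constructed sample in the shape of `netstat -ab` output: each connection
# line is followed by the owning executable in square brackets.
SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:1054      203.0.113.5:6667       ESTABLISHED
  [ircbot.exe]
  TCP    192.168.1.10:1055      198.51.100.7:80        ESTABLISHED
  [iexplore.exe]
  UDP    192.168.1.10:137       *:*
  [System]
"""

IRC_PORTS = {6667, 6697, 7000}  # common IRC ports; extend for your environment

def parse_netstat(text):
    """Pair each TCP/UDP line with the [executable] line that follows it."""
    entries, pending = [], None
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] in ("TCP", "UDP"):
            pending = {"proto": parts[0], "local": parts[1], "remote": parts[2],
                       "state": parts[3] if len(parts) > 3 else "", "exe": None}
            entries.append(pending)
        elif parts and parts[0].startswith("[") and pending is not None:
            pending["exe"] = line.strip().strip("[]")
            pending = None
    return entries

def remote_port(entry):
    """Numeric remote port, or None for wildcard entries such as '*:*'."""
    port = entry["remote"].rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None

def flag_irc_connections(entries, ports=IRC_PORTS):
    """Return connections whose remote port is a known IRC port."""
    return [e for e in entries if remote_port(e) in ports]

def files_modified_near(root, when, window_minutes=30):
    """Step (5): files under `root` modified within +/- window_minutes of `when`."""
    lo, hi = when - timedelta(minutes=window_minutes), when + timedelta(minutes=window_minutes)
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(path))
            if lo <= mtime <= hi:
                hits.append(path)
    return sorted(hits)

if __name__ == "__main__":
    for e in flag_irc_connections(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{e['exe']}: {e['local']} -> {e['remote']} ({e['state']})")
```

On a real machine, feed it the saved `list.txt` from step (4) and the timestamp of the file you found in System32\ for the time-window search.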

Assisted Solution

msklizmantas earned 200 total points
ID: 20085576

IMHO it doesn't matter what you find; the best practice is to reinstall the workstation. Of course, make images before doing it and then analyse them with some forensic toolkit to understand how that software got there in the first place.


LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 400 total points
ID: 20246067
A tool no admin should be without is a USB (and/or FireWire) drive adapter like these:

Take the HD out of the PC, place it in/onto the USB adapter, and scan the drive using updated AV tools and spyware tools. This will assure you that no root-kit is messing with your results, and you can easily scan files that may have been protected or hidden while the HD was running the OS.
There are IDE and SATA drive adapters (laptop and pc style) for a very low price, and they help assure your results are accurate.
When you do find spyware/viri on a PC running winME or XP Pro, the following page describes some other best practices to follow: http://www.xinn.org/annoyance_spy-ware.html

You should likely reinstall from scratch or image if you do find something big like a root-kit, some mal-ware as well.

Author Comment

ID: 20528134
It's hard to rate any of these as the ultimate solution, since I need to maintain a balance between the users' freedom of choice in a small office and budget choices about offline storage. But after removing the registry keys that started the processes and restarting the machine I was able to remove the rest of the malware and run the System Restore function of Windows using the boot CD. The first and last solutions are the best for the small business; the second one is an enterprise-type solution. Resources in many of the small businesses I go to are stretched to the maximum.


Author Closing Comment

ID: 31408153
Thanks for the feedback. My client's happy. I feel like I got the job done. There have been no further issues.

