Background
ISO Consensus papers present the expert security perspective of the Information Security Office staff at the University of Texas at Austin.
A compromised system is more than just a “hacked” computer. A compromised system can be used to attack other systems and is generally considered a threat to all other systems connected to a network. Besides being a threat, a compromised system can also be a liability, exposing many types of sensitive data, such as:
- Social Security numbers (SSN)
- credit card numbers (CC)
- personal information, including passwords to a user’s bank account, e-mail and other online accounts
In an educational environment such as the University of Texas at Austin, a compromised system can be especially damaging because we store or process SSN and other protected student data. A single incident could cost hundreds of thousands of dollars in mitigation and notification, not to mention the bad publicity and impact on the alumni and donor communities.
The purpose of this paper is to provide best practices and recommendations when remediating compromised systems. The ISO has intentionally avoided creating a specific “how-to” document due to the number of possible scenarios that would need addressing, as well as the ongoing maintenance that would be required for the document to remain effective. Links and directions to more specific information are provided at the end of the document.
Definitions
- Trojan Horse—A Trojan horse refers to a malicious program that enters a computer or system disguised or embedded within seemingly legitimate software. Once installed on a computer, a Trojan horse may delete files, transmit your personal information, reconfigure your computer, or even allow hackers to use your computer as a weapon against other computers on a network.
- Keylogger—A hardware- or software-based tool that can be used for logging keyboard activity. It can be used for good or evil, but when talking about compromises, consider it evil.
- Backdoor—In a computer system, a backdoor refers to an overlooked or hidden entry into a computer system. A backdoor allows a hacker or other unauthorized user to bypass a password requirement and to gain access to a computer.
- Rootkit—Software that has the sole purpose of hiding itself and its activities from the standard operating system tools used by the user or administrator of a computer.
Major Points
There is only one sure way to secure a compromised computer: It is the opinion of the Information Security Office (ISO) that the only dependable way to secure a compromised system is to tear it down and rebuild, that is, format and reinstall from trusted media. Once a system has been compromised, nothing on the system can be trusted. System binaries, data, passwords, logs, and processes are all assumed to be untrustworthy and should be eliminated. Hopefully you will have reliable backups, as required by Sec. 1.1 in the Minimum Security Standards for Systems, and those backups have not themselves been compromised.
Attempting a manual recovery of a compromised system: If you cannot rebuild the system from scratch and plan to manually remove the malicious code, please continue reading the ISO recommendations and observations that should be considered before connecting the compromised computer to the network.
Identifying the Compromise
Crime fighting toolkit
When attempting to locate malware on an infected computer, you will want to have a wide range of tools at your disposal. You should have tools for:
- rootkit detection
- process and network activity
- network sniffing
- virus scanning
- forensic examination
- comparing md5 hashes of suspect binaries with known good binaries
- virtualization software
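As an added example (not from the ISO paper), the hash comparison in the list above written as a short Python script: it hashes every file under a known-good tree, compares a suspect tree against it and classifies each file as ok, modified, unexpected or missing. Both MD5 (the digest the paper names) and SHA-256 are computed, since MD5 collisions are practical; the file names and contents are constructed, and in practice the known-good manifest and the script itself would come from trusted media, because tools on the compromised host cannot be trusted.

```python
import hashlib
import os
import tempfile

def hash_file(path, chunk=65536):
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()

def walk_hashes(root):
    # Relative path -> (md5, sha256) for every file under root.
    return {os.path.relpath(os.path.join(d, n), root): hash_file(os.path.join(d, n))
            for d, _, files in os.walk(root) for n in files}

def compare(manifest, suspect_root):
    # Classify each path as ok / modified / unexpected / missing.
    suspect = walk_hashes(suspect_root)
    result = {}
    for rel, digests in suspect.items():
        if rel not in manifest:
            result[rel] = "unexpected"        # file the clean tree never had
        elif digests != manifest[rel]:
            result[rel] = "modified"          # replaced or patched binary
        else:
            result[rel] = "ok"
    for rel in manifest:
        if rel not in suspect:
            result[rel] = "missing"           # deleted from the suspect tree
    return result

def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)

def demo():
    # Constructed sample: clean tree vs. a copy with one binary replaced, one removed, one file dropped in.
    tmp = tempfile.mkdtemp()
    good, bad = os.path.join(tmp, "good"), os.path.join(tmp, "bad")
    for d in (good, bad): os.makedirs(d)
    for name, data in (("ls", b"ls-v1"), ("ps", b"ps-v1"), ("netstat", b"ns-v1")):
        _write(os.path.join(good, name), data)
        _write(os.path.join(bad, name), data)
    _write(os.path.join(bad, "ps"), b"trojaned ps")
    _write(os.path.join(bad, ".hidden"), b"dropper")
    os.remove(os.path.join(bad, "netstat"))
    return compare(walk_hashes(good), bad)   # manifest would come from trusted media
```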
When using tools that detect viruses or rootkits, it is recommended that you use software from multiple vendors. Doing this will provide greater coverage and produce a higher rate of detection.
Virtualization software is a critical element of your toolkit. It is especially useful when attempting to determine the possible damage that a particular piece of malware could cause, by allowing you to purposefully infect a virtual machine and then collect data without any messy rebuilds. Simply shut down and restart your virtual machine and you’re ready for the next infection. It should be noted that intentionally infecting a computer, virtual or not, could produce undesirable results, such as infecting other hosts on the network. It is therefore recommended that this be done with extreme caution and only in a controlled, limited environment.
Your detection tools can’t be trusted
It is not uncommon for an infected computer to show no visible signs of compromise. Rootkit creators use various techniques, which are constantly changing and evolving, creating an “arms race” between good and evil. Kernel hooking and process injection are two of the more common methods used by malware today. These techniques hide system information, such as running processes and network activity, from your administrative and detection tools. Replaced binaries, hidden files and alternate data streams (ADS) are also commonly used. This is why the ISO ultimately recommends wiping out and rebuilding a system with a suspected compromise.
Recommendations/Observations
Once you have identified and removed the compromise, there are some steps you should take to ensure that the machine is protected from further exposure. This is particularly important if you are manually removing compromised code.
Change your passwords
After a compromise, be sure to immediately change all your passwords on all related trusted systems. Attackers commonly use passwords obtained from compromised systems to gain access to new systems. This is especially important if you are like many people and use the same password for different accounts. It is in your best interest not to use the same password for different accounts.
Harden your system
As you are eliminating the malicious code, it is a good opportunity to harden the compromised system to prevent future attacks.
Fortunately, following a common set of security best practices is beneficial in itself and also simplifies ensuring that the appropriate security controls are in place for all of your IT resources. These best practices include basic tasks such as shutting down unnecessary services, running a host-based firewall and anti-virus software, and applying operating system security patches. When dealing with systems that provide application services to other computers, you should also consider the service itself. This means taking the necessary steps to secure a specific service, such as a Web server or a database.
Before you reconnect to the campus network with the system that was compromised, be sure that you are in compliance with all policies and standards. The university offers a set of specific security standards that must be considered before placing a computer on the network. These standards should help administrators determine what level of security granularity will be required for data protection.
Links
http://www.rootkit.com - missing