Planning Your Response

Published: July 10, 2007

Planning cannot be considered complete until you have planned for the worst. If all your defenses are compromised by an attack, you need to ensure that the staff you work with know what to do. Your ability to mount a rapid response can make a big difference when an attack is severe.

As you plan your response, it is important to understand that overreacting to a malware problem can cause almost as much disruption as dealing with a real outbreak! Plan your response to be rapid but measured to minimize its effect on coworkers.

Create an Incident Response Plan

Creating an incident response plan that describes what should happen in the event of a suspected malware outbreak is an important preparation step for your organization. The plan should help instruct all affected staff on the best course of action when a malware outbreak occurs. It should aim to minimize the impact of the attack and communicate a documented incident response process that staff can follow. For example, a well-designed plan would be capable of managing the sequence of events for a typical incident such as the following:

  1. A staff member calls an in-house support resource after noticing something strange appear on her computer screen.
  2. The support resource checks the computer and calls a support number.
  3. A support technician responds to complete a short diagnostic test, and then either cleans or rebuilds the system depending on the severity of the problem.

The entire response process could take hours to complete, so having a plan in place that helps minimize the risk of the malware spreading further until the process is complete is important. For example, if the support resource is trained to run antivirus software on the computer and then remove the network cable from the suspect computer until a support technician arrives, this initial response eliminates the chance of the computer infecting other computers.

When planning your incident response plan, there are typically two scenarios that you need to consider:

  • Individual infection. This scenario, which is by far the most common, occurs when malware infects a single computer.
  • Mass outbreak. This scenario is thankfully much less common. A mass outbreak has the potential to cause serious disruption in the organization. Typically this scenario will only become apparent after the staff reports a number of individual infections that have similar symptoms.

Your incident response plan can cover both of these scenarios because the response process for an outbreak is an extension of the response to an individual infection. Typically the outbreak response will require you to temporarily isolate the organization's network to stop the attack from spreading further, and to give the support staff time to clean the infected systems. In some cases, it may be necessary to notify the network administrator or the person performing that role to change the firewall or router settings before the computers in the organization can be reconnected to the network. For example, if the malware uses a specific network port to infect computers, blocking this port at the firewall can prevent re-infection while allowing other network communications to continue.

 Important   If you still detect the presence of malware after using the kit to clean your computer, we recommend turning the computer off and not using it for five to 10 business days, or until your antivirus provider issues a virus signature update. You can then use the kit to download the latest signature files and rescan your computer to more effectively address the problem.

For more information about how to organize and develop an incident response plan, see the following resources:

Prepare a Kit for Offline Scanning

This section provides recommendations, support specifications, and a short set of tasks and instructions that you can use to prepare a Windows Preinstallation Environment (Windows PE) kit. You can then combine the kit with a set of tools to conduct offline scans for malware on the computers in your organization.

Windows PE provides powerful preparation and installation tools for Windows operating systems. With Windows PE, you can start Windows from a removable disk, which provides resources to troubleshoot Windows on the client computer. For more information about Windows PE, download the Windows Preinstallation Environment Technical Overview.

Unsupported Tools and Technologies

Windows PE does not support the following tools and technologies:

  • Internet Explorer® 7.
  • Applications that use Microsoft Windows Installer (.msi files).

Prerequisites

The following are operating system and feature requirements for preparing a Windows PE kit:

  • Windows Vista® or Windows XP® with Service Pack 2 (SP2).
  • DVD burner and software to write to a CD-ROM.
  • 992 MB of free space on the computer's hard drive disk to download the Windows PE .img file.

     Note   An additional 800 MB of space is required for the boot image on drive C of the computer when using the default script for the kit.

  • Microsoft .NET Framework version 2.0 and MSXML to run Windows Installer.

You can use the following resources to meet these requirements:

For more information about 32-bit and 64-bit system requirements, see the:

Task Overview

Complete the following tasks to prepare your Malware Removal Starter Kit to conduct offline scans:

  • Task 1: Install the Windows Automated Installation Kit (AIK)
  • Task 2: Download the malware-scanning tools and utilities
  • Task 3: Create the Malware Removal Starter Kit CD-ROM
  • Task 4: Use the Malware Removal Starter Kit to scan your computer

Task 1: Install the Windows Automated Installation Kit (AIK)

The first task in this process is to obtain the Windows Automated Installation Kit (AIK). This kit includes Windows PE and other files for you to install on your computer. The kit installs by default as an image (*.img) file on any system drive that you choose.

 Note   The AIK supports both Windows Vista and Windows XP SP2.

To install the AIK on your computer:

  1. Download the AIK from the Windows Automated Installation Kit (AIK) page on the Microsoft Download Center.

     Note   The size of .img file for the AIK is 992 megabytes (MB). For this reason, you may require extended time to download the file, depending on your connection speed to the Microsoft Download Center.

  2. Burn the .img file for the AIK to a DVD.

     Note   If your DVD-burning software does not recognize ".img" files, in the Save As dialog for the download, expand the Save as type drop-down list, change the file type to All Files and the file name extension from .img to .iso and then retry burning the information to a DVD.

  3. On the AIK DVD that you created, double-click StartCD.exe to install the AIK on your computer.

Task 2: Download the Malware-Scanning Tools and Utilities

You will need to identify the tools that you want to use with Windows PE to perform malware scans on your computer. Windows PE does not support tools that use .msi packages to install on your computer. In addition, the amount of random access memory (RAM) on your computer can constrain what scanning tools you can use.

There are a number of anti-malware tools available for free that require no installation that you can run as program files in the Windows PE environment. You can also run these tools from a USB device.

Download the malware-scanning tools that you want to use to a temporary location on your computer.

 Important   Some anti-malware tools require network access to run. For this reason, only use anti-malware tools that are available to use offline when you use this guidance to create your Malware Removal Starter Kit CD-ROM. We recommend reading the installation instructions for all of the offline scanning tools that you choose to use. Some tools may not be compatible with all Windows operating systems.

At the time this guidance was written, the following tools ran with Windows PE on a computer running Windows XP SP2 or Windows Vista with at least 512 MB of RAM:

  • avast! Virus Cleaner from Alwil Software. This tool is available for offline use. The signature files for the tool will be as current as the download date listed.
  • McAfee AVERT Stinger, a stand-alone virus scanner from McAfee. This tool is available for offline use. The signature files for the tool will be as current as the download date listed.
  • Malicious Software Removal Tool from Microsoft. This tool is available for offline use. The signature files for the tool will be as current as the download date listed.
  • Spybot - Search & Destroy from Spybot Search and Destroy.

     Note   Before you can use this tool, you must first install it on the computer you want to scan, and then download the latest signature file detection updates from Spybot. After the tool is installed, it will start by default from X:\Program Files\Spybot – Search & Destroy\spybotsd unless you specified a different path during the installation. The signature files for the tool will be as current as the download date listed. For more information about using this tool, see the Tutorial page of the Spybot Web site.

The following utilities are designed to help you manage your computer while you are in the process of removing malware from it:

  • Drive Manager from the Freeware Utilities by Alex Nolan Web site. This tool identifies different drive types, such as hard drives, CD/DVD drives, USB drives, network drives, and lists their properties for analysis. This tool is available for offline use.
  • System Spec from the Freeware Utilities by Alex Nolan Web site provides information about the current hardware on the computer. This tool may be useful if you are required to provide detailed information about the hardware while the computer is being serviced. This tool is available for offline use.

Task 3: Create the Malware Removal Starter Kit CD-ROM

Creating the Malware Removal Starter Kit CD-ROM requires you to produce a Windows PE image for the kit, modify the base Windows PE image by adding the tools to it, change the size of the disk cache to provide some additional space for RAM, and then build an .iso image file to burn the changed image to a CD-ROM. Periodically, you will need to download the latest virus signature updates for the offline scanning tools on the CD-ROM to keep them as effective as possible to detect malware.

 Important   After you start creating the Windows PE image, it is important to complete all of the steps in this task without interruption. If you have already downloaded the tools you plan to use, this process should take about 30 minutes to complete, depending on your system's performance and if you follow the steps in this task exactly as prescribed. You will need about 800 MB of free space on your C drive to complete this procedure. Ensure that you update all drive letter references as needed.

To create the Malware Removal Starter Kit CD-ROM:

  1. Log on to the computer as an administrator, click Start, click All Programs, click Microsoft Windows AIK, and then click Windows PE Tools Command Prompt.

     Note   This step applies to Windows XP. If you are running Windows Vista on your computer, right-click Windows PE Tools Command Prompt, click Run as administrator, and then click Continue.

  2. At the command prompt, type the following and then press ENTER to create a copy of the x86 image of Windows PE and set up a working folder directory on your computer:

     copype x86 c:\WinPE

  3. At the command prompt in the new directory c:\WinPE, type the following and then press ENTER to mount the WinPE.wim image so that you can change it:

     imagex /mountrw winpe.wim 1 c:\WinPE\Mount

  4. At the command prompt, type the following and then press ENTER to load the following registry subkey from the mounted image:

     reg load HKLM\_WinPE_SYSTEM c:\WinPE\Mount\windows\system32\config\system

  5. At the command prompt, type the following and then press ENTER to create a 96 MB disk cache in RAM:

     reg add HKLM\_WinPE_SYSTEM\ControlSet001\Services\FBWF /v WinPECacheThreshold /t REG_DWORD /d 96 /f

  6. At the command prompt, type the following and then press ENTER to unload this registry key:

     reg unload HKLM\_WinPE_SYSTEM

  7. Create a directory for the malware-scanning tools under the Mount folder (for example, you could use the name "Tools" for this folder):

     mkdir c:\WinPE\mount\Tools

  8. Copy the tool files that you downloaded in Task 2 to the tools directory that you just created. Example:

     copy <tools from the Task 2 directory> c:\WinPE\mount\Tools

  9. At the command prompt, type the following, press ENTER, and then type Yes and press ENTER again to continue the process:

     peimg /prep c:\WinPE\Mount

  10. At the command prompt, type the following and then press ENTER to save your changes:

     imagex /unmount c:\WinPE\Mount /commit

  11. At the command prompt, type the following, press ENTER, and then type Yes to overwrite the existing file:

     copy c:\WinPE\WinPE.wim c:\winpe\ISO\sources\boot.wim

  12. At the command prompt, type the following and then press ENTER to create an .iso file of the Windows PE image:

     oscdimg -n -bc:\WinPE\etfsboot.com c:\WinPE\ISO c:\WinPE\WinPE_Tools.iso
  13. Burn the .iso file located at c:\WinPE\WinPE_Tools.iso to a CD-ROM and test the Windows PE image to verify that it runs all of the malware-scanning tools correctly.

     Note   You also can use Microsoft Virtual PC 2007 to test the image.
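The Task 3 steps as one batch script, an added example that is not part of the original guidance or the kit: it runs the same commands from the Windows PE Tools Command Prompt, stops at the first failing step, and unmounts the image without /commit on failure so a half-finished build is discarded rather than saved into winpe.wim. The ROOT and TOOLS paths are assumptions you change to match your drive letters, and the /f switch on peimg /prep to suppress the Yes prompt is assumed; if your AIK build lacks it, drop the switch and answer Yes interactively.

```batch
@echo off
setlocal
rem Added example: automates Task 3. Run it from the Windows PE Tools
rem Command Prompt so copype, imagex, peimg and oscdimg are on the PATH.
rem ROOT and TOOLS are assumed paths; adjust drive letters as needed.
set ROOT=c:\WinPE
set TOOLS=c:\Downloads\ScanTools

if not exist "%TOOLS%\*" (echo Tools folder %TOOLS% is missing.& exit /b 1)
if exist "%ROOT%" (echo %ROOT% already exists; remove it or change ROOT.& exit /b 1)

rem Step 2: copy the x86 Windows PE files into the working folder.
call copype x86 %ROOT% || goto :fail
cd /d %ROOT% || goto :fail

rem Step 3: mount the boot image read/write.
imagex /mountrw winpe.wim 1 %ROOT%\Mount || goto :fail

rem Steps 4-6: load the offline SYSTEM hive, set the 96 MB FBWF cache, unload.
reg load HKLM\_WinPE_SYSTEM %ROOT%\Mount\windows\system32\config\system || goto :unmount
reg add HKLM\_WinPE_SYSTEM\ControlSet001\Services\FBWF /v WinPECacheThreshold /t REG_DWORD /d 96 /f || goto :unload
reg unload HKLM\_WinPE_SYSTEM || goto :unmount

rem Steps 7-8: copy the offline scanners into the image.
mkdir %ROOT%\Mount\Tools || goto :unmount
xcopy /e /i "%TOOLS%" %ROOT%\Mount\Tools || goto :unmount

rem Step 9: prepare the image (/f assumed to skip the confirmation prompt).
peimg /prep /f %ROOT%\Mount || goto :unmount

rem Steps 10-12: commit the changes, replace boot.wim, build the .iso.
imagex /unmount %ROOT%\Mount /commit || goto :fail
copy /y %ROOT%\WinPE.wim %ROOT%\ISO\sources\boot.wim || goto :fail
oscdimg -n -b%ROOT%\etfsboot.com %ROOT%\ISO %ROOT%\WinPE_Tools.iso || goto :fail
echo Built %ROOT%\WinPE_Tools.iso. Burn it and test every tool before relying on it.
exit /b 0

:unload
reg unload HKLM\_WinPE_SYSTEM
:unmount
rem Unmount WITHOUT /commit so the partly modified image is thrown away.
imagex /unmount %ROOT%\Mount
:fail
echo Build failed; check the output of the last command above.
exit /b 1
```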

The CD-ROM for your Malware Removal Starter Kit is now ready. If you require more frequent virus signature updates for your environment, we recommend maintaining the scanning tools you choose to use on a USB device to obtain the latest updates.

Task 4: Use the Malware Removal Starter Kit to Scan Your Computer

Now you are ready to use the Windows PE image and the tools you selected to scan your computer for malware.

To use the Windows PE CD-ROM and tools to scan your computer:

  1. Place the new CD-ROM in the computer's CD drive or DVD drive and then ensure that you start the computer from this drive according to your computer's startup order.

     Option: Insert the USB device in a slot on the computer to ensure that the device is loaded when you start the operating system.

     Note   For more information about starting your computer from a Windows PE CD-ROM startup disk, see the Windows Preinstallation Environment Overview on Microsoft.com. This resource provides information about configuring your basic input/output system (BIOS) settings for the startup order of the computer, and other BIOS settings that may prevent you from starting the computer from the CD drive.

  2. Run the malware-scanning tools that you selected. If you used the default configuration information in Task 3 to build the Windows PE image, you will find the tools located at X:\Tools. You can run the listed tools by typing the name of the program file for each one at the command prompt.

     Option: If you inserted a USB device to provide updated signatures or tools, and you are unsure of the drive letter that the USB device is using, you can determine the drive letter using Drive Manager, which is located at X:\Tools.

     Note   To run Spybot, refer to Spybot's installation instructions, and ensure that the definition program file runs after you install this tool on the computer.

 Caution   Running malware-scanning tools on an infected computer may damage the computer's ability to start properly. If key boot files are infected by malware, the cleaning process may prevent the operating system from working. For this reason, it is important to regularly back up all important information files on your computer. In addition, after restoring these files to the computer from your backup resource, we recommend rescanning the computer to detect any malware that may be present in your backup files.

This accelerator is part of a larger series of tools and guidance from Solution Accelerators.
