1 of 1 people found this helpful
As you probably know Sality is real complex and it spreads over the network easily, so there are no much secrets besides the instructions provided on the .pdf file attached.
Answering directly your question "how to control sality outbreak on the network without causing any impact", I'd say this is something difficult. You will have to disconnect machines from the network in order to perform some procedures and also verify if there is a new variant still unknow to AV.
Also is normal when you get a W32/Sality outbreak that you have multiple variants in your company. Procedures below is what I think that might help you:
1. Block all of the URLs in your proxy/firewall described on this .PDF and also go to http://vil.nai.com, type Sality there and see if there are additional URLs used by this malware. Why? Just because Sality keeps connections to malware authors websites to download new variants.
2. Make sure that the following access protections rules are enbaled in your environment:
- Prevent IRC Communication (Anti-Virus Standard Protection)
- Ensure that the option to ‘Prevent McAfee Services from being stopped’ is enabled.
- Enable McAfee-specific options in the ‘Common Standard Protection’ rule categories
- Prevent modification of McAfee files and settings
- Prevent modification of McAfee Common Management Agent and settings
- Prevent modification of McAfee Scan Engine files and settings
- AV Standard Protection - Prevent remote creation of autorun files
- Prevent registry editor and task manager from being disabled
For workstations, web servers, database servers, etc I would really enable the additional AP rule named "Make all shares read-only". You cannot enable these rules in your file server since it would deny services to end users. However, users are supposed to use file servers to written data, they should not copy data to other users folders or servers like web, sql, etc. This rule will avoid new infectiosn of Sality and every other malware which spreads over the network.
3. Then I'd prepare a CD with the latest betadat plus virusscan command-line scanner so you can use these files for cleaning the affected machines.
4. Monitor the new dashboard and disconnect all of the "threat sources" from the network. Disconnect all of the threat sources from the network. On each machine perform the clean process described on the attached document (page 17). You can use the CD with a command liner scanner (step 3) if Sality has corrupted your AV. If there are servers on this list that you cannot disconnect them at this time, I'd start a full on-demand scan on this server so you can get it cleaned. If you cannot do a full on-demand due to CPU utilization, you can prepare a minor Scan on this server by scanning only:
- Memories for rootkits;
- process running
If this 'minor' scan is something that will affect your business, well, I'd do a super minor :-) scan that will scan only memories for rootkits and process running. It should clean the malware from the memory and will should make that this machine does not spread the malware by itself to remote machines.
5. If you have servers in your organization running a very old S.O. where there are no AV or there is an out-of date AV, I'd enable the "Scan network drives" option on the properties of the on-Access scanner of the workstations which usually access these servers.
6. If you see a machine showing up as 'threat source' of Sality in your dashboard and then you go there and disconnect it from the network, perform a full ODS and you see that all of the files were cleaned. Then you reboot it and after the reboot you perform another full scan just to make sure that the malware was really removed, but on this second full scan you see that there are lot sof files still infecteds and they are cleaned again, you probably have another variant on this machine. Usually this is a service/driver which is started by Sality during a reboot and then this new variant can infect files with the new code and also with an old code which is known by the AV. So on this case you will have to manually find out what's the new variant and then submit them to McAfee labs so you can receive an SED or a betadat with the solution. For all of the machines that you peform the clean process (disconnect, scan, reboot, scan), they should no longer appear in your dashboard as threat source anymore. If they do, one or more conditions might be true and you must review:
- On-access scanner has too many exclusions;
- On-Access scanner is being disabled;
- OAS is not configured properly;
- Your access protection rules are allowing that someone can stop your AV.
- There are a new variant along to the ones that your AV is saying that is being detected and cleaned.
7. Make sure that you have a least a daily on-demand scan in all machines of your environment set to scan at least memories for rootkits and process running (this scan should not take longer than 5 minutes) and a weekly full on-demand scan.
Note: All of the recommendations above were based in my own experience with this malware, while it should not something very easy to do, they were at least for me very effective.
Hope this helps.
1 of 1 people found this helpful
after step 3 and before step 4:
Step 3.5-) Import the quries attached to this thread in your ePO server and then create a new dashboard in ePO pointing to each query.
Thank you so much.... I really appreciate the detail you put into the write up...very grateful.
Although i have implemented a few of the measures, i still find the piece very useful. I was able to build up a proper guide to suit my environment based on your's....thanks a bunch...i will keep you posted as we make progress
no problem, good luck.