Microsoft Security Tool Kit: Compromised Systems

The software, tools, and information provided in the Security Tool Kit can be used to install an up-to-date Windows system and to configure it so that it is less likely to be affected by known methods of attack or future attacks that exploit similar vulnerabilities. However, we know that some customers will have questions or concerns because their systems have already been, or may have been, attacked by Nimda, SQLSlammer, or another piece of hostile software.

This page is intended to provide you with basic answers to four questions:

  • How can I know whether a malicious user or piece of hostile software has successfully attacked my system?
  • My system has been attacked; what should I do now?
  • How do I know if my network has been compromised?
  • How do I reinstall my software securely?



Have I been attacked?

The basic way to determine whether your system has been compromised is to scan it by using an up-to-date antivirus scanner. Scanners examine your system for signs of hostile software activity such as new or modified files, telltale signatures within files, and (in some cases) changed permissions. Scanners are more likely to detect hostile software than a malicious user; however, malicious users commonly install hostile software after compromising a system. Although no scanner can do a perfect job of detecting the effects of hostile software, particularly newly released software, antivirus product vendors stake their reputations on doing an effective job of detecting the effects of hostile software.

Of course, if you notice changes within your system that you cannot account for, such as new user accounts, executables, changed permissions, or shares that have suddenly opened up, you may want to investigate further, even if the antivirus software detects no infected files. Other symptoms might include high processor utilization with no open programs, constant network activity, or odd behavior of the user interface. Refer to the CERT Coordination Center's Intruder Detection Checklist for more information.

In addition to running antivirus software, you should also check the advisories posted by the CERT Coordination Center about hostile software and other incidents of Internet abuse. The CERT Coordination Center is funded by the U.S. Government to respond to Internet security incidents and provides Internet users with timely advice about how to respond.
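
The unexplained changes described above (new user accounts, newly opened shares, unfamiliar running services) are easiest to spot against a saved record of the known-good state. The following PowerShell script is an added example, not part of the Security Tool Kit; it assumes Windows 8 / Windows Server 2012 or later with PowerShell 5.1, and the baseline path is a hypothetical location on removable media.

```powershell
# Added example. Run once with -Save on a known-good system, then run again
# without -Save to list what has changed since the baseline was taken.
param(
    [string]$BaselinePath = 'E:\baseline\state.json',  # hypothetical path on removable media
    [switch]$Save
)

function Get-SystemState {
    # Each value is a sorted list of strings so two snapshots compare directly.
    [ordered]@{
        Users    = @(Get-LocalUser | Where-Object Enabled | ForEach-Object Name | Sort-Object)
        # S-1-5-32-544 is the built-in Administrators group (name varies by language).
        Admins   = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object Name | Sort-Object)
        Shares   = @(Get-SmbShare | ForEach-Object { "$($_.Name) -> $($_.Path)" } | Sort-Object)
        Services = @(Get-Service | Where-Object Status -eq 'Running' | ForEach-Object Name | Sort-Object)
    }
}

$current = Get-SystemState

if ($Save) {
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Output "Baseline written to $BaselinePath"
    return
}

if (-not (Test-Path -Path $BaselinePath)) {
    throw "No baseline at $BaselinePath; run with -Save on a known-good system first."
}
$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json

# Report every item present now but not in the baseline, and the reverse.
$changes = foreach ($category in $current.Keys) {
    $old = @($baseline.$category)
    $new = @($current[$category])
    foreach ($item in $new) {
        if ($item -notin $old) { [pscustomobject]@{ Category = $category; Change = 'Added'; Item = $item } }
    }
    foreach ($item in $old) {
        if ($item -notin $new) { [pscustomobject]@{ Category = $category; Change = 'Removed'; Item = $item } }
    }
}

if ($changes) { $changes | Format-Table -AutoSize } else { Write-Output 'No differences from baseline.' }
```

A baseline stored on the system itself can be altered by whoever compromised it, which is why the example keeps it on separate media.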


What do I do if I have been attacked?

If you know that your system has been attacked by a malicious user or a piece of hostile software (hereafter referred to as "attacker"), you should refer to your organization's security policy to determine the correct course of action. Often, the first steps are not technical, but rather legal.

Before any other action is taken on the system, it should be physically removed from the network. Remove all network cables, modem connections, and wireless network interfaces. Removing network connectivity greatly reduces the attacker's ability to cause further damage, compromise the recovered system, and capture information about your recovery process. Depending on your organization's security policy, the next step may be to duplicate all data on the system to provide information for computer forensics and further legal action. This section focuses on recovering the system and will not describe the steps necessary to analyze the attack or gather evidence for legal purposes.

There are two basic methods for cleaning the system and bringing it back online: you can either attempt to remove the effects of the attack, or you can elect to reinstall your software and data from known good copies. Some antivirus products offer the option to "clean" the effects of hostile software by detecting and removing the changes that such software makes to your system. In addition, some tools have been made freely available to clean up or remove the effects of some of the more widely-publicized hostile software.

Although antivirus products may be effective in removing the effects of hostile software, there are some significant issues to consider:

  • Some hostile software is very complicated, and tools that attempt to clean up its effects might fail to address every change or effect.
  • Some hostile software (such as the Code Red and Nimda worms) exposes an affected system to complete penetration. Anyone with network access to such a system can gain complete control and make any additional change that he or she wishes. Even if an antivirus product reliably eliminates the direct effects of the hostile software, it cannot detect or reverse changes that unauthorized users made while the system was exposed by the hostile software.
  • Even though your antivirus software vendor has released a new signature that will detect the virus and "clean" it, it might take several hours before the new signature can be downloaded. Because hostile software can be complicated and have multiple effects, it may take some time before your antivirus vendor has fully investigated a particular hostile program and released a signature file that can clean the program's effects completely.

All three of these issues support a decision to reformat the system drives and reinstall software on an affected system from a known good copy. The CERT Coordination Center guidelines for recovering from attack, posted at the CERT Coordination Center, recommend this choice.

The final choice of reformatting or reinstalling after attack is of course up to the system owner. If the severity of the attack to the system and its data is not great, or if the system is in a restricted environment and unlikely to have been subject to additional intrusion, cleaning the system may be the correct choice. Erasing the system and reinstalling the software and data, however, is always the conservative choice.


How do I know if my network has been compromised?

If you are running an intrusion detection package on your network, it should be able to detect the traffic generated by hostile software such as the Code Red or Nimda worms. If you don't have intrusion detection software, you should be guided by the status of the individual machines on your network. If any of them has been infected by hostile software, it's likely that it is attempting to find other machines to attack on your network. Only when all such infected machines have been removed or reinstalled and then secured to prevent future infection can you assume that your network is safe.


How do I reinstall my software securely?

The CERT Coordination Center document briefly discusses the need to reinstall software and data from trusted media and in a secure manner. Although the specifics of reinstalling will depend on your specific environment, software, and network configuration, the following are some general guidelines.

  1. Consider the possibility that your system could be re-infected during the reinstallation process. This result can happen if the installation process allows an unpatched or unsecured system to become operational on the network or if hostile software on the network can intervene during the reinstallation process.
  2. One safe approach is to install the software, including the operating system and applicable service packs and security patches, while the system is offline from the network. You should download the operating system's latest service pack and all critical updates released since that service pack. Place all of these files onto removable media that the target system can read, such as a CD-ROM. Then, perform the installation by using the original operating system CD-ROMs and the CD-ROM you created containing the latest patches. This process can be streamlined by slipstreaming the updates into the operating system setup files and creating a CD-ROM with those files. The Microsoft Security Tool Kit includes detailed instructions to put your system in a secure (locked down) configuration before you reattach it to the network.
  3. You might find yourself in a situation in which you can obtain only the required security updates from a network location. In this situation you must reduce your exposure to threats until you have downloaded and installed the updates. You should always perform the basic installation of the OS while not connected to the network. However, if you must join a network to obtain additional updates, some basic precautions you should take prior to connecting to the network include:
    • Disable all file shares on your system.
    • Refrain from reading email on this system.
    • Use your browser only to download the fixes; avoid unnecessary browsing.
    • Disable Internet Information Services (IIS) and all other unnecessary services.
    • Consider removing IIS completely if this machine will not need IIS.
    • Re-enable IIS and the other services only after all the appropriate service packs and other updates have been applied.
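
The technical precautions in step 3 can be checked before the network cable goes back in. The following PowerShell script is an added example, not part of the Security Tool Kit; it assumes Windows 8 / Windows Server 2012 or later with PowerShell 5.1, and the list of IIS-related service names is an assumption about which components may be installed.

```powershell
# Added example. Run on the rebuilt system while it is still offline.
# 'Fail' rows contradict the checklist; 'Review' rows need a human decision.
function Test-PreConnectState {
    # "Disable all file shares": report every share that is not a built-in
    # administrative share (C$, ADMIN$, IPC$ are flagged Special by Windows).
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        [pscustomobject]@{ Severity = 'Fail'; Check = 'FileShare'
                           Detail = "$($share.Name) -> $($share.Path)" }
    }

    # "Disable IIS": web, admin, FTP and SMTP services should be stopped and
    # set to Disabled so that they do not start again on the next boot.
    $iisNames = 'W3SVC', 'IISADMIN', 'MSFTPSVC', 'FTPSVC', 'SMTPSVC'   # assumed list
    foreach ($svc in (Get-Service -Name $iisNames -ErrorAction SilentlyContinue)) {
        if ($svc.Status -ne 'Stopped' -or $svc.StartType -ne 'Disabled') {
            [pscustomobject]@{ Severity = 'Fail'; Check = 'IIS'
                               Detail = "$($svc.Name): $($svc.Status), start type $($svc.StartType)" }
        }
    }

    # "All other unnecessary services": list what is listening on a
    # non-loopback address so each listener can be justified or disabled.
    $listeners = Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' } |
        Sort-Object LocalPort -Unique
    foreach ($l in $listeners) {
        $proc = (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        [pscustomobject]@{ Severity = 'Review'; Check = 'Listener'
                           Detail = "TCP $($l.LocalPort) owned by $proc" }
    }
}

$results = @(Test-PreConnectState)
$results | Format-Table -AutoSize

# A non-zero exit code lets a build script refuse to continue.
if ($results | Where-Object Severity -eq 'Fail') {
    Write-Output 'Do not connect yet: resolve the Fail rows first.'
    exit 1
} else {
    Write-Output 'No open file shares or enabled IIS services found.'
}
```

The same script can be re-run after the updates are installed to confirm that IIS and other services were re-enabled only deliberately.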
