S 6.23 Procedures in the event of malware

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: User, Administrator

Codes of conduct for the user

When an IT system becomes infected with malware or it is suspected that the system is infected, then it is especially important to keep calm. Panic or hasty action is often the cause of the damage in the first place or can even increase the damage already caused. The top priority, though, is to prevent the malware from spreading further.

In addition to the detection and reporting of malware by the virus protection program, the following can also indicate an infection with malware:

frequent program crashes
unexplainable system response
unexplainable error messages
use of unknown services
unexpected accesses to the network
unexplainable changes to the contents of files
a constantly decreasing amount of free storage space even though nothing has been stored
the sending of e-mails automatically without any user interaction
lost files
the inability to access individual drives or data media
problems when booting the PC
unexplainable changes to icons
problems when editing or saving files

It should be noted in this case that these problems do not necessarily indicate a malware infection only. The effects listed above could also be a sign of hardware or software errors, and the causes need to be examined closely for this reason.

Users must immediately report any discoveries (or suspicions) of malware. The users should be provided with a general alarm centre for this purpose (e.g. with a user help desk, Support department, or something similar). Additional information on this subject can be found in S 2.158 Reporting infections of malware.

When an infection of malware is detected or suspected, the user should stop working on the IT system and wait for further instructions from the central contact person.

Codes of conduct for the contact person responsible for malware

All of the further actions described in the following should be initiated and executed by the contact person responsible.

Until the facts of the matter have been clarified, the affected IT system should be disconnected first from all data networks. If the affected system is able to communicate wirelessly, then it must be switched off immediately because there is no other way to quickly and effectively separate it from the wireless data network.

Uncoordinated action in the event of an infection often causes even greater damage. For this reason, the person responsible for eliminating the malware from the system should be well trained. When in doubt, it is always better to consult another expert. It may be less expensive in the long run to consult an expert in spite of the potentially high service fees than to try to eliminate the damage caused by incorrect action after the fact.

The primary goal should be to prevent the malware from spreading further. The following safeguards must be implemented for this purpose:

notification of the employees
notification of external personnel/business partners, if necessary
deactivation of IT systems or certain services, if necessary
retention of evidence
elimination of the malware
determination of the source of the malware

Virus protection programs can automatically remove the infections detected under some circumstances. The infected files are "cleaned" in this case, which means the files are restored to their original states. Whether or not this is possible depends on the type of malware found, among other things, since some malware is also able to overwrite data or code areas. Autonomous malware can generally be removed by the virus protection program in this manner. Alternatively, the infected files may be placed in a quarantined area for closer inspection later on, if necessary.

Procedure when an infection is detected

An IT system suspected of being infected with malware may not be used productively until it is guaranteed that all malware has been successfully removed.

If an infection is detected, then the IT system should be started (booted) from a system or boot data medium that is free from malware. Corresponding CD-ROMs can be created using various virus protection programs. Boot CD-ROMs with pre-installed Unix/Linux operating systems and fully operational virus protection programs are also available for such emergencies. A correspondingly prepared USB stick can also be used as an alternative.

Furthermore, the IT system must be scanned with at least one fully updated virus protection program (with up-to-date program code and up-to-date malware signatures) to determine if any malware is actually present, and if so, what type of malware is present. Scanning the system with several different virus protection programs can increase the level of confidence. A log of the scan and its results should be recorded.

After that, the malware can be removed using a method that depends on the corresponding type of malware. Generally, the corresponding functions of the virus protection programs can be used for this purpose.

If automatic removal is impossible, then the website of the manufacturer of the virus protection program should be researched to determine if the malware can actually be completely removed. In most cases, the information provided by the manufacturer of the virus protection program will prove to be helpful. The method of operation of the malware discovered and method of elimination are usually described in detail on the website.

If the malware cannot be completely removed, then it is necessary to restore the system from a data backup (see S 6.32 Regular data backup) or to install a new system.

The hard disk(s) and all other data media potentially affected must be scanned again after the malware has been removed to ensure that the malware really has been completely removed. Subsequently, the boot sequence of the computer must be specified so that it is only possible to boot from the hard disk.

If the malware deleted or changed data that is still needed, then you must attempt to reconstruct the data from data backups (see S 6.32 Regular data backup), copies, or other reliable sources. Backup copies (see S 6.21 Backup copy of the software used), the original data media, or the web sites of trusted manufacturers can be used to restore the programs, for example.

All access codes and passwords used on the infected computers must be changed promptly to prevent misuse.

Determining the causes and analysing the damage

Finally, it should be attempted to determine the cause of the infection. If the original data media are discovered to be the source of the infection, then the manufacturer and the BSI should be informed. If the infection was caused by a file or an e-mail, then the author and/or sender of the file must be informed. If data was sent from an infected computer, then the recipients of this data also need to be informed (see S 2.158 Reporting infections of malware).

It is not only important to analyse the malware infection, but also to document it. This documentation and the analysis of the incident form the foundation for the subsequent revision of the security concept against malware, if necessary.

The overall goal is to enact effective countermeasures so that these types and similar types of incidents will not be repeated.

Review questions:

Are the IT systems infected with malware or suspected of being infected with malware immediately disconnected from all data networks?
Is a potentially infected IT system only used productively again once it is certain that all malware was removed successfully?
Are all access codes and passwords used on the infected computers changed promptly?
Are there suitable codes of conduct for users and experts for the procedure to follow in the event of malware?
Were the corresponding target groups informed in an appropriate manner of the procedures to follow in the event of malware?
Have the contact persons responsible been trained to react in the event of malware?
Is the knowledge gained from the analysis of malware incidents used to revise and update the security concept against malware?