Last year, several South African companies' systems were infiltrated by cyber-attackers. Many companies in South Africa are reported to have inadequate defences and to be highly vulnerable to cyber-attacks. Here are some useful recommendations, put together by one of Risk Diversion's own investigators, for removing malware from a local network.
1. Quarantine the network
It is important to disconnect the local network from the Internet immediately once malware has been detected. This prevents further infection from an external source and stops the malware from connecting to external sites.
2. Close all suspected ports
Once the malware infecting the network has been identified, you should start blocking all ports used by the malware. There are various sources that can be used to determine which ports to close based on the malware identified. Submitting a sample for analysis or checking the malware hashes on sites such as VirusTotal can help you determine the type of malware that you are dealing with. Just to be safe, we recommend that you use a clean machine isolated from the network to close the ports.
3. Scan all computers
Scan all of the computers with a trusted antivirus that has the latest database updates. Where some workstations do not have the latest updates, the updates should be transferred and installed via removable media. If the antivirus cannot detect the malware infection, a sample should be sent to malware specialists for analysis.
To track down the malware's executable files, look at several indicators: network traffic (malware files usually generate a large amount of network traffic and also consume a lot of system resources), the Windows system folders, and the System Registry, where the start-up keys that launch the malware files can be identified.
4. Quarantine infected computers
After scanning the computers with reputable malware removal tools, infected files should be detected and quarantined. You will then be able to safely remove all of the quarantined files. Always double-check the quarantined files to avoid deleting important content.
5. Restart computers
After the files have been quarantined and deleted, restart the computers that have been infected and scan them again to make sure that all of the infected files have been removed.
6. Disable System Restore
Where some infected files have ended up in the System Restore folders, it is necessary to temporarily disable System Restore and restart the computer to make sure the infected files in those folders are removed.
7. Install a Firewall (if necessary)
If not already installed, install a firewall on the Internet gateway or on all workstations and configure it to block any ports used by malicious software (except for commonly used ports, such as port 80, which is used for normal Internet connections).
8. Install Security Updates
To prevent future infections, make sure that the latest security updates, patches and service packs are installed on all workstations.
9. Change Passwords for Shared Resources
Some malware can spread to network shares, while other types, such as Trojans, can intercept passwords. It is important to change the passwords for shared network resources and important applications after a malware infection.
10. Reconnect Local Network and Internet Access
After ensuring that all of the infected files have been removed, you can reconnect the computers to the local network and enable the Internet connection. Continued monitoring of network traffic is recommended to prevent a recurrence of the event.
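As an added example (not from the original post and not Risk Diversion's own tooling), the following Python helper ties together steps 3 and 4: it hashes every file under a directory, matches the hashes against a blocklist of confirmed-bad SHA-256 values (in practice confirmed via VirusTotal or an analyst), and moves matches into a quarantine folder with a manifest so each file can be reviewed, and restored if it turns out to be a false positive, before anything is deleted. All function names, the sample files and the blocklist are constructed for the demonstration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Stream the file so large executables need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def find_matches(root: Path, bad_hashes: set) -> list:
    # Walk the tree and return every file whose SHA-256 is on the blocklist.
    return [p for p in sorted(root.rglob("*")) if p.is_file() and sha256_of(p) in bad_hashes]

def quarantine(files: list, qdir: Path) -> Path:
    """Move matches into qdir and keep a manifest so each can be reviewed, and restored, before deletion."""
    qdir.mkdir(parents=True, exist_ok=True)
    manifest = qdir / "manifest.json"
    entries = json.loads(manifest.read_text()) if manifest.exists() else []
    for p in files:
        digest = sha256_of(p)
        dest = qdir / f"{digest}.quarantined"  # renamed so it cannot be launched by accident
        shutil.move(str(p), str(dest))
        entries.append({"original": str(p), "sha256": digest, "stored_as": dest.name})
    manifest.write_text(json.dumps(entries, indent=2))
    return manifest

def restore(manifest: Path, digest: str) -> Path:
    """Put one quarantined file back in place (a false positive found on review)."""
    entries = json.loads(manifest.read_text())
    entry = next(e for e in entries if e["sha256"] == digest)
    dest = Path(entry["original"])
    shutil.move(str(manifest.parent / entry["stored_as"]), str(dest))
    manifest.write_text(json.dumps([e for e in entries if e != entry], indent=2))
    return dest

def demo() -> dict:
    root = Path(tempfile.mkdtemp())  # constructed sample tree of harmless text files, not real malware
    bad = root / "sys" / "svc_update.exe"
    bad.parent.mkdir()
    bad.write_bytes(b"CONSTRUCTED SAMPLE standing in for a confirmed-bad binary")
    (root / "sys" / "readme.txt").write_text("benign file")
    digest = sha256_of(bad)  # in practice: a hash confirmed bad via VirusTotal or an analyst
    matches = find_matches(root / "sys", {digest})
    manifest = quarantine(matches, root / "quarantine")
    return {"matches": [m.name for m in matches], "digest": digest, "manifest": manifest, "original": bad}
```

Run `demo()` to see the benign file left alone and the matched file moved and recorded in `manifest.json`; `restore()` reverses a single quarantine entry by hash.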