How to investigate malware

Are you under the gun and faced with investigating malware on your internal network?  This page is dedicated to suggestions that will help you take a structured approach to identifying and removing the electronic contagion. 

What details do you have about the enigma?  For example, do you have the IP address of the infected host?  Do you have the time frame during which the suspicious event took place?  Knowing both of these details can dramatically shorten the investigation process.

Where can you look for details?  If you already know which host is infected and its physical location, we can skip this step.  If not, what central repository of logged data do you have?  Do you collect NetFlow, sFlow, or IPFIX from all your network devices to a central location? Search on the IP address of the host and determine the its physical location. 

Next, remove the user from the end system, but, if possible, AVOID turning the machine off.  Do shut down any unnecessary applications, especially the ones that tend to be chatty on the network. Return to the NetFlow and IPFIX collector and by filtering on the IP of the host and the time stamp of the incident, identify the related network traffic. When did this behavior first start?  Hopefully you have enough flow history saved to look back weeks or months.  By finding the first occurrence of the traffic, you can determine when the malware was installed.  When finished, save the profile for future reference as you may need this in order to try and find other machines on the network communicating in a similar way.  Perhaps they communicated to the same Internet hosts, used the same ports, etc.

Getting back to the infected machine, install WinPrefetchView on it.  NOTE: There are other applications out there that perform the same functions.  List the applications by install date.  Find any applications that were installed just prior to the first occurrence of the odd network traffic.  Does the last time the application ran correlate with the last time you saw the malware's network traffic?  This might provide more evidence that you have positively identified the malware. Check the process path, make a copy of the file and upload it to www.virustotal.com; this could give you additional information on the type of malware you are dealing with.

You can also check the history in the web browser to try and ascertain the URL the user visited when he or she first came in contact with the contagion.  These details also help when searching on other suspect computers.

Clearly, your incident response system for investigating malware is going to end up being an amalgamation of useful functions.  Make sure you have practiced using them and definitely make sure you are saving weeks, if not months, of flow data.