FSU

What is malware?

Malware seeks to execute code on platforms where it does not have permission to execute such code.

What is the fertile environment for malware?

To quote MF from page 193:

Given the number of vulnerabilities that exist in Microsoft applications, it is incumbent upon digital investigators to be aware that malicious code is not only found in executable files, but may be embedded in Microsoft Word or Excel files, or may be deliver through Web-based attacks involving ActiveX controls.

Characteristics of APTs using the highest quality malware

Following Kaspersky's excellent discussion of the high quality malware "ProjectSauron">:

Timestamping

Relational

Looking at email

Where do failures tend to occur?

MF lists these places to look on page 201:

Over the last few years, Adobe's Flash and PDF products have become the source of many observed security lapses, and Adobe has been slow to patch these products.

How to spot problems

Malware generally needs to communicate, and that need to communicate is a weak point that can often be observed — although some of the anti-forensics that are popping are showing that covert communication channels can be quite subtle.

The Aurora attacks, for instance, have been analyzed and found to use covert channels. McAfee published An Insight into the Aurora Communication Protocol in January of 2010 looking at the communication protocol used by Aurora. This revealed just sophisticated the command and control behind this attack was, and, in particular, the ability of the attacker to control the infected system at quite a fine level.

So look in network logs