Malware Post-Mortem

To quote MF from page 193:
Given the number of vulnerabilities that exist in Microsoft applications, it is incumbent upon digital investigators to be aware that malicisiou code is not only found in executable files, but may be embedded in Microsoft Word or Excel files, or may be deliver through Web-based attacks involving ActiveX controls.

I have a friend right now who has a system chock-ful of Excel spreadsheets, some of which may well be infected, but it's less likely since his virus scanner is reporting them clean. (Virus scanners are at their strongest on such static file analysis.)

There has been a resurgence of Torpig/Mebroot around the net (in fact, it's the subject of today's campus IT security meeting), and it's entirely possible that he is a victim of this or another rootkit since none of his ordinary malware protection suites are detecting the problem...

So, how do we (cost effectively?) resolve my friend's problem?



Looking at email

Where do failures tend to occur?

MF lists these places to look on page 201:

In the last six months or so, Adobe's Flash and PDF products have become the source of many observed security lapses, and Adobe has been slow to patch these products.

How to spot problems

Malware generally needs to communicate, and that need to communicate is a weak point that can often be observed — although some of the anti-forensics that are popping are showing that covert communication channels can be quite subtle.

The recent Aurora attacks, for instance, have been analyzed and found to use covert channels. McAfee published An Insight into the Aurora Communication Protocol in January of 2010 looking at the communication protocol used by Aurora. This revealed just sophisticated the command and control behind this attack was, and, in particular, the ability of the attacker to control the infected system at quite a fine level.

So look in network logs