FSU

Malware Post-Mortem

To quote MF from page 193:
Given the number of vulnerabilities that exist in Microsoft applications, it is incumbent upon digital investigators to be aware that malicious code is not only found in executable files, but may be embedded in Microsoft Word or Excel files, or may be delivered through Web-based attacks involving ActiveX controls.

I had a friend who had a system chock-full of Excel spreadsheets, some of which were possibly infected, but it was less likely since his virus scanner was reporting them clean. (Virus scanners are at their strongest on such static file analysis, but certainly not perfect. Running multiple scanners over the same static files can produce better results.)

There was a resurgence of Torpig/Mebroot around the net around the time of the problem, and it was entirely possible that he was a victim of this or another rootkit, since none of his ordinary malware protection suites were detecting the problem...

So, how could we (cost effectively?) resolve my friend's problem?
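One cheap static check that complements the virus scanners mentioned above: modern Word and Excel files are ZIP containers, and an embedded VBA project shows up as a vbaProject.bin part declared in [Content_Types].xml regardless of what extension the file carries. The script below is an added example, not code from the course notes or from the Malware Forensics book; the sample documents it inspects are constructed in memory and are not real spreadsheets.

```python
"""Static triage of Office Open XML (.docx/.xlsx/.docm/.xlsm) files.

Flags files that carry a VBA macro project. Added example; the sample
documents are constructed here and are not real Office files.
"""
import io
import zipfile

# Content type Office uses to declare a VBA project part
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def inspect_ooxml(data: bytes) -> dict:
    """Return findings for one OOXML file supplied as bytes."""
    findings = {"is_zip": False, "vba_parts": [], "declares_vba": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings  # legacy OLE2 (.xls/.doc) or not an Office file at all
    findings["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # The macro project is stored as a part named vbaProject.bin
        findings["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        # ...and is normally declared in the package content types
        if "[Content_Types].xml" in names:
            ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
            findings["declares_vba"] = VBA_CONTENT_TYPE in ct
    return findings


def has_macros(data: bytes) -> bool:
    """True if either the part or its content-type declaration is present."""
    f = inspect_ooxml(data)
    return bool(f["vba_parts"]) or f["declares_vba"]


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like ZIP for demonstration (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        ct = ('<?xml version="1.0"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              '<Default Extension="xml" ContentType="application/xml"/>')
        if with_macro:
            ct += ('<Override PartName="/xl/vbaProject.bin" '
                   'ContentType="application/vnd.ms-office.vbaProject"/>')
        ct += "</Types>"
        z.writestr("[Content_Types].xml", ct)
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # OLE2 magic followed by padding; a stand-in for a real VBA project
            z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample(False)), ("macro", build_sample(True))):
        print(label, has_macros(doc), inspect_ooxml(doc))
```

A hit here only means "this file can run code"; the next step is extracting and reading the VBA with a dedicated tool, and cross-checking the file's hash with more than one scanner as the notes suggest.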

Timestamping

Relational

Looking at email

Where do failures tend to occur?

MF lists these places to look on page 201:

In the last eighteen months or so, Adobe's Flash and PDF products have become the source of many observed security lapses, and Adobe has been slow to patch these products.

How to spot problems

Malware generally needs to communicate, and that need to communicate is a weak point that can often be observed — although some of the anti-forensics techniques that are popping up show that covert communication channels can be quite subtle.

The Aurora attacks, for instance, have been analyzed and found to use covert channels. McAfee published "An Insight into the Aurora Communication Protocol" in January of 2010, looking at the communication protocol used by Aurora. This revealed just how sophisticated the command and control behind this attack was, and, in particular, the ability of the attacker to control the infected system at quite a fine level.

So, look in network logs.
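What "look in network logs" can mean in practice: command-and-control traffic usually has to check in, and even a subtle channel often betrays itself by its regularity rather than its content. The script below is an added example, not from the course notes or the McAfee paper. It assumes a simple connection-log line format (timestamp, src, dst, bytes) and the log lines are constructed for the demonstration; it groups connections by source/destination pair and flags pairs whose inter-connection intervals are nearly constant.

```python
"""Flag beacon-like periodic connections in a connection log.

Added example; the log format and the sample lines are constructed
for this demonstration and do not come from a real system.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one host talks to two destinations. One destination
# is contacted every ~5 minutes with near-identical small payloads.
SAMPLE_LOG = """\
2010-02-01T10:00:00 src=10.0.0.5 dst=203.0.113.7:443 bytes=612
2010-02-01T10:00:07 src=10.0.0.5 dst=198.51.100.20:80 bytes=14022
2010-02-01T10:05:01 src=10.0.0.5 dst=203.0.113.7:443 bytes=608
2010-02-01T10:09:59 src=10.0.0.5 dst=203.0.113.7:443 bytes=611
2010-02-01T10:12:30 src=10.0.0.5 dst=198.51.100.20:80 bytes=2201
2010-02-01T10:15:00 src=10.0.0.5 dst=203.0.113.7:443 bytes=615
2010-02-01T10:20:02 src=10.0.0.5 dst=203.0.113.7:443 bytes=609
2010-02-01T10:31:45 src=10.0.0.5 dst=198.51.100.20:80 bytes=7310
2010-02-01T10:25:00 src=10.0.0.5 dst=203.0.113.7:443 bytes=610
"""


def parse_line(line: str):
    """Parse '<iso-timestamp> key=value ...' into (datetime, src, dst, bytes)."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return datetime.fromisoformat(ts), fields["src"], fields["dst"], int(fields["bytes"])


def find_beacons(log_text: str, min_conns: int = 5, max_cv: float = 0.1) -> dict:
    """Return (src, dst) pairs whose connection timing looks periodic.

    A pair is reported when it has at least min_conns connections and the
    coefficient of variation (stdev / mean) of the gaps between successive
    connections is at most max_cv. Human-driven traffic is bursty and has
    a high CV; a timer-driven check-in has a very low one.
    """
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = parse_line(line)
        sessions[(src, dst)].append((ts, nbytes))

    results = {}
    for key, events in sessions.items():
        if len(events) < min_conns:
            continue
        events.sort()  # log lines are not guaranteed to be in time order
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m else float("inf")
        if cv <= max_cv:
            results[key] = {
                "count": len(events),
                "mean_interval_s": round(m, 1),
                "cv": round(cv, 3),
                "mean_bytes": round(mean(b for _, b in events)),
            }
    return results


if __name__ == "__main__":
    for (src, dst), info in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {info}")
```

Tune min_conns and max_cv to the log volume: legitimate software updaters and mail clients also poll on timers, so treat a hit as a lead to check the destination and the payload sizes, not as a verdict. Jittered beacons raise the CV and will need a larger window or a different statistic.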