This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Determining where malware came from

0

I can't find antivirus software that will tell me where malware came from once it's detected by a full scan. My current AV software is Microsoft Security Essentials and it just gives me the name of the malware, its location on my hard drive, and its threat level. What's the easiest way to figure out what website it came from? I was thinking I can determine when it was saved to my computer using the file manager or a command at the command line, then I can check a Wireshark log to see what was happening at that time. Is that really the easiest way?

asked 27 Sep '15, 16:30


Barry Pencil
accept rate: 0%
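One way to carry out the correlation the question proposes (detected file's timestamp against the Wireshark capture), as an added example that is not part of the original post. It assumes the capture was first flattened with tshark's `-T fields` output (`frame.time_epoch`, `http.host`, `http.request.uri`, which are real field names) and that the cached copy may carry the `name[1].ext` suffix Temporary Internet Files uses; the sample lines are constructed, not taken from a real capture, and HTTPS traffic would show no host/URI this way.

```python
"""Correlate a detected file's timestamp with HTTP requests from a capture.
Assumes the capture was flattened first (one request per line), e.g.:
  tshark -r capture.pcapng -Y http.request -T fields -E separator=/t \
    -e frame.time_epoch -e http.host -e http.request.uri > requests.tsv
SAMPLE_TSV below is constructed for this example, not a real capture."""
import os
import re
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

SAMPLE_TSV = """\
1443397195.104\texample-news.test\t/index.html
1443397196.552\tcdn.example-news.test\t/static/app.js
1443397201.019\tads.example-tracker.test\t/serve/ld.php?id=77
1443397201.388\tads.example-tracker.test\t/payload/jquery-ui.min.js
1443398900.000\texample-mail.test\t/inbox
"""
# Temporary Internet Files stores repeated names as 'name[1].ext'; strip that
_CACHE_SUFFIX = re.compile(r"\[\d+\](?=\.[^.]*$|$)")

@dataclass
class Request:
    ts: float   # frame.time_epoch
    host: str   # http.host
    uri: str    # http.request.uri

    @property
    def filename(self) -> str:
        return os.path.basename(unquote(urlsplit(self.uri).path))

def parse_tshark_tsv(text: str) -> list:
    """Parse tshark -T fields output; malformed or empty lines are skipped."""
    reqs = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue
        try:
            reqs.append(Request(float(parts[0]), parts[1], parts[2]))
        except ValueError:
            continue
    return reqs

def candidates(reqs, file_mtime, cache_name=None, window=300):
    """Requests within +/- window seconds of the file timestamp, nearest first;
    a request whose URI ends in the cached file's own name ranks ahead."""
    target = _CACHE_SUFFIX.sub("", cache_name) if cache_name else None
    hits = [r for r in reqs if abs(r.ts - file_mtime) <= window]
    hits.sort(key=lambda r: (r.filename != target, abs(r.ts - file_mtime)))
    return hits
```

In real use pass `os.stat(path).st_mtime` and `os.path.basename(path)` of the file the scanner reported, and widen `window` if the cache timestamp is not trusted to be the download time.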


One Answer:

1

Is that really the easiest way?

One option would be to get a malware scanner that is able to scan your network data streams (HTTP, HTTPS, POP3, IMAP, MAPI, whatever). HOWEVER, even then you will not be 100% safe. Often a new malware won't be detected by the current pattern database of all AV vendors, so the malware will slip through and it will be detected only days, weeks or months later by a disk scan after a pattern was developed.

And that's exactly the problem with network forensics. Malware can sit undetected on a system for weeks/months, so you would have to collect and store the whole network traffic for that period of time (several 100 GByte or even TByte) and that's certainly impossible on a typical end-user PC/laptop.

Sorry, I don't have a technical network forensic solution for your scenario, as I believe there exists none, at least not a feasible one.

What I usually do: Use a virtual machine for Internet access (Linux based, if possible), which I reset at every start. That way a possible malware infection has the least possible impact.

Regards
Kurt

answered 28 Sep '15, 01:05


Kurt Knochner ♦
accept rate: 15%

It sounds like I could use one of those data stream scanners in addition to regular AV software. I was hoping to use just one product but maybe I'll use two if necessary. I found Snort and Suricata but I didn't download anything yet. I wish there was regular, popular AV software that did this.

(29 Sep '15, 08:11) Barry Pencil

It sounds like I could use one of those data stream scanners in addition to regular AV software.

That's usually part of every AV suite!

(29 Sep '15, 11:27) Kurt Knochner ♦

Let me rephrase what I want just in case I'm on the wrong path. My current AV software (Microsoft Security Essentials) doesn't notify me in real time of files that match virus definitions if they're not in a dangerous location, for example, if the file is in Temporary Internet Files, I won't be notified at the time of the infection. I will only be notified after a full scan, but at that time it's much harder to determine which website was the cause. So, I want software that will help me to determine where malware came from, even if the malware (anything that fits a malware definition) is headed to Temporary Internet Files.

In other words, I want everything that reaches my computer to be scanned and I want to know what website sent me anything that matches a malware definition.

(29 Sep '15, 15:44) Barry Pencil

O.K., one more time, in other words: AV software is not perfect! If you get hit by a totally unknown malware tomorrow, no AV software will detect that, no matter where you save that piece of data. So, that malware can sit undetected on your computer for days, weeks or even months until your AV vendor (and all others) learn about that new virus/trojan/whatever. Then they will update their pattern database and your scanner will find the malware on the disk. But then it's too late to figure out where it came from, because that information is gone after weeks, months! It's a general technological problem/limit with no (simple) solution.

(29 Sep '15, 16:38) Kurt Knochner ♦

Yes, but if there IS a malware definition for something that reached my computer, I don't think I'm always notified. I want to be, even if the malware isn't executable.

A couple of days ago I did a full scan (I do them every few weeks) and Ransom:JS/Brolo.C was found. I have real-time protection turned on but I wasn't alerted to this malware in real time. Only after the full scan. It's in Temporary Internet Files.

Here's information on Ransom:JS/Brolo.C from Microsoft's website:

Alert level: Severe
First detected by definition: 1.201.2067.0
Latest detected by definition: 1.201.2067.0 and higher
First detected on: Jul 17, 2015
This entry was first published on: Oct 27, 2014
This entry was updated on: Sep 10, 2015

If something isn't detected because there's no malware definition, that's understandable. I'm not trying to fix that. I just want to be made aware of where malware came from IF there's a definition at the time it reaches my computer. Even if it's in Temporary Internet Files and can't hurt my computer, I still want to know what website sent it to me.

(29 Sep '15, 17:29) Barry Pencil

I just want to be made aware of where malware came from IF there's a definition at the time it reaches my computer.

EVERY decent AV suite is able to do that, apparently besides your tool. But maybe it's just a config issue!

(29 Sep '15, 19:30) Kurt Knochner ♦

I've heard that viruses in Temporary Internet Files aren't important, and it looked like I had one that was ignored by a real-time scan but maybe it wasn't. I'll have to wait for my next virus detection to know for sure. Maybe there wasn't a definition for my last virus until my full scan, or maybe I forgot about a real-time detection.

(01 Oct '15, 22:55) Barry Pencil