I don't think this is possible, but I've been asked to see if there was a way to track down a worm that got into our network to see what system it originated from. Is there a way to do this? If so, what steps would I need to take?
Thanks,
John
John,
Here are some ideas that are based on what I have done to attempt to identify the first system that was infected by a worm. My success at this is mixed.
If you know the file name, registry keys, or any other artifact that the worm leaves behind, you could examine the suspect systems looking for time date stamps to locate the first system.
You may also want to check the Windows Event logs. Depending on how the worm spread, you may see some events that can be attributed to the worm (authentication success or failure, etc.). Of course, audit policy settings can limit what is logged.
By definition the worm would be jabbering on the network, including out to the Internet. If your firewall logs all connections, you retain the logs, and you know the method that the worm uses to spread, you may be able to examine the firewall logs to find the first system that tried to spread the worm through the firewall to the Internet.
In any event, if you have already cleaned the worm from your network, congratulations! That's the part of Incident Response that everybody sees.
Hope this helps.
TonyC
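The firewall-log approach above, as an added example (it is not code from either poster): the script parses a small, constructed firewall log, keeps only connections from internal hosts to Internet addresses on the worm's assumed propagation port, and orders the internal hosts by the time of their first attempt. The log format, the hosts, and the choice of TCP/445 as the spread port are all assumptions for this example; substitute the real format and port. The result is only a lower bound on "first infected": it is limited by log retention, by what the firewall logs, and by whether the earliest victim ever talked through the firewall at all.

```python
"""Order internal hosts by their first attempt to spread a worm through the
firewall to the Internet, from firewall log lines.

Assumptions (not from the original thread): the log line format below is
invented for this example, and the worm is assumed to spread over TCP/445.
"""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed propagation port of the worm (placeholder for the real one).
WORM_PORT = 445

# RFC 1918 ranges: sources outside these are not hosts on our network.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed sample log, deliberately out of order and with one junk line.
SAMPLE_LOG = """\
2011-03-02 09:14:05 src=10.1.2.7 sport=51023 dst=198.51.100.9 dport=445 proto=tcp action=deny
2011-03-02 08:41:52 src=10.1.2.3 sport=49152 dst=203.0.113.5 dport=445 proto=tcp action=deny
2011-03-02 08:40:10 src=10.1.2.3 sport=49151 dst=203.0.113.7 dport=445 proto=tcp action=deny
2011-03-02 08:39:58 src=10.1.2.3 sport=49150 dst=10.1.2.7 dport=445 proto=tcp action=allow
2011-03-02 08:30:00 src=10.1.2.9 sport=50001 dst=93.184.216.34 dport=443 proto=tcp action=allow
2011-03-02 09:02:17 src=10.1.2.5 sport=50555 dst=203.0.113.5 dport=445 proto=tcp action=deny
garbage line that does not parse
2011-03-02 08:35:12 src=192.0.2.44 sport=40000 dst=10.1.2.3 dport=445 proto=tcp action=deny
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) src=(\S+) sport=\d+ "
    r"dst=(\S+) dport=(\d+) proto=\S+ action=\S+$"
)


def parse_line(line):
    """Return {'ts', 'src', 'dst', 'dport'} for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "src": src,
        "dst": dst,
        "dport": int(dport),
    }


def is_internal(ip_text):
    """True if the address falls in one of our internal ranges."""
    ip = ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def first_spreaders(log_text, port=WORM_PORT):
    """Return [(host, first_seen, attempts)] for internal hosts that tried to
    reach the Internet on the worm's port, earliest first-seen first."""
    first_seen = {}
    attempts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != port:
            continue
        # Only internal -> external traffic is a spread attempt "through the
        # firewall to the Internet"; inbound scans and lateral traffic are skipped.
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue
        host = rec["src"]
        attempts[host] = attempts.get(host, 0) + 1
        if host not in first_seen or rec["ts"] < first_seen[host]:
            first_seen[host] = rec["ts"]
    return sorted(
        ((h, first_seen[h], attempts[h]) for h in first_seen), key=lambda r: r[1]
    )


def earliest_spreader(log_text, port=WORM_PORT):
    """The internal host whose first spread attempt is earliest, or None."""
    ranked = first_spreaders(log_text, port)
    return ranked[0][0] if ranked else None


if __name__ == "__main__":
    for host, seen, n in first_spreaders(SAMPLE_LOG):
        print(f"{seen}  {host}  ({n} attempt(s) to the Internet on tcp/{WORM_PORT})")
    print("earliest candidate:", earliest_spreader(SAMPLE_LOG))
```

Hosts are keyed on their first attempt rather than their attempt count, since the most active host is often a later victim with more peers to reach; the inbound line from 192.0.2.44 is excluded but is still worth noting by hand as a possible entry path.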
I don't think this is possible, but I've been asked to see if there was a way to track down a worm that got into our network to see what system it originated from. Is there a way to do this? If so, what steps would I need to take?
I would say that it is possible and, in some cases, may be likely. But there is not a one-size-fits-all approach.
The simplest way, however, may be the most rewarding. Identify the worm then research its history. You'll often find statements such as
"Rogue emails posing as LinkedIn alerts directs users to a malicious page, which attempts to infect them with a variant of the ZBot information stealing trojan."
Then look for who received the e-mail.
You may have already addressed this issue, but creating a timeline of one of the earlier infected computers may help determine how it became infected. You can search for any artifacts of the worm in the timeline (AV logs, Windows events, prefetch, worm’s timestamps) with the purpose of locating when the worm first showed up on the system. Reviewing the files in the timeline around the time when the worm appeared on the system can point you in a possible direction of the infection vector; for example, there may be indications of a USB being connected to the computer or a person accessing their email. This information, combined with doing research on how the worm propagates, could help determine how that computer was infected, which can help lead to how it entered the network.
For information on timelines you could check out http://windowsir.blogspot.com/, https://
Corey Harrell
"Journey into Incident Response"
http://journeyintoir.blogspot.com
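The timeline method described in the post above, as an added example that is not the poster's code: artifacts from several sources (AV log, Windows event log, prefetch, file-system timestamps, device-install log) are normalised to one sorted timeline, the earliest entry matching a worm indicator is located, and the entries in a window around it are returned so the analyst can look for the infection vector. Every artifact below is constructed, the worm file name `badworm.exe` is a placeholder indicator, and the window size is an arbitrary choice; the event IDs 4624 and 4634 are the real Windows logon and logoff IDs.

```python
"""Build a single artifact timeline for one host and return what happened
around the worm's first appearance.

All sample data is constructed for this example; 'badworm.exe' is a
placeholder indicator, not a real worm.
"""
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed artifacts as (timestamp, source, description). In practice these
# come from AV logs, Windows event logs, prefetch files and file timestamps.
SAMPLE_ARTIFACTS = [
    ("2011-03-02 08:15:41", "setupapi.dev.log", "USB mass storage device installed (constructed VID/PID)"),
    ("2011-03-02 08:02:03", "Security.evtx", "Event 4624: interactive logon for jsmith"),
    ("2011-03-02 08:16:20", "Prefetch", "EXPLORER.EXE run, E:\\ volume referenced"),
    ("2011-03-02 08:16:58", "NTFS $MFT", "C:\\Windows\\System32\\badworm.exe created"),
    ("2011-03-02 08:17:02", "Prefetch", "BADWORM.EXE first run"),
    ("2011-03-02 08:17:30", "AV log", "Detected Worm:Win32/Placeholder in badworm.exe (quarantine failed)"),
    ("2011-03-02 10:45:00", "Security.evtx", "Event 4624: network logon from 10.1.2.3"),
    ("2011-03-01 17:59:12", "Security.evtx", "Event 4634: logoff for jsmith"),
]

# Placeholder indicators for the worm (file name, AV detection name).
WORM_INDICATORS = ["badworm", "Worm:Win32/Placeholder"]


def build_timeline(artifacts):
    """Parse timestamps and return the artifacts sorted oldest-first."""
    timeline = [(datetime.strptime(ts, TS_FMT), src, desc) for ts, src, desc in artifacts]
    return sorted(timeline, key=lambda e: e[0])


def first_worm_artifact(timeline, indicators=WORM_INDICATORS):
    """Earliest timeline entry whose description mentions any indicator
    (case-insensitive), or None if the worm never appears."""
    wanted = [i.lower() for i in indicators]
    for entry in timeline:  # timeline is sorted, so the first hit is the earliest
        if any(i in entry[2].lower() for i in wanted):
            return entry
    return None


def events_around(timeline, anchor, before=timedelta(minutes=5), after=timedelta(minutes=1)):
    """Entries within [anchor - before, anchor + after], inclusive."""
    lo, hi = anchor - before, anchor + after
    return [e for e in timeline if lo <= e[0] <= hi]


def infection_window(artifacts, indicators=WORM_INDICATORS, **window):
    """Convenience: timeline entries around the worm's first appearance on
    this host, or [] if no indicator matched."""
    timeline = build_timeline(artifacts)
    first = first_worm_artifact(timeline, indicators)
    if first is None:
        return []
    return events_around(timeline, first[0], **window)


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_ARTIFACTS)
    first = first_worm_artifact(tl)
    print("worm first seen:", first)
    for ts, src, desc in events_around(tl, first[0]):
        marker = "<==" if (ts, src, desc) == first else "   "
        print(f"{ts} {marker} [{src}] {desc}")
```

Run on the sample data the window shows a USB device install and an Explorer run referencing a removable volume in the minute before the worm's file was created, which is the kind of lead the post describes; a real timeline would also need clock skew between sources reconciled before the ordering can be trusted.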