Detecting Malware

Problem

My company is overrun by malware. How can we track users who have malware and where it's installed?

Solution

There is no easy way to detect all malware. However, you can use several methods to try to identify the traffic.

There are several methods with which to track these types of connections.

Discussion

Gator is only one piece of malware that might be running across your networks. The key to detecting and identifying malware is the same as with other types of traffic. Find some common feature of the traffic, such as a word or phrase, or even the HEX of the packets. Then zero in on that and determine some specifics of the traffic that you can repeat with as much accuracy as possible. The other key is to watch your web traffic very closely. User-agent or browser identification is a great method for searching through the logs to find strange connections from your network. Another suggestion is to use some of Snort's other tools to find hosts that are generating more traffic than normal or simply talkative hosts. Talkative hosts are usually an indication of a problem, unless they are servers.

Another suggestion is to use the malware ruleset from http://www.bleedingsnort.com. This entire ruleset just targets malware on a network. These rules (though you use them at your own risk) may help you figure out just how much of your total network traffic is used by malware/adware/spyware software. Finally, detecting this type of traffic is really a job for your web proxy server and your DNS server. When you use blocks or denies to hamper this type of traffic, you'll have a more secure network and visibly better performance.
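The two log-based checks the discussion recommends, searching proxy logs for odd User-Agent strings and spotting talkative hosts, as an added example that is not from the book or from Snort. It assumes a simplified, constructed proxy log format (client, bytes, URL, quoted User-Agent); the sample lines and the agent list are made up, so adapt the regex and the list to your own proxy's logformat and to the agents you actually see.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines: client, bytes sent, URL, "User-Agent".
# The format and every value here are invented for this example.
SAMPLE_LOG = """\
10.0.0.5 1320 http://www.example.com/index.html "Mozilla/5.0 (Windows NT 10.0) Firefox/115.0"
10.0.0.7 880 http://ads.example.net/track "Gator/1.0"
10.0.0.5 2100 http://www.example.com/news "Mozilla/5.0 (Windows NT 10.0) Firefox/115.0"
10.0.0.9 4000000 http://cdn.example.org/blob "Mozilla/5.0 (Windows NT 10.0) Firefox/115.0"
10.0.0.7 640 http://ads.example.net/beacon "Gator/1.0"
10.0.0.9 3500000 http://cdn.example.org/blob2 "Mozilla/5.0 (Windows NT 10.0) Firefox/115.0"
"""

LINE_RE = re.compile(r'^(\S+) (\d+) (\S+) "([^"]*)"$')

# User-Agent substrings worth a closer look. "gator" is the agent the recipe
# discusses; "placeholder-agent" stands in for entries you add from your own logs.
SUSPECT_UA = ("gator", "placeholder-agent")


def parse(lines):
    """Yield (client, bytes, url, user_agent) for each line that matches the format."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), m.group(4)


def find_suspect_agents(lines, suspect=SUSPECT_UA):
    """Map each client to the set of suspicious User-Agent strings it sent."""
    hits = defaultdict(set)
    for client, _, _, ua in parse(lines):
        if any(s in ua.lower() for s in suspect):
            hits[client].add(ua)
    return dict(hits)


def find_talkative_hosts(lines, threshold_bytes, servers=()):
    """Clients whose total bytes exceed the threshold, ignoring known servers."""
    totals = defaultdict(int)
    for client, size, _, _ in parse(lines):
        totals[client] += size
    return {c: b for c, b in totals.items() if b > threshold_bytes and c not in servers}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("suspicious agents:", find_suspect_agents(lines))
    print("talkative hosts:", find_talkative_hosts(lines, 1_000_000))
```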

See Also

http://www.squidguard.org for the ideas about blocking malware

http://www.bleedingsnort.com for some malware rules
