SANS Digital Forensics and Incident Response Blog

3 Lists for Investigating Malware Incidents

When investigating an incident that involves malicious software, it helps to understand the context of the infection before starting to reverse-engineer the malware specimen. Some of the ways to accomplish this involve:

  • Examining the websites that may be associated with the incident, often because they are suspected of hosting the exploits that acted as the infection vector
  • Obtaining reputational data about the IP addresses of systems involved in the incident, often because they are suspected of hosting malicious files that were dropped on the system, or of acting as the attacker's command-and-control server
  • Looking up IP addresses associated with the infected organization in blocklists, to determine whether additional systems may have been performing malicious activities and may themselves have been compromised
  • Performing automated behavioral analysis of malware involved in the incident, to get a general sense for its characteristics to plan subsequent manual reverse-engineering tasks
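As an added example (not part of the original post, and not any particular service's client), here is how the blocklist lookup in the third bullet is typically carried out against a DNS-based blocklist (DNSBL): the address is reversed into a query name under the list's zone, and the presence and value of an A record give the verdict. The zone `dnsbl.example.net`, the treatment of 127.255.0.0/16 answers as query errors, and the answers in `FAKE_ANSWERS` are assumptions constructed so the script runs offline; real lists publish their own zone and return-code table.

```python
"""Batch lookup of IP addresses against a DNS-based blocklist (DNSBL).

Added example for this post, not code from the original article. The zone
name, return-code meanings and the sample answers below are constructed for
illustration; real blocklists publish their own zone and code tables.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Optional

# Hypothetical blocklist zone (assumption; substitute the zone of the list you use).
BLOCKLIST_ZONE = "dnsbl.example.net"

# Addresses no public list will carry; querying them only leaks internal topology.
NON_ROUTABLE = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")
]


def query_name(ip: str, zone: str = BLOCKLIST_ZONE) -> str:
    """Build the DNSBL query name for an address.

    IPv4: octets reversed, e.g. 203.0.113.4 -> 4.113.0.203.<zone>
    IPv6: all 32 hex nibbles reversed and dot-separated, as in ip6.arpa.
    Raises ValueError for malformed or non-routable addresses.
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in NON_ROUTABLE):
        raise ValueError(f"{ip} is not routable on the Internet")
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def interpret(answer: Optional[str]) -> str:
    """Turn the A-record answer into a verdict.

    Common DNSBL convention: no record (NXDOMAIN, passed here as None) means
    "not listed"; an address in 127.0.0.0/8 means "listed", with the last
    octet carrying a list-specific reason code. Anything else is an error and
    must not be read as "not listed".
    """
    if answer is None:
        return "not listed"
    try:
        code_addr = ipaddress.IPv4Address(answer)
    except ValueError:
        return f"error: unparsable answer {answer!r}"
    if code_addr in ipaddress.ip_network("127.255.0.0/16"):
        # Assumed convention: this range signals a rejected or over-quota query.
        return f"error: list rejected the query ({answer})"
    if code_addr in ipaddress.ip_network("127.0.0.0/8"):
        return f"listed (code {int(code_addr) & 0xFF})"
    return f"error: unexpected answer {answer}"


def check_hosts(ips: Iterable[str], resolve: Callable[[str], Optional[str]],
                zone: str = BLOCKLIST_ZONE) -> Dict[str, str]:
    """Look up each address and return {ip: verdict}. `resolve` maps a query
    name to its A-record string, or None when the name has no record."""
    results: Dict[str, str] = {}
    for ip in ips:
        try:
            name = query_name(ip, zone)
        except ValueError as exc:
            results[ip] = f"skipped ({exc})"
            continue
        results[ip] = interpret(resolve(name))
    return results


def dns_resolve(name: str) -> Optional[str]:
    """Live resolver for real use: A-record string, or None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed sample answers so the script runs offline: 203.0.113.4 is
# "listed", 203.0.113.9 triggers the error sentinel, everything else is absent.
FAKE_ANSWERS = {
    "4.113.0.203.dnsbl.example.net": "127.0.0.2",
    "9.113.0.203.dnsbl.example.net": "127.255.255.254",
}

if __name__ == "__main__":
    suspects = ["203.0.113.4", "198.51.100.7", "203.0.113.9", "10.0.0.5", "2001:db8::1"]
    for ip, verdict in check_hosts(suspects, FAKE_ANSWERS.get).items():
        print(f"{ip:>16}  {verdict}")
    # For a live check, pass dns_resolve instead of FAKE_ANSWERS.get and set
    # BLOCKLIST_ZONE to the zone of the list you are querying.
```

Two practitioner caveats: a "not listed" answer is only that list's opinion at that moment, not evidence of a clean host, and many lists refuse or rate-limit queries arriving through large public resolvers, which is why an unexpected answer is reported as an error rather than silently folded into "not listed".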

Each of the following pages lists 10 or so freely-available on-line tools for helping to perform the tasks outlined above:

What other on-line tools help understand the context of the infection? Tell us in comments below.

— Lenny


Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corporation. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and writes a security blog.