How do you detect where a virus came from?
Basically, what tools can I use to detect the origin of the virus?
Comments
-
buhusky: You don't need tools, the answer is easy - the Internet, unless your roommate is a coder.
-
5ekurity: Are you talking about in the context of who actually 'wrote' the virus? Or the attack vector by which someone was infected?
-
jahaziel: I mean the way the person got affected, by email or through a download. My company wants me to track this down for them.
-
iBrokeIT: Looking at the timestamp of the file and at the user's internet and email logs for the 30 minutes prior would be a good place to start.
2019: GPEN | GCFE | GXPN | GICSP | CySA+
2020: GCIP | GCIA
2021: GRID | GDSA | Pentest+
2022: GMON | GDAT
2023: GREM | GSE | GCFA
WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops | SANS Grad Cert: Incident Response
-
SaSkiller: First question of IT: "What changed?" Ask the user what they did immediately before the detection if it was a host-based detection; if it was network-based, then look at your timestamps and ask the same question. The capability to detect the method of transmission is determined by the threat and the tools you have available.
For instance, we see things like Cryptowall or other ransomware. Historically we know that it is primarily distributed via email or via exploit kits. If you start seeing IDS phone-home alerts from out of nowhere, then chances are it came in from personal or work email (if it had been an EK, you would expect to see detection of the landing page and/or exploit/malware download). If the user has adware or other software on the system, then you should consider that they downloaded a trojan: they installed something that brought a friend with it, etc.
OSWP, GPEN, GWAPT, GCIH, CPT, CCENT, CompTIA Trio.
-
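The triage the two replies above describe (take the detection timestamp, pull the user's mail-gateway and proxy entries from the 30 minutes before it, and see whether an attachment or an executable download explains the infection) as an added example; this is not code from the thread, and the log lines, usernames and hostnames are constructed for the demonstration.

```python
from datetime import datetime, timedelta

# Constructed sample logs (not real data): a mail-gateway log and a web-proxy log.
MAIL_LOG = """\
2015-06-02 09:41:10 deliver to=jsmith from=invoices@supplier.example attach=invoice_4411.zip
2015-06-02 10:02:33 deliver to=jsmith from=hr@corp.example attach=none
"""
PROXY_LOG = """\
2015-06-02 09:55:01 jsmith GET http://cdn.ads.example/banner.js 200 text/javascript
2015-06-02 10:03:47 jsmith GET http://files.host.example/setup_free_player.exe 200 application/x-msdownload
2015-06-02 10:20:15 jsmith GET http://intranet.corp.example/ 200 text/html
"""

FMT = "%Y-%m-%d %H:%M:%S"
# Content types that indicate an executable or archive was fetched through the proxy.
EXEC_TYPES = ("application/x-msdownload", "application/x-dosexec", "application/zip")


def parse(log):
    """Yield (timestamp, rest_of_line) for each line; timestamp is the first 19 chars."""
    for line in log.splitlines():
        yield datetime.strptime(line[:19], FMT), line[20:]


def events_before(log, detection_ts, window_minutes=30):
    """Return log entries that fall in the window ending at the detection timestamp.
    detection_ts is the file/alert timestamp; remember the file's own mtime can be
    wrong or tampered with, so prefer the AV/IDS alert time when you have it."""
    start = detection_ts - timedelta(minutes=window_minutes)
    return [rest for ts, rest in parse(log) if start <= ts <= detection_ts]


def likely_vectors(detection_ts, user):
    """Return (vector, evidence) pairs: 'email' for a delivered attachment to the user,
    'download' for an executable/archive the user fetched, within the lookback window."""
    candidates = []
    for line in events_before(MAIL_LOG, detection_ts):
        if f"to={user}" in line and "attach=none" not in line:
            candidates.append(("email", line))
    for line in events_before(PROXY_LOG, detection_ts):
        fields = line.split()
        if fields[0] == user and fields[-1] in EXEC_TYPES:
            candidates.append(("download", line))
    return candidates


if __name__ == "__main__":
    for vector, evidence in likely_vectors(datetime(2015, 6, 2, 10, 10, 0), "jsmith"):
        print(f"{vector:9} <- {evidence}")
```

Both candidates surface here (a zip attachment at 09:41 and an .exe download at 10:03), which is the point: the logs narrow the question to two events the user can be asked about, rather than proving a vector on their own.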
cyberguypr (Mod): The question is, what tools do you have in place? Proxy, email, host logs, antivirus, any centralized logging a la syslog, Splunk, etc.? Some places don't log crap and expect detailed reports of attack vectors and whatnot.