Root Cause Inspection

Take, for example, the following virus detection alert:

From: servername [mailto:servername]
Sent: (Date and time)
To: AV Alerts – HQ
Subject: EXPL_EXECOD.A on machine(user)

Virus alert.
EXPL_EXECOD.A is detected on machine(user).
Infected file: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\NXXZUEMP\exp4[1].htm
Detection date: (date and time)
Action: Virus successfully detected, cannot perform the Clean action (Cannot perform the Delete action)

Antivirus software has detected a virus in exp4.htm and prevented it from running.

Case closed?

A look at the index to the browser cache shows that exp4.htm is among the many web pages from (EXPL_EXECOD.A) (EXPL_EXECOD.A) (EXPL_EXECOD.A)

There was a different exploit at each exp?.htm page. We were detecting the use of one of the five exploits, but only one of the five.

A web site in the Russian Federation.

Domains registered to this address:

Samples of the files were submitted to for verification and to the specific anti-virus vendor for analysis.

The  URL was submitted to a public malware block list ( and to the specific anti-virus vendor for inclusion in their web filtering product.

The IP address was blacklisted in the client firewall.

The vulnerabilities that these malware samples attempted to exploit had already been remediated (software updates and patches installed).

I have provided links to utilities that make reviewing web browser history easier. When malware arrives through a web browser, you want to learn where it came from.

  1. What else came from the same source? Is it also malicious, but undetected?
  2. Do you want to blacklist that source? If detected malware was delivered once, are you betting that the next malware will also be detected? Why take that chance?
  3. Submit suspicious links to a central reporting site, such as Malware Block List.
  4. Keep a log (spreadsheet, table, database) of what you have detected. The URL (http://), its IP address, the reason it caught your attention, what you did with the information, and the date seen are basic fields. Tip: convert the dotted decimal IP address to a decimal IP address. = 112+(128*256)+(53*256*256)+(58*256*256*256) = 976584816. You will find a large IP address number easier to sort than a set of octets.

hpHosts may be helpful. You can use it to learn if this IP address or URL has been reported as malicious, or if other malicious sites are at that IP address. For example, to see if there are malicious hosts whose IP address starts with 63.246.20, use

hpHosts uses the following abbreviations to categorize their reasons for including IP addresses in the malicious list:
ATS: ad/tracking server
GRM: grass roots marketing (astroturfing)
EMD: malware distributor (adware, spyware, viruses etc). (Classification: )
HJK: hijacking
EXP: exploits and social engineering
FSA: fraudulent security (and non-security) applications
WRZ: Warez and keygens
PSH: Phishing
HFS: spammed the hpHosts forums

Targeted Forensics: Mapping a Process to a Malicious Command and Control describes how to determine which process is connecting to a malicious command and control center, using Volatility and a memory dump.

The Targeted Forensics Series: Confirming Remote Desktop Connections (Part 1 of 2) (Part 2 of 2) describes finding evidence of a remote desktop connection to or from a Windows device, using the registry and log parser.


One Response to Root Cause Inspection

  1. […] Some will call the Root Cause Analysis described in this blog “forensics.” I urge you to avoid that term. You should recognize […]