The phone rings, and the networking guys tell you that you’ve been hacked and that your customers’ sensitive information is being stolen from your network. You begin your investigation by checking your logs to identify the hosts involved. You scan the hosts with antivirus software to find the malicious program, and catch a lucky break when it detects a trojan horse named TROJ.snapAK. You delete the file in an attempt to clean things up, and you use network capture to create an intrusion detection system (IDS) signature to make sure no other machines are infected. Then you patch the hole that you think the attackers used to break in to ensure that it doesn’t happen again.
Then, several days later, the networking guys are back, telling you that sensitive data is being stolen from your network. It seems like the same attack, but you have no idea what to do. Clearly, your IDS signature failed, because more machines are infected, and your antivirus software isn’t providing enough protection to isolate the threat. Now upper management demands an explanation of what happened, and all you can tell them about the malware is that it was TROJ.snapAK. You don’t have the answers to the most important questions, and you’re looking kind of lame.
How do you determine exactly what TROJ.snapAK does so you can eliminate the threat? How do you write a more effective network signature? How can you find out if any other machines are infected with this malware? How can you make sure you’ve deleted the entire malware package and not just one part of it? How can you answer management’s questions about what the malicious program does?
All you can do is tell your boss that you need to hire expensive outside consultants because you can’t protect your own network. That’s not really the best way to keep your job secure.
Ah, but fortunately, you were smart enough to pick up a copy of Practical Malware Analysis. The skills you’ll learn in this book will let you answer those hard questions and protect your network from malware.