The Trojan Defense

The malware did it...not me.

How often do we see or hear of this? I don't see this specific question very often during exams...probably because I don't work in certain environments, per se...but I do get questions peripheral to it, and I do hear the question being asked by folks who do those sorts of investigations.

More importantly, however, is another question...how does an examiner (LE or otherwise) answer that question before it gets asked? The claim that "the Trojan/worm/malware did it" is being made more and more, and it can be a challenge to address this sort of thing...but it does need to be addressed.

The fact of the matter is that there are enough data sources on a Windows system that can provide indications as to whether certain actions (downloading illicit images, collecting/exfiltrating sensitive data, etc.) were performed by malware, or intentionally by a user. These sources may vary in their location and how useful they are, depending upon the case, but by examining and correctly interpreting the preponderance of data (rather than a few selected data points), an analyst can get an overall picture of what happened.

One example is when illicit images appear on a system...did malware reach out and download those images, or did the user install P2P software and then run a specific search for those images? Or did the user install P2P software that then led to a malware infection, and then the malware downloaded the software?

All of these questions can be answered, but what it takes to do so varies from case to case, and cannot be adequately addressed in a single blog post. Suffice to say that a knowledgeable analyst needs to look at everything, and be aware of those things they do not know. By this I mean, do not dismiss the value of Registry analysis simply because you have a deadline and do not feel that you sufficiently understand Registry analysis as a whole, or how it could apply to your case. The same is true for P2P analysis.

Addressing the "Trojan Defense" involves much more than simply mounting an acquired image and running an AV scanner across it. But like I said, that's not something that can be addressed in a blog post. This isn't a sales pitch, but what's really required is training, and regular, continuous interaction with other knowledgeable analysts, so that information and experiences can be exchanged.