Triggers
- An internal host is downloading and installing software from the Internet
- The downloads are over HTTP, appear to be machine- driven, and follow a suspicious pattern of checking for availability of files before downloading them
Possible Root Causes
- The initial exploit on this host may be loading malware to continue the attack
- Malware installed on the host may be updating itself to enhance its functionality
- Malware installed on the host may be updating itself to a new version of its software
Business Impact
- An infected host can attack other organizations (e.g. spam, DoS, ad clicks) thus causing harm to your organization’s reputation, potentially causing your IP addresses to be black listed and impacting the performance of business-critical applications
- If this is a targeted attack, it can spread further into your network and ultimately exfiltrate data from it
- The malware which infected the host can create nuisances and affect user productivity
Steps to Verify
- Look up the domain and IP address to which the communication is being sent via reputation services to see if this is known malware; such lookups are supported directly within the UI
- Search for the domain + “virus” via a search engine; this is effective for finding references to known adware or spyware
- Download the supplied PCAP and look at the HTTP payload being sent to see if any data is being leaked in clear text or whether the identity of the program is visible