
Edit: This post has been marked as duplicate. While I have read the referenced thread I see some differences in the described situation. My scenario below is a non-server home network with both machines connected via Wifi. As both are connected via standard router software to the internet I have trouble understanding where to put any NST, as typical distros are based on Linux and I suppose I would need to route all network traffic to a gateway that performs the analysis, while the simple router can't do that. The scenario is no typical business case with proper infrastructure. Having a spare machine with the capacity to act as a gateway and analyse real-time traffic data from probably two infected machines seems like a sound procedure but is not viable in this case. Therefore I was hoping for some more practical advice in such a "small" scenario. When I understand the hints provided, the interception of traffic should not and cannot be done on the compromised machines, am I right?

Given a real life scenario: Two machines Desktop and Notebook. Both are always up-to-date Win 7 Pro machines performing updates of AV, Windows etc daily. Both are stationary in a private LAN. None was used in another network.

On Desktop a domain and some email accounts from the same provider (Emails: Desktop-1, Notebook-1 and Notebook-2) were bought and set up. Desktop was configured to receive and send mails from account Desktop-1, Notebook was configured to receive and send mails from Notebook-1 and Notebook-2. The original password selection on all accounts was done on Desktop, they might be cryptographically weak.

After quite a long time period the mail provider sent a notification that account Notebook-1 was sending spam from multiple locations in Russia, White Russia and other eastern bloc locations at the same time. Noteworthy: the user id and password were used, and the sender email Notebook-1 was replaced by some address to avoid Notebook receiving any kind of return mails. The mail provider changed the password on this account. Spam stopped.

At this point it is unlikely that the mail provider got compromised and attackers obtained provider's db with user ids, pass hashes, etc. It rather looks like one of the machines has been infected.

Several rescue disks from different providers have found and removed all malware on both machines. Notebook is suspected to have a trojan that was able to retrieve login data from Outlook (as the login data should not be stored anywhere else).

Both machines resumed normal operation after none showed signs of malware.

After the scan the password on account Notebook-1 was changed on Desktop via the web interface and the new password has been entered on Notebook.

A couple of days later the email provider again observed that Notebook-2 (note: not Notebook-1) exhibited the same behavior as the previous account and changed its password. Desktop's email account did not exhibit suspicious behavior (yet!).

A scan of both machines whether there is a reinfection has yet to be done. The leaked account is again used on Notebook only and it is not clear whether the original malware has obtained all the data or whether there was a reinfection that has again stolen data.

Note: On both machines there are plenty of other mail accounts, passwords, etc stored. Both machines are also used for online banking.

I have no strong indication what machine is really under an attacker’s control as there are no obvious observations what else is done with the other login data of both machines. Simply changing all passwords on a possibly compromised machine sounds like an awful idea. I also question the trustworthiness of scan reports of multiple vendors’ rescue disks saying no infections located. (What is the probability that a very new malware is not detected by AVG, Avira and Kaspersky?) However I question that only due to my lack of experience with that.

Like with many personal machines, many passwords are stored only in some more or less secure (rather less) password manager like the non-password-protected password vault of Firefox and whatever Outlook uses.

My guess: A sane approach would be to obtain a Linux (which might be an issue if it is only a VM installed on one of the potentially compromised machines) and change every password on every account.

However, as the source of infection is not clear, changing passwords is only safe as long as they are not entered again in the daily-used software (e.g. Firefox or Outlook) on those "seemingly" clean machines.

Any hints? Reinstalling windows is only a last resort as this is not a trivial task and even with backups there is no guarantee that restored data from backups or data remaining on the machines (let’s say jpgs and mp3) does not cause a reinfection.

Samuel
  • You state that the email accounts were compromised and spam stopped after the email password was changed. Was anything else compromised, like other accounts used from the suspect system? Did you find malware on the suspect system? – atk Dec 24 '13 at 00:43
  • @atk current observation shows that nothing else was compromised, however this is just an observation. I have no control over mail server logs. If other accounts are used in a less obvious manner (e.g. sending one mail a second) the logs would be hard to interpret. Malware was located and removed on both machines. – Samuel Dec 24 '13 at 09:16
  • Do you believe the malware was what stole the email credentials? Are there other email accounts used on those machines that weren't compromised? Or could the malware be coincidental to a separately and externally compromised email account? – atk Dec 24 '13 at 14:41
  • @atk, ruling out external sources is almost impossible for me. Currently other accounts were not reported as compromised however this depends on the type of use. If they are used for few spam mails they go below the radar and the providers won't notice or care. The particular mail accounts were not from a free mail provider but accounts depending on a domain and therefore obtaining them would involve hijacking multiple domains and gaining access to the whole domain backend, a scenario which has not been observed so far. – Samuel Dec 24 '13 at 21:32
  • the thing that I am having trouble understanding is how changing a password solved it if the whole back end infrastructure would have had to be compromised. Why don't you think that the password couldn't have been guessed? Also, you might investigate exactly what malware was on the device - the purpose of the malware might give a hint as to what was happening. – atk Dec 24 '13 at 23:50
  • @atk the user name was also "guessed" correctly, which doesn't make sense. Spam was sent via SMTP with a fully authenticated user with the correct password. The user auth is not sent in any mail headers, just in Outlook and on the mail server in its log files. It was never my intention to say that the backend was compromised in any way, I just tried to say that the scenario where the entire backend is compromised has not yet been observed and is therefore unlikely (but of course not impossible). As the analysis was done on live Linux DVDs the malware logs are as far as I know not persistently stored. – Samuel Dec 25 '13 at 20:50

1 Answer


I recommend you collect traffic regarding those servers; besides that, a memory dump will be useful, so get a memory dump if you can.

After collecting traffic like a pcap you can set up an NST or a different operating system including a Snort-like IPS/IDS and replay the traffic through this IDS/IPS and examine whether any alert is triggered or not. If there is any alert you can use those alerts to reduce the sample space of possibilities and go deeper with it.

Or you can separately examine the pcap traffic: is there any outbound connection, how many of them, are they relevant or not, the most frequent outbound URLs or IPs. You can search weird URLs or IPs in different sources on the internet: blacklisted IPs, malware lists, spam lists etc. This also helps you find out if there is a command and control center for a malware which is communicating periodically.

You can gather similar information from analyzing memory dumps also. Memory information can give you the behaviour of the exploitation path, and this might be a clue for your vulnerability.

Let's examine those and look at what we find.

  • Sorry, what servers and what use of a memory dump are you talking about? A memory dump of what exactly, a specific process, a full memory print of active processes in RAM? What will this help? I am not sure what the issue is or whether the malware is active at the time of dumping memory. The mail servers, if it is about them, are not under my control and are maintained by a domain provider. – Samuel Dec 24 '13 at 21:39
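A worked version of the outbound-connection review the answer suggests (count connections per external host, check them against a blocklist, and flag hosts contacted at regular intervals as possible periodic C2 traffic). This is an added example, not code from the answer; the flow records, the blocklist entry and the 192.168.1.x LAN prefix are all constructed assumptions, standing in for what a flow export from the pcap would give you.

```python
"""Triage of outbound flows exported from a home-LAN pcap."""
from collections import defaultdict
from statistics import mean, pstdev

LAN_PREFIX = "192.168.1."        # assumption: the home LAN
BLOCKLIST = {"203.0.113.9"}      # constructed sample blocklist entry (TEST-NET-3)

# Constructed sample flows: (epoch seconds, src_ip, dst_ip, dst_port)
FLOWS = [
    (1000, "192.168.1.20", "198.51.100.5", 443),   # ordinary browsing
    (1007, "192.168.1.20", "198.51.100.8", 80),
    (1003, "192.168.1.20", "203.0.113.9", 8080),   # roughly every 60 s
    (1063, "192.168.1.20", "203.0.113.9", 8080),
    (1123, "192.168.1.20", "203.0.113.9", 8080),
    (1184, "192.168.1.20", "203.0.113.9", 8080),
    (1243, "192.168.1.20", "203.0.113.9", 8080),
    (1300, "192.168.1.20", "198.51.100.5", 443),
    (1020, "198.51.100.5", "192.168.1.20", 443),   # inbound reply, ignored
]

def outbound_by_dst(flows, lan_prefix=LAN_PREFIX):
    """Group LAN -> non-LAN flows by destination IP."""
    by_dst = defaultdict(list)
    for ts, src, dst, port in flows:
        if src.startswith(lan_prefix) and not dst.startswith(lan_prefix):
            by_dst[dst].append((ts, port))
    return by_dst

def beacon_score(timestamps):
    """Coefficient of variation of inter-arrival gaps; near 0 means regular.
    Returns None when there are too few connections to judge."""
    ts = sorted(timestamps)
    if len(ts) < 4:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return pstdev(gaps) / mean(gaps)

def triage(flows, blocklist=BLOCKLIST, max_cv=0.1):
    """One finding per external destination: volume, ports, reputation, regularity."""
    findings = {}
    for dst, recs in outbound_by_dst(flows).items():
        score = beacon_score([ts for ts, _ in recs])
        findings[dst] = {
            "connections": len(recs),
            "ports": sorted({p for _, p in recs}),
            "blocklisted": dst in blocklist,
            "periodic": score is not None and score <= max_cv,
        }
    return findings

if __name__ == "__main__":
    for dst, finding in triage(FLOWS).items():
        print(dst, finding)
```

A destination that is both blocklisted and periodic is the one to take to the IDS replay and the memory dump first; a regular interval alone is only a lead, since update checkers and mail polling also beacon.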