Identifying Malware Origin

A host was infected with malware.

During the incident response, Joe, a user, reported that he did not receive any emails with links, but he had been browsing the Internet all day.

Which of the following would MOST likely show where the malware originated?

A.

The DNS logs

B.

The web server logs

C.

The SIP traffic logs

D.

The SNMP logs.

A.

The correct answer is A. The DNS logs.

When a user is infected with malware, it is important to determine the source of the infection so that appropriate measures can be taken to prevent further infections. In this scenario, Joe reported that he did not receive any emails with links, but he had been browsing the Internet all day. This suggests that the malware may have been downloaded from a website or through an online advertisement, rather than through email.

DNS (Domain Name System) logs can provide valuable information about the websites that were accessed by the infected host. DNS is responsible for translating domain names (such as www.example.com) into IP addresses that computers can use to communicate with each other over the Internet. When a user visits a website, their computer sends a DNS query to a DNS server to resolve the domain name into an IP address. The DNS server logs these queries and responses, which can be used to track the websites that were accessed by the infected host.

Web server logs can also provide information about the websites that were accessed, but they may not capture all of the traffic if the infected host was using a proxy server or if the malware was communicating with a command and control server over a non-standard port. SIP (Session Initiation Protocol) traffic logs are used for VoIP (Voice over IP) communications, and SNMP (Simple Network Management Protocol) logs are used for network management, so they are unlikely to provide useful information in this scenario.

In summary, the DNS logs would be the most likely source of information to determine where the malware originated in this scenario.