I sat and stared at my screen as my stomach sank and I felt a lump form in the back of my throat. I had an endless amount of data at my disposal, but I had no idea where to start. I thought I was going to be sick.
After banging my head against the keyboard for a while, I decided to look through old investigation tickets for inspiration, and I ran across a piece of malware I’d looked at months earlier. The malware wasn’t anything special, but it communicated over HTTP for command and control and used a custom user-agent that was distinctive.
That got the wheels turning, and I started asking questions.
It wasn’t just that the custom user-agent made the malware unique, it made it unique relative to all the other user agents on my network. It wasn’t one I had ever seen before and certainly wasn’t something I expected. Maybe I could use the idea of a unique HTTP user-agent for hunting similar malware?
I fired up the terminal and searched for a chunk of HTTP proxy data from the past week. Using a little command-line kung-fu, I pulled out all the unique user agents, counted them, and sorted them by the frequency of occurrence. All the usual suspects were present at the top of the list: Chrome, Firefox, Internet Explorer. But, the bottom of the list yielded something a lot more interesting. There were at least half a dozen HTTP user agents I didn’t recognize. I’d found my first hunting anomalies! After further investigation, at least a couple turned out to be malware that our IDS had missed.
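The stack-counting step described above, worked through as an added example (this is not the author's own one-liner, and the pipe-delimited log format, field order and every log line are constructed for the demonstration, not taken from a real proxy). It goes one step past the post by adding a threshold filter that prints only the user agents seen a handful of times, which is the "bottom of the list" a hunter actually wants to read:

```shell
#!/bin/sh
# Constructed sample proxy log (not real data). Fields are
# timestamp|client_ip|method|host|status|user_agent, pipe-delimited so
# that user agents containing spaces and semicolons parse cleanly.
LOG="${TMPDIR:-/tmp}/ua_stack_demo.log"
cat > "$LOG" <<'EOF'
2019-03-04T09:00:01|10.0.0.11|GET|www.example.com|200|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/72.0
2019-03-04T09:00:02|10.0.0.12|GET|www.example.com|200|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/72.0
2019-03-04T09:00:03|10.0.0.13|GET|cdn.example.net|200|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/72.0
2019-03-04T09:00:04|10.0.0.14|GET|www.example.org|304|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/72.0
2019-03-04T09:00:05|10.0.0.15|POST|www.example.com|200|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/72.0
2019-03-04T09:00:06|10.0.0.21|GET|www.example.com|200|Mozilla/5.0 (Windows NT 6.1; rv:65.0) Gecko/20100101 Firefox/65.0
2019-03-04T09:00:07|10.0.0.22|GET|www.example.org|200|Mozilla/5.0 (Windows NT 6.1; rv:65.0) Gecko/20100101 Firefox/65.0
2019-03-04T09:00:08|10.0.0.23|GET|cdn.example.net|200|Mozilla/5.0 (Windows NT 6.1; rv:65.0) Gecko/20100101 Firefox/65.0
2019-03-04T09:00:09|10.0.0.24|GET|www.example.com|200|Mozilla/5.0 (Windows NT 6.1; rv:65.0) Gecko/20100101 Firefox/65.0
2019-03-04T09:00:10|10.0.0.31|GET|www.example.com|200|Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
2019-03-04T09:00:11|10.0.0.32|GET|www.example.org|200|Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
2019-03-04T09:00:12|10.0.0.33|GET|www.example.com|200|Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
2019-03-04T09:00:13|10.0.0.40|POST|198.51.100.7|200|updater-svc/1.0
2019-03-04T09:00:14|10.0.0.41|GET|203.0.113.9|200|Mozilla/4.0 (compatible)
EOF

# stack_user_agents LOGFILE
# Prints "count<TAB>user_agent", least frequent first. awk keys on the
# 6th pipe-delimited field so the whole user-agent string is one key;
# sort -n orders by the leading count.
stack_user_agents() {
    awk -F'|' 'NF >= 6 { count[$6]++ }
               END { for (ua in count) printf "%d\t%s\n", count[ua], ua }' "$1" \
    | sort -n
}

# rare_user_agents LOGFILE THRESHOLD
# Keeps only user agents seen THRESHOLD times or fewer: the bottom of the
# stack, where the unfamiliar strings worth an analyst's time end up.
rare_user_agents() {
    stack_user_agents "$1" | awk -F'\t' -v max="$2" '$1 <= max { print $2 }'
}

stack_user_agents "$LOG"
```

On a real proxy, swap the awk field for whatever column your log format puts the user agent in (a squid-style access log with a quoted user agent needs a quote-aware split), and run it over a full week rather than a day so that legitimate but infrequent clients accumulate enough hits to rise out of the rare bucket.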