How to identify an infected computer trying to spread a threat like a worm on other machines

Article ID: 180312

Products

Endpoint Protection

Issue/Introduction


Resolution

If a threat such as a worm is trying to spread over your network, it is crucial to identify the machine(s) that are infected. Those computers need to be isolated and cleaned before the threat can spread further. The following approach can help you identify the source:

  • A simple way is to use the ARP table:

    When a threat tries to spread from an infected computer to another, it opens connections to that "target computer", so the IP and MAC addresses of the "attacking computer" are recorded in the ARP table of the "target computer" (until the ARP cache timeout removes them).

    The following batch script can be used on the "target computer" to record the contents of its ARP table at regular intervals, so that the IP address of the "attacking computer" is captured even after the entry has expired from the cache:

    :start
    rem Timestamp each snapshot so entries can later be matched against detection times
    echo ==== %date% %time% ==== >> C:\arptablelog.txt
    rem Append (>>) rather than overwrite (>) so every snapshot is kept, not just the last one
    arp -a >> C:\arptablelog.txt
    rem Wait: a single ping to an address that never answers blocks for the -w timeout
    ping 1.1.1.1 -n 1 -w 60000 > nul
    goto :start


    The address 1.1.1.1 is used as one that should not send an ICMP echo reply, so the ping waits for the full timeout before the loop continues. Note that 1.1.1.1 is today the anycast address of a public DNS resolver and does answer pings from networks with Internet access; on such networks use an address that is known not to answer on your network (or the "timeout /t 60 /nobreak" command available on Windows Vista and later) to get the intended delay.
    In this example the ping timeout is set to 60000 ms (60 seconds) and may need to be adjusted, depending on the ARP cache timeout.

    With the script above, the result is written to the file "C:\arptablelog.txt" and will contain various IP addresses, including that of the "attacking computer(s)". Check whether any detections were logged on the "target computer" while the script was running; the IP addresses recorded during that interval are the candidates.
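    The ARP log quickly fills with legitimate peers (the default gateway, file servers, management hosts), so the useful step is to parse the appended snapshots and single out addresses that are not expected on that segment. The following Python script is an added example, not part of the original article or of the product; it assumes the batch loop appends each "arp -a" snapshot after a marker line of the form "==== date time ====" (a constructed format), and the IP and MAC addresses in the embedded sample log are made up. Only "dynamic" entries are considered, because static broadcast and multicast entries are never evidence of a peer contacting the host.

```python
import re
from collections import defaultdict

# Constructed sample of C:\arptablelog.txt: a marker line per snapshot followed
# by the raw "arp -a" output. Addresses and MACs are invented for this example.
SAMPLE_LOG = """\
==== 01/02/2024 10:00:00 ====

Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
==== 01/02/2024 10:01:00 ====

Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-01     dynamic
  192.168.1.77          00-11-22-33-44-77     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
==== 01/02/2024 10:02:00 ====

Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-01     dynamic
  192.168.1.77          00-11-22-33-44-77     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Marker written by the batch loop before each snapshot (assumed format).
MARKER_RE = re.compile(r"^==== (.*?) ====\s*$")
# One "arp -a" entry: IPv4 address, MAC in Windows dash notation, entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+"
    r"(dynamic|static)\s*$"
)


def parse_arp_log(text):
    """Split the appended log into snapshots: [(timestamp, {ip: mac}), ...].
    Only dynamic entries are kept; static ones (broadcast, multicast) are not
    evidence of another host having talked to this one."""
    snapshots = []
    current = None
    for line in text.splitlines():
        m = MARKER_RE.match(line)
        if m:
            current = (m.group(1), {})
            snapshots.append(current)
            continue
        e = ENTRY_RE.match(line)
        if e and current is not None and e.group(3) == "dynamic":
            current[1][e.group(1)] = e.group(2).lower()
    return snapshots


def summarize_peers(snapshots, baseline=frozenset()):
    """For each dynamic IP: when it first appeared, in how many snapshots it
    was present and which MACs it used. IPs absent from 'baseline' (the known
    gateway, servers and admin hosts) are flagged for a closer look."""
    first_seen, first_index = {}, {}
    count = defaultdict(int)
    macs = defaultdict(set)
    for idx, (ts, entries) in enumerate(snapshots):
        for ip, mac in entries.items():
            first_seen.setdefault(ip, ts)
            first_index.setdefault(ip, idx)
            count[ip] += 1
            macs[ip].add(mac)
    return {
        ip: {
            "first_seen": first_seen[ip],
            "first_index": first_index[ip],
            "snapshots": count[ip],
            "macs": sorted(macs[ip]),
            "suspicious": ip not in baseline,
        }
        for ip in first_seen
    }


def suspicious_ips(report):
    """Unexplained IPs, most recently appeared first, so the newest arrival is
    matched against detections logged around its first-seen time."""
    return sorted(
        (ip for ip, info in report.items() if info["suspicious"]),
        key=lambda ip: report[ip]["first_index"],
        reverse=True,
    )


if __name__ == "__main__":
    snaps = parse_arp_log(SAMPLE_LOG)
    rep = summarize_peers(snaps, baseline={"192.168.1.1"})
    for ip in suspicious_ips(rep):
        info = rep[ip]
        print(f"{ip}: first seen {info['first_seen']}, in {info['snapshots']} "
              f"snapshot(s), MAC(s) {', '.join(info['macs'])}")
```

    In a real investigation, replace SAMPLE_LOG with the contents of the collected file and fill the baseline with the addresses that legitimately talk to the "target computer"; an address that first appears shortly before a detection is the one to isolate and check. Recording the MAC as well helps when the suspect address is handed out by DHCP and changes between snapshots.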




Using this method can help identify the "attacking computer" so that it can be isolated and cleaned.