The Internet is facing threats from increasingly stealthy and sophisticated malware. Recent reports have suggested that new computer worms and malware deliberately avoid fast, massive propagation. Instead, they lurk in infected machines and inflict contaminations over time, such as rootkit and backdoor installation, botnet creation, and data/identity theft. In defense against Internet malware, the following tasks are critical: (1) raising timely alerts to trigger a malware investigation, (2) determining the break-in point of the malware, i.e., the vulnerable software via which the malware initially infiltrated the victim, and (3) identifying all contaminations inflicted by the malware during its residence in the victim. In this talk, I will present Process Coloring, an information flow-preserving, provenance-aware approach to malware investigation. In particular, I will demonstrate that by preserving and tainting malware break-in provenance along OS-level information flows, malware investigators can improve the efficiency and effectiveness of existing log-based intrusion investigation tools. Furthermore, process coloring brings the new capability of runtime malware alerts, which cannot be achieved by existing log-based tools. I will also present results of our experiments with a number of real-world Internet worms, as well as a highly tamper-resistant implementation of process coloring using virtualization-based techniques.
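As an added illustration of the colouring idea (not code from the talk or its authors): each network-facing service is seeded with its own colour, the colour follows fork, write and read flows, a coloured process touching a sensitive path raises a runtime alert whose colour names the break-in service, and the per-colour contamination set answers "what did it touch". The event format, the sensitive-path policy and the trace are all constructed for this example.

```python
from collections import defaultdict

# Constructed policy: writes here by a coloured process raise a runtime alert.
SENSITIVE_PREFIXES = ("/etc/", "/lib/modules/", "/usr/sbin/")

class ProcessColoring:
    """Tracks colours (break-in provenance) across fork/read/write flows."""

    def __init__(self, seeds):
        # Seed colours: each network-facing service pid gets one colour.
        self.proc_colors = {pid: {c} for pid, c in seeds.items()}
        self.file_colors = defaultdict(set)      # path -> colours that touched it
        self.contaminations = defaultdict(set)   # colour -> objects it spread to
        self.alerts = []                         # (pid, path, colours)

    def colors_of(self, pid):
        return self.proc_colors.setdefault(pid, set())

    def _spread(self, colors, obj):
        for c in colors:
            self.contaminations[c].add(obj)

    def handle(self, ev):
        op, pid = ev["op"], ev["pid"]
        colors = self.colors_of(pid)
        if op == "fork":                         # child inherits all parent colours
            self.proc_colors[ev["child"]] = set(colors)
            self._spread(colors, ("proc", ev["child"]))
        elif op == "write":                      # process -> file flow
            self.file_colors[ev["path"]] |= colors
            self._spread(colors, ("file", ev["path"]))
            if colors and ev["path"].startswith(SENSITIVE_PREFIXES):
                self.alerts.append((pid, ev["path"], frozenset(colors)))
        elif op == "read":                       # file -> process flow
            colors |= self.file_colors[ev["path"]]

def investigate(events, seeds):
    """Replay a trace; return alerts and the sorted contamination set per colour."""
    pc = ProcessColoring(seeds)
    for ev in events:
        pc.handle(ev)
    return pc.alerts, {c: sorted(objs) for c, objs in pc.contaminations.items()}

# Constructed trace: sshd (pid 10) is coloured "sshd", httpd (pid 20) "httpd".
# httpd spawns a shell that drops a file, which a grandchild reads before
# modifying /etc/passwd; sshd meanwhile does a benign log write.
EVENTS = [
    {"op": "fork", "pid": 20, "child": 21},
    {"op": "write", "pid": 21, "path": "/tmp/dropper"},
    {"op": "fork", "pid": 21, "child": 22},
    {"op": "read", "pid": 22, "path": "/tmp/dropper"},
    {"op": "write", "pid": 22, "path": "/etc/passwd"},
    {"op": "write", "pid": 10, "path": "/var/log/auth.log"},
]
SEEDS = {10: "sshd", 20: "httpd"}
```

The alert carries colour "httpd", identifying the break-in service, while the "sshd" colour's only contamination is a benign log file, showing that colour records provenance, not maliciousness.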