- Published on
Identify Possible Infection of Malware Into the Wireshark Capture File
- Authors
- Name
- Predrag TASEVSKI
INTRODUCTION
The main goal of laboratory report is to identify possible infection of malware into the wireshark capture file. The report should highlight the following aspects:
Download [not available anymore]
Find malware download in this pcap and extract malware or malwares find out where malware was downloaded from.
What malware, malwares changes in system.
C&C Names and address.
Document the process also where You found hints and how exactly You did it (you need to show Your thought and communication process – please write a summary of it.)
Write an incident report.
Moreover, we have to consider the malware analysis report reminders, please refer to [1] or [2]. Additional, analysis it is stated into the Analysis section, where we explain the techniques, filter tools, gather knowledge, links, etc. Structure of the laboratory report is first to present analysis with details information. Malware and infections description are described. Finally the conclusion made of all analysis will be concise in summary section.
ANALYSIS
To be able to open and use the above file, firstly we have to download the wireshark tool. Where the main goal and purpose for wireshark application is to analysis a network protocols from captured file. Therefore please refer to the following link.
Useful links for future use, please refer to [3, 4, 5 and 6]. On figure 1 it shows the Graphic Interface of Wireshark application with running filter: http protocol.
Illustration 1: Wireshark application, filter: http protocol
However, from the figure 1 we can see that there is a lot of traffic generated by the user. Therefore we have to apply and additional filter rules, which will help and guide for better and easy analysis. As we go through each generated http protocol traffic we can conclude that the user generated and has been visiting different source, where can be potential threat for the organization and personal use with a different malicious code.
To be able to filter only the http protocols on port 80 with a header GET, we should use the following filter: http.request.method == “GET”. Where this filter will narrow down the results that are presented into the captured file. In spite of the filter above it helps a lot, yet there is still a lot of traffic generated, consequently we have to utilize an additional filter.
Another extremely useful wireshark option we used, was Analyze → Follow TCP Stream which shows communication between IP addresses in more readable and useful way: shows DNS name for the IP and if file was downloaded gives file type and name. We discovered that IP address 79.137.237.34 belongs to accord-component.ru. When we accessed the site with various web browsers, all of them showed that it contained malware.
GET /serial/index.php HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NETCLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Connection: Keep-AliveHost: accord-component.ruHTTP/1.1 200 OKServer: nginxDate: Wed, 30 Nov 2011 23:07:18GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: PHP/5.3.2Content-Encoding: gzip</pre)Another suspicious IP was 86.63.168.101, where from this IP address brought us to<br)domain name zumlelao.com, but it was un-accessible from browsers. Wireshark showed the User downloaded file 4.exe from zumlelao.com.<pre class="brush: php")GET /load.php?file=0HTTP/1.1Accept: image/jpeg, application/x-ms-application, image/gif,application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*Accept-Language: etUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NETCLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Accept-Encoding: gzip, deflateHost: zumlelao.comConnection: Keep-AliveHTTP/1.1 200 OKDate: Wed, 30 Nov 2011 21:55:02GMTServer: Apache/2X-Powered-By: PHP/5.2.17Cache-Control: publicContent-Disposition: attachment; filename=4.exeContent-Transfer-Encoding: binaryVary: Accept-EncodingContent-Encoding: gzipContent-Length: 10666Keep-Alive: timeout=1, max=100Connection: Keep-AliveContent-Type: application/octet-stream
Additionally, we can always use an Find function, which will help as to identify certain traffic or site. Figure 2 demonstrated the usage of the Find function, accessible from menu Edit -) Find.
Other IP addresses that were generated/extracted first the ones with malware detected: 79.137.237.34 -accord-component.ru; 86.63.168.101 zumlelao.com
. Other IP’s are: 173.194.32.32 (33,34,41,50,51,52,58,59,60,63), 192.168.123.1, 193.184.164.159 (174,176,185), 193.40.252.83, 193.88.71.156, 194.126.108.69 (70), 194.126.124.136, 194.204.14.49, 195.222.15.74, 199.7.48.190, 209.85.173.95, 123.168.24.204 (209,221,225,229,235), 79.137.237.34, 80.252.91.41 (61), 69.171.228.11, 23.32.89.55, 23.32.99.172, 216.34.181.45 (48), 213.168.24.26, 90.190.148.34 (40), 86.63.168.101, 82.98.58.48, 81.19.238.61.
If we run or analysis the above domain names into the google we will automatic indicated that the zumlelao.com it is an before reported as a malware site and the second too. Therefore the analysis and the infection of details of malware are highlighted into the next section.
INFECTION
Indeed, the above captured file presents traffic generated by the user, that can be threat for the organization, home user, etc. As from the previous section demonstrates how to identify if the generated traffic has infected or has the user visit the malicious code sites. This section identifies the malicious code and displays their details. Moreover, the zumlelao.com host it is reported previous as malicious code site. For this purpose we gather the help from the following [link] (https://sopport.clean-mx.de/). Here is the reported malicious, suspicious code from the above host in the table bellow.
URL | Virus name | IP Initial | Link |
---|---|---|---|
https://zumlelao.com/oad.php?file=grabbers | 0/40(0.0%) unknown_htm | 86.63.168.101 | |
https://zumlelao.com/2.exe | 13/40 (32.5%) TR/TDss.77.1 | 86.63.168.101 | |
https://zumlelao.com/load.php?file=0 | 20/40 (50%) TR/Crypt.XPACK.Gen3 | 86.63.168.101 |
Furthermore, figure 3 is proving the analysis made through the wireshark, were one of the above links has been access, for more details clink on the above link and points in a figure 3:A and B.
Illustration 3: Prove of generating traffic of following malware [link] https://zumlelao.com/load.php?file=0 were B and A are proving the links and the IP initiation.
Moreover, to get the file itself for analysis, we used Netresec’s Network Miner 2.1 https://www.netresec.com/?page=NetworkMiner. In Files menu, it shows all packets as files.We uploaded 4.exe.octet-stream to virustotal.com – 30 Antivirus software identified as malware Virustotal [link](https://www.virustotal.com/file-scan/report.html?id=d6ee8736cd2eae8571b193b28b59dff33e9607237f78b0888d69c70f241bb04b-1323098398](https://www.virustotal.com/file-scan/report.html?id=d6ee8736cd2eae8571b193b28b59dff33e9607237f78b0888d69c70f241bb04b-%201323098398).
MD5 : 94a7f6430510fe7314c1e746bad79bf4SHA1 : 69ab04c9c586a8cf07a00665e160a48260a2465eSHA256: d6ee8736cd2eae8571b193b28b59dff33e9607237f78b0888d69c70f241bb04bF-Secure identified malware as Trojan.Generic.KD.438472
Trojan.Generic.KD malwares usually are classified as Backdoors. It infects executable files in the system and its main goal is to make backdoor into the system. It changes registry. In some cases it can put payload on the infected system, slow it down and make internet browsing difficult and time consuming. Aim of the malware can be stealing information or gaining partial/full access of the victim’s system. On the other hand, Trojan.Generic.KD malwares are difficult to remove from infected computers. From VirusTotal analysis we can see that various antivirus software can discover and identify Trojan.Generic.KD.438472. Therefore one can remove malware by downloading antivirus software provided by F-Secure, Comodo, Microsoft, Sophos, Symantec, DrWeb, etc. Here is an example from Dr.Web how to delete Trojan.Generic.KD [malware] (https://www.drwebhk.com/en/virus_removal/694829/Trojan.Generic.KD.53986.html).
For our case we downloaded Dr.Web CureIt (free edition for home PCs, which discovered the malware and removed it) – Link.
Before continuing to disinfect the system, please read and understand the massage delivered through this forum.
SUMMARY
Nowadays malicious codes, infection of the system is one of the highest vector of production work everyday of the organizations. Therefore, different approaches, advance analysis, troubleshooting, etc. has to be applicable and stated in every organization. Leaking of data, information, access of network (internal and external) can be very harmful for organization and even the home usage of computers. Therefore, this laboratory report main aim is to provide the reader to be able to conduct advance analysis of system and their identification of infection within the wireshark network analysis tool.
From the above sections in Analysis and in the Infection we have to follow the steps and links that will help us for a further work. Meanwhile, the captured generated traffic from the distributed file has indeed indicated that the system it is infected. Were as an prove we demonstrate an screen-shot, figure 3, that one of the infected link has been visited. Likewise, the system of this user is infected. Thus infection identified name is: TR/Crypt.XPACK.Gen3, where we do supply and the disinfecting stepwise solution with the above link. Closing, as there are many different ways, tools, process for analysing the malicious code behaviours in system this laboratory report is supplying the reader with advance and stepwise solution for identifying the infection of the system within advance network analysis wireshark application.
WORKLOAD
We made analysis on the virtual Windows 7 machine. For virtualization we used VirtualBox. During analysis each of group member did the same analysis to cross - reference the results.
We basically used the following tools: Wireshark, Network Miner and virustotal.com.
Bibliography
[1] Lenny Zeltser, Reverse-Engineering: Malware Analysis Tools and Techniques Training, 2011, Link.
[2] Lenny Zeltser, Malware analysis report reminders, 2011, Link.
[3] Kevin, Malware Analysis & Malware Reverse Engineering, NA, Link.
[4] Chris Greer, Top 10 Wireshark Filters, April 2010, Link.
[5] Russ McRe, Security Analysis with Wireshar, November 2006
[6] Chief Banana, Using Wireshark filters for capturing malware, March 2011, Link.
The above post is written by Predrag Tasevski and Mikheil Basilaia