This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

filters for Torpig / Sinowal etc


Could someone tell me how to set up filters to see which machine has a rootkit?

For example: a customer has 100+ PCs, all with antivirus. Now one machine has the Torpig virus. I am running Wireshark on the server to check packets for 24 hours.

Now I would like to filter it to quickly see it. I used tcp.dstport == 80 and http.request.method == POST as filters, since the rootkits use that, but it's still a lot to go through.

Thanks in advance

asked 09 May '12, 07:32 by Jotronics


One Answer:


Hi,

Trying to detect a trojan just by looking at the network traffic is hard if you don't know how it behaves (the IP addresses it contacts, i.e. C&C servers, what kind of data "pattern" it uses, etc.).

Just looking for POST requests across a whole network won't help you, as there will be loads of regular POST requests from your users (logging in somewhere, etc.).

So, what can you do?

Luckily, there are papers available that describe in detail how Torpig works and which servers it tries to contact:

http://fserror.com/pdf/Torpig.pdf
http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf

Within one document you'll find a list of possible C&C servers:

I suggest you look for any data directed to those servers in the first place.

Display filter: resolve the names above to IP addresses and then use this filter (one ip.addr clause per resolved address):

ip.addr eq x.x.x.x or ip.addr eq x.x.x.x or ip.addr eq x.x.x.x

HOWEVER: Torpig uses "domain flux" (DNS flux), so the servers above might have changed and you won't see any traffic to them.

Basically, this is just something to get you started, and I hope it gives you an idea of how to continue.

Regards
Kurt

answered 09 May '12, 11:31 by Kurt Knochner ♦

edited 09 May '12, 12:05

Kurt, thank you for your information. This was the key to finding the 1 PC in 1000 ;)

Sorting the data by IP address and scrolling quickly through it, you suddenly see lots of strange domain names with the same IP address.

That was the new, updated Torpig rootkit. I removed the PC from the network for deeper analysis.

Examples of the new domain names: tkdut.com xctwniban.com zoxini.com lqtmd.com kjehip.com biraxwdqd.com

Shame I cannot attach a picture, so other people with the same question could see an example.

-Milo

(10 May '12, 01:05) Jotronics

You might want to accept Kurt's answer if it helped you ;-)

(10 May '12, 01:32) Jasper ♦♦

Congrats, you developed yourself a good way to detect "domain flux" malware. Filter on 'dns.request' and sort by the source IP. If there are clients that resolve "strange" names, that could be a trojan. You could post the picture on Flickr.

(10 May '12, 01:42) Kurt Knochner ♦
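The approach arrived at in this thread (group DNS queries by client and look for hosts that resolve many odd-looking names) can be scripted instead of scrolled through. The example below is added here and is not code from the original page or from the Wireshark project. It assumes the query list was exported from the capture with tshark, as `ip.src` and `dns.qry.name` fields on one tab-separated line per query (the exact tshark invocation is shown in the docstring and is an assumption about the field names); the sample lines embedded in the script are constructed, with the infected host resolving the names reported above. The per-name heuristic (few vowels or long consonant runs) is deliberately simple and misses pronounceable names like zoxini.com; the per-host count is what singles the client out.

```python
"""Flag clients that resolve many odd-looking (domain-flux / DGA-style) names.

Added example, not from the original Q&A page. Input format assumed here is
one query per line, "<ip.src>\t<dns.qry.name>", as produced by this assumed
tshark invocation over a capture file:

    tshark -r capture.pcap -Y "dns.flags.response == 0" \
           -T fields -e ip.src -e dns.qry.name
"""
from collections import defaultdict
import re

# Constructed sample of tshark field output: three ordinary clients plus
# one host (10.0.0.57) resolving the names reported in the thread above.
SAMPLE = """\
10.0.0.12\twww.google.com
10.0.0.12\tmail.example.org
10.0.0.57\ttkdut.com
10.0.0.23\tupdate.microsoft.com
10.0.0.57\txctwniban.com
10.0.0.12\tcdn.jquery.com
10.0.0.57\tzoxini.com
10.0.0.23\twww.wireshark.org
10.0.0.57\tlqtmd.com
10.0.0.57\tkjehip.com
10.0.0.45\tlogin.live.com
10.0.0.57\tbiraxwdqd.com
10.0.0.45\tkjehip.com
"""

VOWELS = set("aeiouy")


def registrable_label(qname):
    """Return the label left of the TLD ('tkdut' for 'www.tkdut.com').
    Simple split on dots; multi-part TLDs such as co.uk are not handled."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_generated(label):
    """Cheap DGA heuristic: flag labels with few vowels or a consonant run
    of four or more. Pronounceable generated names (e.g. 'zoxini') slip
    through; the per-host aggregation below compensates for that."""
    letters = "".join(c for c in label if c.isalpha())
    if len(letters) < 4:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max((len(m) for m in re.findall(r"[^aeiouy]+", letters)),
                      default=0)
    return vowel_ratio < 0.3 or longest_run >= 4


def parse(text):
    """Parse tab-separated '<ip.src>\t<dns.qry.name>' lines into pairs."""
    pairs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, qname = line.split("\t", 1)
        pairs.append((ip.strip(), qname.strip()))
    return pairs


def suspicious_hosts(text, min_hits=3):
    """Map each client IP to the sorted list of odd names it resolved,
    keeping only hosts with at least min_hits distinct odd domains."""
    hits = defaultdict(set)
    for ip, qname in parse(text):
        if looks_generated(registrable_label(qname)):
            hits[ip].add(qname)
    return {ip: sorted(names) for ip, names in hits.items()
            if len(names) >= min_hits}


if __name__ == "__main__":
    for ip, names in suspicious_hosts(SAMPLE).items():
        print(f"{ip}: {len(names)} odd lookups -> {', '.join(names)}")
```

On the constructed sample only 10.0.0.57 is reported, even though 10.0.0.45 also resolved kjehip.com once: a single odd-looking name is normal noise on a busy network, a client resolving several distinct ones in a short window is what the thread's manual sort-by-IP method was spotting. Tune `min_hits` to the network, and treat the output as a list of hosts to pull a full capture from, not as a verdict.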