
Hello. I am analyzing virus through Virtualbox, and am using Wireshark in my real computer (mac) to monitor all of the network connections it makes. I have gotten a lot of network activity from the virus, showing me the IP that it is communicating to, the network protocol that it is using, etc. I always get data inside of my little hex viewer at the bottom of Wireshark, but whenever I click "Follow TCP Stream", nothing shows up. I am almost positive that this is because, inside of the INFO column in Wireshark, I always get a length value of 0 "Len=0". I know that these packets contain data, but it's frustrating how Wireshark always gives me the value of "Len=0", and doesn't let me follow the TCP stream.

Any help would be appreciated in resolving this issue, thank you.

asked 09 Oct '12, 22:29


mourginakis

So does the virus use a modified TCP stack, in which it obfuscates the 'TCP' datastream?

(09 Oct '12, 23:08) Jaap ♦

can you post the capture file at cloudshark.org?

(09 Oct '12, 23:41) Kurt Knochner ♦

"Virus" was a bit of a misnomer. It's more of a worm, but the point still stands, it's communicating over the internet. Because I can't save my capture file without saving all of the captured packets, I'll just give you an example:

1078 158.006317000 192.168.0.12 1..**.(dst. ip) TCP 78 50384 > 36 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=16 TSval=392959107 TSecr=0 SACK_PERM=1

And in the hex view I get: .=.k..h. m ....E. .@gc@[email protected] a....... .....$.O l....... ........ ........ ...l.... ......

If this data is being obfuscated, is there a way to un-obfuscate it? If so, how? Thanks.

(10 Oct '12, 17:26) mourginakis

If you expand each of the sections (Frame, Ethernet, IP, TCP, etc.) and click the last item in the last section, does it highlight the last "....." section of the bytes? If yes, then there is no data transfer yet.

The packet output you posted appears to be a TCP SYN packet. The number of bytes you referenced (77 excluding spaces) is about right for a SYN. If you're only seeing SYN packets and no responses, the worm is probably just trying to establish a connection with its Command & Control host.

If you can post the packet capture, or a screenshot of the expanded protocol information (you can obfuscate the IPs if you want), it can be verified.

-Greg


answered 17 Oct '12, 11:08


thechaosmachine
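The answer above explains why the Info column reads Len=0: a SYN segment is all header (base header plus options) and carries no payload, so there is nothing for Follow TCP Stream to show. As an added example that is not part of the original thread, the Python below builds a constructed 78-byte SYN frame with the same options Wireshark reported in the question (MSS=1460, WS=16, timestamps, SACK_PERM) and parses it the way Wireshark derives its Info column; the MAC addresses and the destination IP (a TEST-NET placeholder) are assumptions.

```python
import struct

# Constructed sample frame (not from the question's capture): Ethernet/IPv4/TCP SYN,
# 78 bytes on the wire, ports and options matching the packet quoted above.
def build_syn_frame() -> bytes:
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    opts = (struct.pack("!BBH", 2, 4, 1460)              # MSS=1460
            + b"\x01"                                     # NOP
            + struct.pack("!BBB", 3, 3, 4)                # window scale shift 4 -> WS=16
            + b"\x01\x01"                                 # NOP, NOP
            + struct.pack("!BBII", 8, 10, 392959107, 0)   # TSval, TSecr
            + struct.pack("!BB", 4, 2)                    # SACK_PERM
            + b"\x00\x00")                                # end-of-options padding
    off = (20 + len(opts)) // 4                           # header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", 50384, 36, 0, 0, off << 4, 0x02, 65535, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes([192, 168, 0, 12]), bytes([203, 0, 113, 7]))  # dst is a placeholder
    return eth + ip + tcp

FLAG_NAMES = [(0x02, "SYN"), (0x10, "ACK"), (0x08, "PSH"), (0x01, "FIN"), (0x04, "RST")]

def tcp_summary(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> TCP and return what Wireshark's Info column derives.
    'len' is the TCP payload size: 0 when the segment is nothing but headers."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4                          # IP header length, options included
    ip_total = struct.unpack("!H", frame[16:18])[0]
    tcp = frame[14 + ihl:14 + ip_total]                   # drop Ethernet trailer/padding if any
    sport, dport, seq, _ack, off, flags, win = struct.unpack("!HHIIBBH", tcp[:16])
    hdr_len = (off >> 4) * 4                              # TCP data offset, options included
    info = {"sport": sport, "dport": dport, "seq": seq, "win": win,
            "flags": [n for bit, n in FLAG_NAMES if flags & bit],
            "len": len(tcp) - hdr_len}                    # bytes Follow TCP Stream would show
    i = 20
    while i < hdr_len:                                    # walk the TCP option list
        kind = tcp[i]
        if kind == 0:                                     # end of options
            break
        if kind == 1:                                     # NOP (single byte)
            i += 1
            continue
        length = tcp[i + 1]
        body = tcp[i + 2:i + length]
        if kind == 2:
            info["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3:
            info["ws"] = 1 << body[0]
        elif kind == 4:
            info["sack_perm"] = True
        elif kind == 8:
            info["tsval"], info["tsecr"] = struct.unpack("!II", body)
        i += length
    return info
```

The same parser applied to later segments of the stream will report a non-zero len only once one side starts sending application data, which is the point at which Follow TCP Stream has something to display.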
