Hello. I am analyzing a virus through VirtualBox, and am using Wireshark on my real computer (Mac) to monitor all of the network connections it makes. I have gotten a lot of network activity from the virus, showing me the IP that it is communicating with, the network protocol that it is using, etc. I always get data inside of my little hex viewer at the bottom of Wireshark, but whenever I click "Follow TCP Stream", nothing shows up. I am almost positive that this is because, inside of the INFO column in Wireshark, I always get a length value of 0 "Len=0". I know that these packets contain data, but it's frustrating how Wireshark always gives me the value of "Len=0", and doesn't let me follow the TCP stream. Any help would be appreciated in resolving this issue, thank you. asked 09 Oct '12, 22:29 mourginakis
One Answer:
If you expand each of the sections (Frame, Ethernet, IP, TCP, etc.) and click the last item in the last section, does it highlight the last "....." section of the bytes? If yes, then there is no data transfer yet. The packet output you posted appears to be a TCP SYN packet. The number of bytes you referenced (77 excluding spaces) is about right for a SYN. If you're only seeing SYN packets and no responses, the worm is probably just trying to establish a connection with its Command & Control host. If you can post the packet capture, or a screenshot of the expanded protocol information (you can obfuscate the IPs if you want), it can be verified. -Greg answered 17 Oct '12, 11:08 thechaosmachine
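To make the answer's point concrete, here is an added Python example (not from the thread) that builds a constructed 78-byte SYN frame with the option layout a macOS stack puts on a SYN, plus a second segment that does carry data, and then computes the segment length the way Wireshark's "Len=" does (IP total length minus IP and TCP headers); the addresses, MACs and payload are placeholder values.

```python
import struct

# Constructed sample addresses (private/documentation ranges, placeholder MACs), not from the capture.
SRC_IP, DST_IP = bytes([192, 168, 0, 12]), bytes([203, 0, 113, 10])
MAC_HDR = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00"

# Option layout a macOS stack sends on a SYN: MSS 1460, NOP, WS (shift 4 = x16),
# NOP, NOP, Timestamps, SACK permitted, then EOL padding to a 4-byte boundary (24 bytes).
MAC_SYN_OPTS = (b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x04" + b"\x01\x01"
                + b"\x08\x0a" + struct.pack("!II", 392959107, 0) + b"\x04\x02" + b"\x00\x00")


def build_frame(tcp_flags, options=b"", payload=b"", sport=50384, dport=36):
    """Ethernet + IPv4 + TCP frame; checksums are left 0 because only lengths are parsed."""
    assert len(options) % 4 == 0
    doff = (20 + len(options)) // 4                  # TCP data offset in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, doff << 4, tcp_flags,
                      65535, 0, 0) + options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000,
                     64, 6, 0, SRC_IP, DST_IP)
    return MAC_HDR + ip + tcp


def tcp_summary(frame):
    """Compute what Wireshark shows as Len=: IP total length minus IP and TCP header sizes."""
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    t = 14 + ihl                                     # offset of the TCP header
    doff = (frame[t + 12] >> 4) * 4
    flags = frame[t + 13]
    names = [n for bit, n in ((0x02, "SYN"), (0x10, "ACK"), (0x08, "PSH"),
                              (0x01, "FIN"), (0x04, "RST")) if flags & bit]
    seg_len = total_len - ihl - doff
    return {"frame_len": len(frame), "tcp_hdr_len": doff, "flags": names,
            "len": seg_len, "payload": frame[t + doff:t + doff + seg_len]}


def mac_syn():
    return build_frame(0x02, MAC_SYN_OPTS)           # SYN only: 78 bytes, nothing to follow yet


def data_segment():
    ts = b"\x01\x01\x08\x0a" + struct.pack("!II", 392959200, 1)   # NOP, NOP, Timestamps
    return build_frame(0x18, ts, b"hello c2\r\n")    # PSH+ACK carrying 10 bytes of data


if __name__ == "__main__":
    for f in (mac_syn(), data_segment()):
        s = tcp_summary(f)
        print(f"frame {s['frame_len']} bytes, TCP hdr {s['tcp_hdr_len']}, "
              f"{'+'.join(s['flags'])} Len={s['len']} payload={s['payload']!r}")
```

A SYN whose 44-byte TCP header fills the whole 64-byte IP datagram yields Len=0 and an empty payload, which is why "Follow TCP Stream" has nothing to reassemble until a segment like the second one appears.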
So does the virus use a modified TCP stack, in which it obfuscates the 'TCP' datastream?
Can you post the capture file at cloudshark.org?
"Virus" was a bit of a misnomer. It's more of a worm, but the point still stands: it's communicating over the internet. Because I can't save my capture file without saving all of the captured packets, I'll just give you an example:
1078 158.006317000 192.168.0.12 1..**.(dst. ip) TCP 78 50384 > 36 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=16 TSval=392959107 TSecr=0 SACK_PERM=1
And in the hex view I get: .=.k..h. m ....E. .@gc@[email protected] a....... .....$.O l....... ........ ........ ...l.... ......
If this data is being obfuscated, is there a way to un-obfuscate it? If so, how? Thanks.