This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

My home ip address is blacklisted on http://cbl.abuseat.org/lookup.cgi?ip=63.142.130.18&.pubmit=Lookup and they state that a workstation in my home is infected with the ZeuS trojan, also known as "Zbot" and "WSNPoem"

I delisted my ip address but am back on the list, which affects my email deliverability.

I have spent all morning trying to use Wireshark to sniff the traffic on my entire network looking for the workstation that is communicating with the external ip address that they have identified the information is being sent to, although in this case it is a sinkhole.

I have tried multiple filters and command strings but nothing seems to be working the way I envisioned it would.

Does anyone know where there might be a step-by-step guide for what I am attempting to do?

I am in school for IT and have years of experience on computers. The common homeowner would be bald by now.

Thanks

PS - I am using a Mac and wonder if this program would work better on a PC?

asked 26 Sep '13, 09:46

billwynne's gravatar image

billwynne
11113
accept rate: 0%

edited 26 Sep '13, 09:48


My home ip address is blacklisted on http://cbl.abuseat.org/lookup.cgi?ip=63.142.130.18&.pubmit=Lookup

hm.. they tell you pretty clearly what to look for.

Cite:

Behind a NAT, you should be able to find the infected machine by looking for attempted connections to IP address 87.255.51.229 or host name benznflvsgttdydqdguwcem.info on any port with a network sniffer such as wireshark. Equivalently, you can examine your DNS server or proxy server logs to references to 87.255.51.229 or benznflvsgttdydqdguwcem.info. See Advanced Techniques for more detail on how to use wireshark - ignore the references to port 25/SMTP traffic - the identifying activity is NOT on port 25. 

That's not a guarantee to find the machine, as it may have switched to a different C&C server, but did you try all that?

Regards
Kurt

permanent link

answered 26 Sep '13, 10:35

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 26 Sep '13, 10:37

Hi Kurt, Thanks for taking the time to share. I have run Wireshark to view all the network traffic and then looked for that ip address and port but it did not show up at all. I have all the workstations running so I could bust the culprit. I am not sure that I am using WireShark the right way to do this.

It is a technical piece of software and I was hoping for a step-by-step guide on how to perform a task like what I am trying to do.

Thanks

(26 Sep '13, 10:49) billwynne

I am not sure that I am using WireShark the right way to do this.

O.K. where did you run Wireshark? On your local PC? If so, you will not see the whole network traffic unless you've taken the appropriate steps.

http://wiki.wireshark.org/CaptureSetup/Ethernet

Please check that.

I have run Wireshark to view all the network traffic and then looked for that ip address and port but it did not show up at all.

O.K. if your capture setup is done right (see above) and you still don't find that IP address, you could look for 'strange' DNS names. Trojans often use random domain names for their C&C servers (like the one mentioned: benznflvsgttdydqdguwcem.info). So, please capture the whole DNS traffic and then filter for DNS requests.

Display filter:

dns.qry.name

Try to find strange looking names like the one above.

(26 Sep '13, 11:18) Kurt Knochner ♦

To filter on traffic to and from the sink hole, enter the following display filter: ip.addr==87.255.51.229

Assuming, as is likely, that you're on a switched network, the problem may be that you're not seeing the traffic from the infected machine. See this page of the Wireshark Wiki for a discussion of how to capture traffic on a switched Ethernet network.

permanent link

answered 26 Sep '13, 10:50

Jim%20Aragon's gravatar image

Jim Aragon
7.2k733118
accept rate: 24%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×1,620
×6
×1
×1
×1

question asked: 26 Sep '13, 09:46

question was seen: 15,702 times

last updated: 26 Sep '13, 11:18

p​o​w​e​r​e​d by O​S​Q​A