Hello, I searched the internet for tutorials on how to analyze and detect a virus on the network using Wireshark. I installed a Win7 VM, began to capture packets and then activated the malware. After 30 seconds, a lot of packets began to appear in Wireshark with information like
That left a positive impression on me, because I was sure that the malware was activated. However, I would like to know what this info above means, "Standard query...": what does Wireshark want to say with information such as "Standard query response 0x4499 No such name"? That it couldn't establish a connection with that fake DNS? However, please check the pcap file below; I would like to draw some more info about this malware, since I'm doing a task. Here is a PCAP file of the analysis. PCAP File

asked 27 Jan '14, 07:18 Espen, edited 27 Jan '14, 08:02
2 Answers:
Those DNS queries are (most certainly) the attempt to find the malware control server using DNS fast flux. The only positive answer is for the IP (208.73.211.66) - see several DNS queries like this one
Then the malware connects to that IP via HTTP
Click on one of those frames and select "Follow TCP Stream" to see what gets loaded. If you google for 'typical' strings found in the HTTP conversation (like turing_cluster_prod), you'll get more information. Of course this is just a first step ;-) Regards

answered 27 Jan '14, 08:18 Kurt Knochner ♦, edited 27 Jan '14, 08:22
Looks like a Zeus infection to me. What happens is that the Zeus trojan has an algorithm to calculate seemingly random domain names, which the bad guys preregister to run the command & control servers on. Of course most of them are not active, because they have to move from domain to domain all the time to avoid being caught. When a domain is not registered you get a "No Such Name" from the DNS servers. It's not a fake DNS, DNS is working fine. It's just that the names the trojan calculated are unknown to the DNS system at that time.

answered 27 Jan '14, 08:04 Jasper ♦♦

Yes, you're correct! I've read somewhere that it could be a Zeus. However, when I did a scan with VirusTotal, it appears to also be a trojan.zbot: https://www.virustotal.com/sr/file/0e5a6248d05d94363942ff01409fd7ce9fd6c7e8d18e9d513b4e085c37cd3c79/analysis/1390819629/ However, could you please take a look at my pcap file and tell me if there's something more interesting that I could look at in those packets and describe? Or, if you think this is a really bad sample of malware, could you tell me where I can find some malware that does more, like a type of malware which downloads some data? I'm pretty new to Wireshark as well. Thanks! (27 Jan '14, 08:14) Espen

zbot is another name for "Zeus Bot" if I am not mistaken ;-) See Kurt's answer on how to find more interesting stuff. Basically what you do is look for DNS answers that are not "No Such Name" and then filter for the corresponding communication that includes the IP from the successful answer. It will contain a callback and the downloaded malware or command sequence from the C&C servers. (27 Jan '14, 08:22) Jasper ♦♦

Thanks for the info!
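The triage that Kurt's answer and Jasper's last comment describe (separate the "No such name" responses from the one answer that actually resolved, then pivot to the traffic involving that IP) can be scripted when you want to do it on many captures. The following is an added example and not code from this thread or from Wireshark: a minimal pure-Python DNS response parser run over constructed response messages. The domain names in the sample are made up, while the 208.73.211.66 address and the 0x4499 transaction id are the ones mentioned in the thread. "No such name" is how Wireshark labels DNS RCODE 3 (NXDOMAIN); the hex value after "Standard query response" is the transaction id that pairs a response with its query.

```python
import struct
from collections import Counter

NXDOMAIN = 3  # DNS RCODE 3; Wireshark shows it as "No such name"


def encode_name(name):
    """Encode a dotted name into DNS label format (used only to build samples)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid, qname, rcode, answers=()):
    """Build a DNS response to a single A query. Constructed sample data only."""
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1, plus the response code
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rrs = b""
    for ip in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        # 0xC00C is a compression pointer back to the question name at offset 12
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + rrs


def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Parse header, question and A-record answers of one DNS response."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    qname, off = decode_name(msg, 12)
    off += 4  # skip QTYPE and QCLASS
    a_records = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            a_records.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"id": txid, "qname": qname, "rcode": rcode, "a": a_records}


def triage(responses):
    """Split responses into NXDOMAIN noise and the answers that resolved."""
    parsed = [parse_response(r) for r in responses]
    nx = [p for p in parsed if p["rcode"] == NXDOMAIN]
    resolved = [p for p in parsed if p["rcode"] == 0 and p["a"]]
    ips = Counter(ip for p in resolved for ip in p["a"])
    return {
        "total": len(parsed),
        "nxdomain": len(nx),
        "nxdomain_ratio": len(nx) / len(parsed) if parsed else 0.0,
        "resolved_ips": ips,
    }


def follow_up_filter(ip):
    """Wireshark display filter for the pivot Kurt suggests: traffic to that IP."""
    return f"ip.addr == {ip} && http"


# Constructed sample: five unregistered-looking names plus one that resolved.
SAMPLE_RESPONSES = [
    build_response(0x4499, "kq3vz8dhb1.example", NXDOMAIN),
    build_response(0x4500, "zx91pqlmwe.example", NXDOMAIN),
    build_response(0x4501, "bn7tyuio2k.example", NXDOMAIN),
    build_response(0x4502, "wq4ergnmz8.example", NXDOMAIN),
    build_response(0x4503, "ty6uhjk9lo.example", NXDOMAIN),
    build_response(0x4504, "resolved-name.example", 0, ["208.73.211.66"]),
]

if __name__ == "__main__":
    result = triage(SAMPLE_RESPONSES)
    print(f"{result['nxdomain']}/{result['total']} responses were NXDOMAIN")
    for ip, count in result["resolved_ips"].items():
        print(f"resolved to {ip} ({count}x): {follow_up_filter(ip)}")
```

A high share of NXDOMAIN answers in a short window is the signature of the domain-generation behaviour Jasper describes; the IP from the one successful answer is what you pivot on. In Wireshark itself the equivalent steps are the display filter `dns.flags.response == 1 && dns.flags.rcode != 3` to list the answers that resolved, then `ip.addr == 208.73.211.66 && http` and "Follow TCP Stream" on one of those frames.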