This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello ,

I searched on the internet tutorials, on how to analyze and detect the virus on the network using Wireshark . I installed Win7 VM, began to catch packets and then activated malware. After 30 seconds, in the wireshark begin to appear a lot of the packages with informations like

122 ... Standard query 0xd235 A pjplrhpfdeivctxokvxwozcyo.info
123 ... Standard query response 0xd235 No such name
...
392 ... Standard query 0x4499 A orlvpygqlzfeofuhuwkinlfmexw.info
393 ... Standard query response 0x4499 No such name
...

Which is left on me a positive impression, because I was sure that a malware is activated. However, I would like to know what this info above means "Standard query...", what does wireshark want to say with information such as "Standard query response 0x4499 No such name" ? - That he couldn't establish connection with that fake dns ?

However, please check the pcap file below, I would like to draw some more info about this malware, since I'm doing a task. Here is a PCAP file of analysis. PCAP File

asked 27 Jan '14, 07:18

Espen's gravatar image

Espen
21226
accept rate: 0%

edited 27 Jan '14, 08:02


Those DNS queries are (most certainly) the attempt to find the malware control server using DNS fast flux. The only positive answer is for the IP (208.73.211.66) - see several DNS queries like this one

frame.number == 146 or frame.number eq 147

Then the malware is connecting to that IP via HTTP

http.request and ip.addr eq 208.73.211.66

Click on one of those frames and select "Follow TCP Stream" to see what gets loaded. If you google for 'typical' strings found in the HTTP conversation (like: turing_cluster_prod), you'll get more information. Of course this is just a first step ;-)

Regards
Kurt

permanent link

answered 27 Jan '14, 08:18

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 27 Jan '14, 08:22

Thanks on info!

(27 Jan '14, 09:14) Espen

Looks like a Zeus infection to me. What happens is that the Zeus trojan has an algorithm to calculate seemingly random domain names, which the bad guys preregister to run the command & control servers on.

Of course most of them are not active, because they have to move from domain to domain all the time to avoid being caught. When a domain is not registered you get a "No Such Name" from the DNS servers. It's not a fake DNS - DNS is working fine. It's just that the names the trojan calculated are unknown to the DNS system at that time.

permanent link

answered 27 Jan '14, 08:04

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

Yes, you're correct! I've read somewhere that it could be a zeus. However, when I did a scan with a virustotal, it appears to be also a trojan.zbot.. https://www.virustotal.com/sr/file/0e5a6248d05d94363942ff01409fd7ce9fd6c7e8d18e9d513b4e085c37cd3c79/analysis/1390819629/ However, could you please take a look at my pcap file, and tell me if there's something more interesting that I could look at those packages and describe. Or if you think this is a really bad sample of malware, could you tell me where can I find some malware that does more, like type of a malware which downloads some data.. I pretty much new to the wireshark as well. Thanks!

(27 Jan '14, 08:14) Espen

zbot is another name for "Zeus Bot" if I am not mistaken ;-)

See Kurts answer on how to find more interesting stuff. Basically what you do is to look for DNS answers that are not "No Such Name" and then filter for the according communication that includes the IP from the successful answer. It will contain a callback and the downloaded malware or command sequence from the C&C servers.

(27 Jan '14, 08:22) Jasper ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×1,620
×100
×27

question asked: 27 Jan '14, 07:18

question was seen: 12,781 times

last updated: 27 Jan '14, 09:14

p​o​w​e​r​e​d by O​S​Q​A