I searched the internet for tutorials on how to analyze and detect a virus on the network using Wireshark. I installed a Win7 VM, began capturing packets and then activated the malware. After 30 seconds, a lot of packets with information like this began to appear in Wireshark:
This left a positive impression on me, because I was sure that the malware was activated. However, I would like to know what the info above, "Standard query...", means. What does Wireshark want to say with information such as "Standard query response 0x4499 No such name"? That it couldn't establish a connection with that fake DNS?
Also, please check the PCAP file below; I would like to draw some more info about this malware, since I'm doing a task. Here is the PCAP file from the analysis: PCAP File
asked 27 Jan '14, 07:18
edited 27 Jan '14, 08:02
Those DNS queries are (most certainly) an attempt to find the malware control server using DNS fast-flux. The only positive answer is for the IP (126.96.36.199) - see several DNS queries like this one
Then the malware is connecting to that IP via HTTP
Click on one of those frames and select "Follow TCP Stream" to see what gets loaded. If you google for 'typical' strings found in the HTTP conversation (like: turing_cluster_prod), you'll get more information. Of course this is just a first step ;-)
answered 27 Jan '14, 08:18
Kurt Knochner ♦
edited 27 Jan '14, 08:22
Looks like a Zeus infection to me. What happens is that the Zeus trojan has an algorithm to calculate seemingly random domain names, which the bad guys preregister to run the command & control servers on.
Of course most of them are not active, because they have to move from domain to domain all the time to avoid being caught. When a domain is not registered you get a "No Such Name" from the DNS servers. It's not a fake DNS - DNS is working fine. It's just that the names the trojan calculated are unknown to the DNS system at that time.
answered 27 Jan '14, 08:04
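The two answers above describe the same observable pattern from two angles: a burst of lookups for generated names that the resolver answers with RCODE 3 (shown by Wireshark as "No such name", matched by the display filter dns.flags.rcode == 3), with only one or two names resolving to the C&C host. The following is an added example, not code from the original thread or from Wireshark: it parses raw DNS response messages, counts NXDOMAIN answers per host, measures the entropy of the queried labels, and flags the combination as a DGA-style beacon search. The sample traffic, the domain names and the thresholds are constructed for illustration and are not taken from the poster's PCAP.

```python
"""Heuristic DGA / NXDOMAIN-burst detector over raw DNS responses.

Added example, not from the original thread. The sample messages below are
constructed to mimic what the answers describe: many lookups for generated
names answered with RCODE 3 ("No such name"), plus one that resolves.
"""
import math
import struct
from collections import Counter

NXDOMAIN = 3  # DNS RCODE 3; Wireshark renders it as "No such name"


def build_dns_response(txid, qname, rcode, answers=0):
    """Build a minimal DNS response: 12-byte header plus one question.

    Only used to construct sample input; in practice the message is the UDP
    payload of a port-53 packet. The answer count is set in the header only;
    no resource-record bodies are appended, and the parser never reads them.
    """
    flags = 0x8180 | (rcode & 0xF)  # QR=1, RD=1, RA=1, RCODE in the low nibble
    header = struct.pack("!HHHHHH", txid, flags, 1, answers, 0, 0)
    qname_wire = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                          for lbl in qname.rstrip(".").split(".")) + b"\x00"
    return header + qname_wire + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def parse_dns_response(msg):
    """Decode the header and the first question of a DNS response.

    Returns transaction id, rcode, qname and answer count. Compression
    pointers cannot legally occur in the first QNAME, so they are rejected.
    """
    if len(msg) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR=0)")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, off = [], 12
    while True:
        if off >= len(msg):
            raise ValueError("truncated QNAME")
        length = msg[off]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("unexpected label compression in question")
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return {"id": txid, "rcode": flags & 0xF,
            "qname": ".".join(labels), "answers": ancount}


def label_entropy(qname):
    """Shannon entropy (bits per character) of the leftmost label.

    Algorithmically generated labels tend to score higher than dictionary
    words or brand names, which is why it is combined with the NXDOMAIN ratio.
    """
    label = qname.split(".")[0]
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def score_dns_responses(messages, nx_ratio_threshold=0.8,
                        entropy_threshold=3.0, min_queries=5):
    """Flag one host's DNS responses as a DGA-style beacon search.

    Thresholds are illustrative assumptions, not tuned values: mostly-NXDOMAIN
    answers for many distinct, high-entropy names is the signal; the few names
    that did resolve are returned so the analyst can pivot to the HTTP traffic.
    """
    parsed = [parse_dns_response(m) for m in messages]
    names = {p["qname"] for p in parsed}
    nx = sum(1 for p in parsed if p["rcode"] == NXDOMAIN)
    resolved = sorted(p["qname"] for p in parsed
                      if p["rcode"] == 0 and p["answers"] > 0)
    nx_ratio = nx / len(parsed) if parsed else 0.0
    mean_entropy = (sum(label_entropy(n) for n in names) / len(names)
                    if names else 0.0)
    flagged = (len(parsed) >= min_queries
               and nx_ratio >= nx_ratio_threshold
               and mean_entropy >= entropy_threshold)
    return {"total": len(parsed), "nxdomain": nx, "nx_ratio": nx_ratio,
            "mean_entropy": mean_entropy, "resolved": resolved,
            "flagged": flagged}


# Constructed sample traffic (hypothetical names, not from the poster's capture).
DGA_LIKE = ["kwhvzmbdtcplrxq.com", "ptzjgqwmfybxnru.net", "qxvlmzrhgbtyw.org",
            "dfwpxmzkqhvtjb.info", "zrtqmhbvlkxw.biz", "mxqzvbhtrkwpl.com",
            "yvkqtrzmxbwhj.net", "lpzxqvmktrhw.org", "hrtqzvmxkpbw.com"]
BENIGN = ["www.google.com", "ask.wireshark.org", "windowsupdate.microsoft.com"]

SAMPLE_INFECTED = (
    [build_dns_response(0x4499 + i, n, NXDOMAIN) for i, n in enumerate(DGA_LIKE)]
    + [build_dns_response(0x5000, "tdvqzmkrxhwb.com", 0, answers=1)])
SAMPLE_BENIGN = [build_dns_response(0x1000 + i, n, 0, answers=1)
                 for i, n in enumerate(BENIGN)]

if __name__ == "__main__":
    for label, sample in (("infected", SAMPLE_INFECTED), ("benign", SAMPLE_BENIGN)):
        print(label, score_dns_responses(sample))
```

The one resolved name in the flagged result is the pivot point: in Wireshark, filter on that IP and use "Follow TCP Stream" on the HTTP conversation, as the first answer suggests. Treat the score as a triage hint rather than a verdict: some legitimate software also emits short bursts of random-looking NXDOMAIN lookups (Chromium probes a few random hostnames at startup to detect DNS hijacking), so confirm with the follow-up HTTP traffic before calling it an infection.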