
I took a malware sample to analyze with Wireshark. This malware is a Zeus bot. So I was taking a look at this UDP stream; why didn't it give me some clearer information? Here you can download a PCAP file


asked 02 Feb '14, 05:04


Espen

edited 02 Feb '14, 05:05


That's because those UDP packets just do not contain human-readable ASCII information. It may be a binary format, or just be packed, encrypted, or both, so it has quite a high entropy and cannot be read as normal text. You could track down the Zeus guys and complain to them that they should do their stuff in an easily readable way, but I doubt they'll listen (even if you could find them) - they do not WANT you to find out what they're doing.

BTW, I'm not entirely sure if those UDP packets are the Zeus stuff after all. Yes, there is Zeus communication in your trace, but it communicates via TCP starting in frame 347, which you can (mostly) read by doing "Follow TCP stream". The UDP stuff you mention could be something else entirely and not be related to Zeus.


answered 02 Feb '14, 05:14


Jasper ♦♦
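The answer's point is that a payload with high entropy and few printable bytes is not going to read as text, whatever the protocol. Here is an added example (not code from the question, the answer, or Wireshark) that triages a payload by Shannon entropy and printable ratio; the sample payloads and the classification thresholds are constructed assumptions, not values from the capture in the question.

```python
import hashlib
import math
from collections import Counter

# Bytes we treat as "readable": printable ASCII plus tab, LF and CR.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that would render as text in a stream view."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def classify_payload(data: bytes) -> str:
    """Rough triage: 'text', 'binary', or 'high-entropy' (packed/encrypted/compressed).

    Entropy is capped by log2(len): a 64-byte payload can never exceed 6 bits/byte,
    so we compare against the maximum achievable for this length. Thresholds are
    assumed heuristics, not a standard.
    """
    if not data:
        return "binary"
    h = shannon_entropy(data)
    max_possible = min(8.0, math.log2(len(data))) or 1.0
    if printable_ratio(data) >= 0.95 and h / max_possible < 0.85:
        return "text"
    if h / max_possible >= 0.9:
        return "high-entropy"
    return "binary"


# Constructed sample payloads (not taken from any real capture).
TEXT_PAYLOAD = (b"GET /config.bin HTTP/1.1\r\nHost: example.invalid\r\n"
                b"User-Agent: Mozilla/4.0\r\nConnection: close\r\n\r\n")
# Chained SHA-256 digests stand in for an encrypted/packed blob (1024 bytes).
HIGH_ENTROPY_PAYLOAD = b"".join(
    hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(32))

if __name__ == "__main__":
    for name, data in (("text", TEXT_PAYLOAD), ("blob", HIGH_ENTROPY_PAYLOAD)):
        print(f"{name}: entropy={shannon_entropy(data):.2f} bits/byte, "
              f"printable={printable_ratio(data):.2f} -> {classify_payload(data)}")
```

Payload bytes exported from Wireshark (for example via a "Follow UDP stream" save or a hex export) can be fed to classify_payload the same way; a high-entropy verdict is the signal to stop looking for readable strings and start looking at the protocol framing instead.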
