This is a static archive of our old Q&A Site. Please post any new questions and answers at

info about this UDP stream


I took a sample malware to analyze with a wireshark. This malware is a Zeus Bot. So I was taking a look at this UDP stream, why it didn't give me some more clear information? Here you can download a PCAP file

alt text

asked 02 Feb '14, 05:04

Espen's gravatar image

accept rate: 0%

edited 02 Feb '14, 05:05

One Answer:


Thats because those UDP packets just do not contain human readable ASCII information. It may be a binary format, or just be packed, encrypted, or both, so it has a quite high entropy and cannot be read just as a normal text. You could track down the Zeus guys and complain to them that they should do their stuff in an easily readable way, but I doubt they'll listen (even if you could find them) - they do not WANT you to find out what they're doing.

BTW, I'm not entirely sure if those UDP packets are the Zeus stuff after all by the way. Yes, there is Zeus communication in your trace, but it communicates via TCP starting in frame 347, which you can (mostly) read by doing "Follow TCP stream". The UDP stuff you mention could be something else entirely and not be related to Zeus.

answered 02 Feb '14, 05:14

Jasper's gravatar image

Jasper ♦♦
accept rate: 18%