This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I may have some data loss to Romania. How can I decode what I have managed to capture? Thanks in advance. Please teach me so I can apply this to future captures. And maybe help others.

POST /news/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.30; InfoPath.1; .NET4.0C; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: zsmoupnlyotrokq.info
Content-Length: 292
Connection: Keep-Alive
Cache-Control: no-cache

.y..:......9#.T.'..."...`...F...N.....D..W
... ..6..u...)[email protected]=$.#.M....5"..\s.....}@F....0a\..a.ci..rr.2D..GJp..zP..!..oW..u...w.p..XCR...d.^..&wO.t_.^.m...
.3.w...a.....13.,Jh86*.AS#G.m.k..t.B../.]o.jOB..T....R...~a.K[9..Ps...|,&../....Q.R?H.k>.."..._[... ]Yu....E.I....M.`.}..*...

Their response acks the data:

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Wed, 06 Apr 2011 22:51:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.6-1+lenny9
Vary: Accept-Encoding
Content-Length: 196

.s....r.~....b2
.*..3...p...\.....
l.g.[..|.u.U~..W...m...[..kW.g.+.q..F3.9s_.&.8..Bm9.....U.......ip.".d..._........E...$..
9= ..7|..G[h.d..[[email protected]~.N.Jp....&..DS..2...x..u...
K....B>..c../=..T....

asked 06 Apr '11, 14:18

Onebusytech

retagged 09 Apr '11, 07:35

packethunter


What you got here is trouble.

The request goes out to the domain zsmoupnlyotrokq.info. At this time the domain does not exist (nslookup returns "non-existent domain").

The most remarkable website abuse.ch also hosts the Zeustracker, a website dedicated to tracking computers infected with the Zeus trojan horse.

As the domain zsmoupnlyotrokq.info does not exist Zeustracker is currently not reporting it. However, the google cache for Zeustracker still has the entry:

Zeustracker Screenshot from Google archive

So your trace file shows the encrypted command & control traffic for Zeus.

Alas, decrypting Zeus traffic is not for the faint of heart. Unfortunately, Zeus does not use a single master key. Finding the key for your infection requires a decent amount of reverse engineering. One possible approach is listed in a blog at threadexpert.com.

Depending on your version of Zeus this information could already be outdated.

Good hunting, you have a worthy target! :-)

answered 09 Apr '11, 07:19

packethunter

edited 09 Apr '11, 07:34
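The answer above says the POST body is encrypted C&C traffic and that the key has to come from reverse engineering the sample. The script below is an added example (not code from the question, the answer, or any Zeus analysis) of the triage a practitioner would run once the raw body bytes have been pulled out of the trace: parse the HTTP message, check the body against its Content-Length, measure its entropy to confirm it is not plaintext or gzip, and trial-decrypt it with a list of candidate keys. Everything about the cipher is an assumption: the sample stream is constructed by RC4-encrypting a made-up plaintext under a made-up key (many Zeus builds of that era did use RC4 with a per-build key, but the page does not establish that for this capture), and the candidate keys stand in for whatever the reverse-engineering step actually recovers.

```python
"""
Triage an HTTP POST suspected of carrying encrypted C&C traffic.
Added example, not code from the original question or answer. The HTTP
stream below is CONSTRUCTED: a plaintext is RC4-encrypted under a made-up
key so the key-trial step has something to succeed on. RC4 and the candidate
key list are assumptions for illustration; the page does not state which
cipher or key the captured sample used.
"""
import math


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for random/encrypted data, roughly 4-5 for English text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def parse_http_message(raw: bytes):
    """Split one HTTP message into (start line, lower-cased header dict, body cut at Content-Length)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    length = int(headers.get("content-length", len(rest)))
    return lines[0].decode(), headers, rest[:length]


def triage(raw: bytes, candidate_keys):
    """Extract C&C indicators, measure the body, and trial-decrypt it with candidate RC4 keys."""
    start, headers, body = parse_http_message(raw)
    result = {
        "start_line": start,
        "host": headers.get("host"),
        "user_agent": headers.get("user-agent"),
        "declared_length": int(headers["content-length"]),
        "body_length": len(body),
        "body_entropy": shannon_entropy(body),
        "looks_gzip": body[:2] == b"\x1f\x8b",
        "best_key": None,
        "plaintext": None,
    }
    best = (0.0, None, None)
    for key in candidate_keys:
        candidate = rc4(key, body)
        score = printable_ratio(candidate)
        if score > best[0]:
            best = (score, key, candidate)
    # Only accept a clearly text-like result; random bytes score around 0.4 here.
    # No key passing means none of the candidates fit and the RE step is still needed.
    if best[0] >= 0.95:
        result["best_key"] = best[1]
        result["plaintext"] = best[2]
    return result


# Constructed sample: headers mirror the shape of the captured request, the body is ours.
TRUE_KEY = b"example-per-build-key"  # made up for the demo, not a real Zeus key
PLAINTEXT = (b"bot_id=WINXP-3F2A\r\nos=Windows NT 5.1\r\nversion=2.0.8\r\n"
             b"cmd=report\r\nnote=constructed plaintext for the demo only\r\n")
BODY = rc4(TRUE_KEY, PLAINTEXT)
SAMPLE_REQUEST = (
    b"POST /news/ HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"
    b"Host: zsmoupnlyotrokq.info\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n\r\n" + BODY
)
CANDIDATE_KEYS = [b"wrong-key-1", b"another-guess", TRUE_KEY]  # hypothetical RE output

if __name__ == "__main__":
    for name, value in triage(SAMPLE_REQUEST, CANDIDATE_KEYS).items():
        print(f"{name}: {value!r}")
```

To run this against a real capture, take the bytes from Wireshark's Follow TCP Stream with the display set to Raw and save them to a file, then pass that file's contents in place of SAMPLE_REQUEST; the dot-rendered dump pasted into the question cannot be used because every non-printable byte has already been replaced by a dot. A high body entropy with no gzip magic and no candidate key scoring above the threshold is exactly the situation the answer describes: the indicators (host, path, User-Agent, sizes) are still worth recording, but the content stays opaque until the key is recovered from the sample.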

Thanks for your time and assistance in reviewing this for me. I suspected as much. But it does help to strengthen my message that they should take this very seriously. I advised them to inform the user of the risks and possible loss of personal information that could have occurred.

(27 Apr '11, 13:48) Onebusytech

You might want to accept the answer then to get the question off the open questions list ;-)

(27 Apr '11, 14:42) Jasper ♦♦