This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Any help to decode an encrypted POST

0

I may have some data loss to Romania. How can I decode what I have managed to capture? Thanks in advance. Please teach me so I can apply this to future captures. And maybe help others.

POST /news/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.30; InfoPath.1; .NET4.0C; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: zsmoupnlyotrokq.info
Content-Length: 292
Connection: Keep-Alive
Cache-Control: no-cache

.y..:……9#.T.'…"…...F...N.....D..W ... ..6..u...)[email protected]=$.#.M....5"..\s.....}@F....0a\..a.ci..rr.2D..GJp..zP..!..oW..u...w.p..XCR...d.^..&wO.t_.^.m... .3.w...a.....13.,Jh86*.AS#G.m.k..t.B../.]o.jOB..T....R...~a.K[9..Ps...|,&../....Q.R?H.k>.."..._[... ]Yu....E.I....M..}..*…

Their response ack the data

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Wed, 06 Apr 2011 22:51:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.6-1+lenny9
Vary: Accept-Encoding
Content-Length: 196

.s….r.~….b2 .*..3…p….…. l.g.[..|.u.U~..W…m…[..kW.g.+.q..F3.9s_.&.8..Bm9…..U…….ip.".d…_……..E…$.. 9= ..7|..G[h.d..[[email protected]~.N.Jp….&..DS..2…x..u… K….B>..c../=..T….

asked 06 Apr ‘11, 14:18

Onebusytech
1334
accept rate: 0%

retagged 09 Apr ‘11, 07:35

packethunter
2.1k71548


One Answer:

1

What you got here is trouble.

The request goes out to the domain zsmoupnlyotrokq.info. At this time the domain does not exist (nslookup returns "non-existent domain").

The most remarkable website abuse.ch also hosts the Zeustracker, a website dedicated to tracking computers infected with the Zeus trojan horse.

As the domain zsmoupnlyotrokq.info does not exist, Zeustracker is currently not reporting it. However, the Google cache for Zeustracker still has the entry:

Zeustracker Screenshot from Google archive

So your trace file shows the encrypted command & control traffic for Zeus.

Alas, decrypting Zeus traffic is not for the faint of heart. Unfortunately, Zeus does not use a single master key. Finding the key for your infection requires a decent amount of reverse engineering. One possible approach is listed in a blog at threadexpert.com.

Depending on your version of Zeus this information could already be outdated.

Good hunting, you have a worthy target! :-)

answered 09 Apr '11, 07:19

packethunter
2.1k71548
accept rate: 8%

edited 09 Apr '11, 07:34
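The asker wanted something reusable for future captures. The answer's reasoning (an opaque POST body with no Content-Type, sent to a host name that looks machine-generated and does not resolve) can be turned into a first-pass triage script. The following is an added example written for this archive page, not code from the answer, from the Wireshark project or from any Zeus analysis; the entropy and vowel-ratio thresholds are illustrative assumptions, and the two sample requests are constructed here (the "opaque" one reuses only the host and path from the question, its body is made-up bytes, not the capture's payload). Feed it the reassembled request bytes that Wireshark's "Follow TCP Stream" gives you; it does not decrypt anything, it only tells you that a body is worth escalating.

```python
"""Triage a raw HTTP request for an opaque (likely encrypted) POST body and
a random-looking hostname. Added example; thresholds are assumptions."""
import math
from collections import Counter

VOWELS = set("aeiou")


def parse_http_request(raw: bytes):
    """Split a raw request into (request_line, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        key = name.strip().lower().decode("ascii", "replace")
        headers[key] = value.strip().decode("ascii", "replace")
    return request_line, headers, body


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum (every byte value equally likely).
    Compressed or encrypted data sits close to the maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 1.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def host_looks_random(host: str) -> bool:
    """Crude heuristic for machine-generated labels: few vowels or a long
    consonant run in the longest DNS label. An assumption, not a classifier."""
    label = max(host.lower().split("."), key=len)
    letters = [c for c in label if c.isalpha()]
    if len(letters) < 8:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    run = longest = 0
    for c in label:
        run = run + 1 if c.isalpha() and c not in VOWELS else 0
        longest = max(longest, run)
    return vowel_ratio < 0.3 or longest >= 4


def assess_request(raw: bytes) -> dict:
    """Collect findings; two or more independent signals -> 'suspicious'."""
    request_line, headers, body = parse_http_request(raw)
    entropy = shannon_entropy(body)
    findings = []
    if body and "content-type" not in headers:
        findings.append("no_content_type")
    if len(body) >= 128 and entropy >= 7.0:      # threshold is an assumption
        findings.append("body_entropy_high")
    if body and printable_ratio(body) < 0.7:
        findings.append("body_binary")
    if host_looks_random(headers.get("host", "")):
        findings.append("host_looks_random")
    verdict = "suspicious" if len(findings) >= 2 else "ok"
    return {"request_line": request_line, "host": headers.get("host", ""),
            "entropy": round(entropy, 3), "findings": findings,
            "verdict": verdict}


def build_request(host: str, path: str, body: bytes,
                  content_type: str = None) -> bytes:
    """Assemble a constructed request with a correct Content-Length."""
    hdrs = [f"POST {path} HTTP/1.1", "Accept: */*", f"Host: {host}",
            f"Content-Length: {len(body)}", "Connection: Keep-Alive",
            "Cache-Control: no-cache"]
    if content_type:
        hdrs.append(f"Content-Type: {content_type}")
    return ("\r\n".join(hdrs) + "\r\n\r\n").encode() + body


# Constructed samples: OPAQUE copies only the host and path from the question;
# its body is every byte value once (max entropy), not the captured payload.
OPAQUE = build_request("zsmoupnlyotrokq.info", "/news/", bytes(range(256)))
BENIGN = build_request("www.example.com", "/login",
                       b"user=alice&action=login&remember=1",
                       "application/x-www-form-urlencoded")

if __name__ == "__main__":
    for name, req in (("opaque", OPAQUE), ("benign", BENIGN)):
        print(name, assess_request(req))
```

Entropy alone is a weak signal (a gzip-compressed upload also scores high), which is why the verdict needs at least two findings; a hit should send you to the DNS and reputation checks the answer describes, not to a conclusion.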

Thanks for your time and assistance in reviewing this for me. I suspected as much. But it does help to strengthen my message that they should take this very seriously. I advised them to inform the user of the risks and possible loss of personal information that could have occurred.

(27 Apr '11, 13:48) Onebusytech

You might want to accept the answer then to get the question off the open questions list ;-)

(27 Apr '11, 14:42) Jasper ♦♦