Hi, I have been informed of a Kovter infection here at work, but I'm struggling to track it down. I have the following information:
I tried filter by port:
But nothing shows up. Can anyone suggest something else to track this down? Thanks in advance. EDIT: I did find this site that goes into detail about this infection, but alas... I'm not 100% sure where to start with Wireshark. asked 29 Jan '15, 03:22 F2000 edited 29 Jan '15, 08:04
2 Answers:
I'm not familiar with this malware, but based on the link you provided, you may want to try editing/adding a coloring rule (or rules) for some extensions that might be in use, such as: .exe .pl .py .pw .biz E.g. frame matches ".(?i)exe" answered 30 Jan '15, 16:35 Qwert
First, it seems that they either updated their analysis, or I didn't read it well enough the first time (more likely the latter). The .py/.pl extensions are not relevant (so my apologies on the misinformation). With regard to the coloring rule, I like 'frame matches' because the protocol needs to be recognized as http in order for an 'http' coloring rule to find a match. That being said, an http-specific rule may work just fine, so the syntax of the rule here may be a non-issue in that one respect. In addition to 'final9a.biz,' it looks like the following names should also be looked for:
a16-car.biz
resolveasy.com
a16-kite.pw (I think this is a locally run request on an infected host, so this may not show up in traffic)
Also... 'resolveasy.com' doesn't resolve but resolveeasy.com does. Both domains are registered, but only the latter currently has a DNS record. Regardless, rules for both will cover those bases. HTH answered 05 Feb '15, 13:30 Qwert
Qwert
First, thank you for replying, and sorry it's taken so long for me to reply. I had given up hope. Sorry to bug you again, but would ".(?i)biz" be enough... or any of the following?
http.request.uri matches ".(?i)biz"
http contains "final9a.biz"
Thanks again, really appreciate you taking time to reply.
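The thread leaves open how much a loose rule like ".(?i)biz" over-matches compared with a rule built from the domain names Qwert listed. The following is an added example (not from any poster): it builds an anchored, case-insensitive pattern from those domains, emits the equivalent Wireshark display filter over the `dns.qry.name` and `http.host` fields, and runs both the loose and the anchored pattern over a constructed list of host names to show the difference. The domain list is exactly the one in the thread; the sample hosts and the helper names are assumptions made here.

```python
import re

# Indicator domains named in this thread; nothing else is added here.
KOVTER_DOMAINS = [
    "final9a.biz", "a16-car.biz", "resolveasy.com", "resolveeasy.com", "a16-kite.pw",
]

def literal_dot(domain):
    # A character class for the dot avoids backslashes, so the same regex can be
    # pasted verbatim into a double-quoted Wireshark filter string.
    return domain.replace(".", "[.]")

def build_regex(domains):
    # Anchored: the host must be one of the domains or a subdomain of it.
    # (?i) is the same case-insensitivity flag the thread's rules use.
    alts = "|".join(literal_dot(d) for d in domains)
    return "(?i)(^|[.])(" + alts + ")$"

def wireshark_filter(domains):
    # Display filter covering both the DNS lookup and the HTTP Host header
    # (dns.qry.name and http.host are standard Wireshark field names).
    regex = build_regex(domains)
    return 'dns.qry.name matches "%s" || http.host matches "%s"' % (regex, regex)

# Constructed sample of host names as they would appear in dns.qry.name / http.host.
SAMPLE_HOSTS = [
    "final9a.biz",            # indicator, exact
    "www.a16-car.biz",        # indicator, as a subdomain
    "cdn.resolveeasy.com",    # indicator, as a subdomain
    "A16-KITE.PW",            # indicator, different case
    "www.example.biz",        # unrelated .biz site
    "showbiz.example.com",    # "biz" inside a longer label
    "intranet.example.com",   # unrelated
]

def hits(pattern, hosts):
    # Return the hosts the pattern matches anywhere, like Wireshark's "matches".
    rx = re.compile(pattern)
    return [h for h in hosts if rx.search(h)]

# The thread's loose rule ".(?i)biz"; Python wants the flag at the start, but the
# meaning is unchanged: any single character followed by "biz", anywhere in the host.
LOOSE = "(?i).biz"
STRICT = build_regex(KOVTER_DOMAINS)

if __name__ == "__main__":
    print("filter:     ", wireshark_filter(KOVTER_DOMAINS))
    print("loose hits: ", hits(LOOSE, SAMPLE_HOSTS))
    print("strict hits:", hits(STRICT, SAMPLE_HOSTS))
```

The loose rule flags two unrelated hosts and misses the .com and .pw indicators, while the anchored filter catches all four indicator hosts regardless of case or subdomain prefix.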