
Hi

I have been informed of a Kovter infection here at work, but I'm struggling to track it down. I have the following information:

2015-01-27 08:40:09
ip        OUREXTERNALIP
port      43533
hostname  mail.OURDOMAIN
infection Kovter
url       /w1/form.php
cc_asn    1101
cc_dns    final9a.biz

I tried filtering by port:

tcp.port eq 43533

But nothing shows up. Can anyone suggest something else to track this down?

Thanks in advance

EDIT: I did find this site that goes into detail about this infection, but alas... I'm not 100% sure where to start with Wireshark.

http://www.cyphort.com/kovter-ad-fraud-trojan/

asked 29 Jan '15, 03:22 by F2000

edited 29 Jan '15, 08:04


I'm not familiar with this malware, but based on the link you provided, you may want to try editing or adding coloring rule(s) for some extensions that might be in use, such as: .exe .pl .py .pw .biz

E.g. frame matches ".(?i)exe"

answered 30 Jan '15, 16:35 by Qwert

Qwert

First, thank you for replying and sorry it's taken so long for me to reply. I had given up hope. Sorry to bug you again, but would ".(?i)biz" be enough... or any of the following?

http.request.uri matches ".(?i)biz"

http contains "final9a.biz"

Thanks again, really appreciate you taking time to reply.

(05 Feb '15, 07:40) F2000

First, it seems that they either updated their analysis, or I didn't read it well enough the first time (more likely the latter). The .py/.pl extensions are not relevant (so my apologies for the misinformation).

With regard to the coloring rule, I like 'frame matches' because the protocol needs to be recognized as http in order for an 'http' coloring rule to find a match. That being said, an http-specific rule may work just fine so the syntax of the rule here may be a non-issue in that one respect.

In addition to 'final9a.biz,' it looks like the following names should also be looked for:

a16-car.biz
resolveasy.com
a16-kite.pw (I think this is a locally run request on an infected host, so this may not show up in traffic)

Also ... 'resolveasy.com' doesn't resolve but resolveeasy.com does. Both domains are registered, but only the latter currently has a DNS record. Regardless, rules for both will cover those bases.

HTH

answered 05 Feb '15, 13:30 by Qwert
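The two answers above suggest hunting by filename extension and by the C2 domain names. The script below is an added example, not code from the thread or from Wireshark: it builds one display filter from the indicators named on this page (the cc_dns and url from the report, the domains listed in the second answer, the extensions kept after the second answer dropped .py/.pl), checks the domains in the places they appear on the wire (DNS query, HTTP Host header, TLS SNI), escapes the dot that ".(?i)exe" leaves as a wildcard, writes the result as a colorfilters line, and runs it through tshark when a capture path is given. The field name `tls.handshake.extensions_server_name` is the Wireshark 3.x name (it was `ssl.*` in the 2015 version); `capture.pcap`, the rule name "Kovter C2" and the red/white colours are placeholders I chose.

```python
"""Build a Wireshark display filter and colouring rule for the Kovter indicators
discussed in this thread, and optionally run the filter with tshark."""
import os
import re
import shutil
import subprocess
import sys

# Indicators from the question (cc_dns, url) and the second answer.
KOVTER_DOMAINS = ["final9a.biz", "a16-car.biz", "resolveasy.com",
                  "resolveeasy.com", "a16-kite.pw"]
KOVTER_URIS = ["/w1/form.php"]
# Extensions from the first answer, minus .py/.pl which the second answer withdrew.
SUSPICIOUS_EXTENSIONS = ["exe", "pw", "biz"]
# Fields a C2 domain shows up in: the DNS lookup, the HTTP Host header and the
# TLS SNI (tls.* since Wireshark 3.0; the 2015 versions called it ssl.*).
DOMAIN_FIELDS = ("dns.qry.name", "http.host", "tls.handshake.extensions_server_name")


def df_string(s):
    """Quote a literal for a display-filter string: backslash and double quote are
    the characters with special meaning inside "..." and must be escaped."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def domain_filter(domains=KOVTER_DOMAINS):
    # `contains` is a literal, case-sensitive substring test: no regex escaping needed.
    return " || ".join(f"{field} contains {df_string(d)}"
                       for d in domains for field in DOMAIN_FIELDS)


def uri_filter(uris=KOVTER_URIS):
    return " || ".join(f"http.request.uri contains {df_string(u)}" for u in uris)


def extension_regex(exts=SUSPICIOUS_EXTENSIONS):
    """PCRE for a filename extension at the end of a path segment.

    In ".(?i)exe" the unescaped dot matches any byte, so "xexe" hits as well as
    "a.exe"; re.escape() makes the dot literal, and the lookahead stops "exe"
    from also matching "exe2". (?i) is written out rather than relying on the
    default case handling of whichever Wireshark version is installed.
    """
    alts = "|".join(re.escape(e) for e in exts)
    return rf"(?i)\.({alts})(?![A-Za-z0-9])"


def uri_has_suspicious_extension(uri, exts=SUSPICIOUS_EXTENSIONS):
    """Apply the same regex locally to sanity-check it before loading it into Wireshark."""
    return re.search(extension_regex(exts), uri) is not None


def extension_filter(exts=SUSPICIOUS_EXTENSIONS):
    # Inside a display-filter string a backslash must itself be escaped, so the
    # regex's "\." becomes "\\." (as in the matches example in wireshark-filter(4)).
    return f"http.request.uri matches {df_string(extension_regex(exts))}"


def kovter_filter():
    """Single display filter covering domains, the report's URI and the extensions."""
    return " || ".join(f"({f})" for f in (domain_filter(), uri_filter(), extension_filter()))


def colorfilter_line(name, display_filter, bg=(65535, 0, 0), fg=(65535, 65535, 65535)):
    """One line in the colorfilters file format used by Wireshark:
    @name@filter@[bg r,g,b][fg r,g,b], colour components being 16-bit."""
    def rgb(c):
        return "[" + ",".join(str(x) for x in c) + "]"
    return f"@{name}@{display_filter}@{rgb(bg)}{rgb(fg)}"


def run_tshark(pcap, display_filter):
    """Return the frames matching display_filter as tab-separated field lines.
    Returns [] when tshark is not installed or the capture does not exist."""
    tshark = shutil.which("tshark")
    if tshark is None or not os.path.isfile(pcap):
        return []
    proc = subprocess.run(
        [tshark, "-r", pcap, "-Y", display_filter, "-T", "fields",
         "-e", "frame.number", "-e", "ip.src", "-e", "dns.qry.name",
         "-e", "http.host", "-e", "http.request.uri"],
        capture_output=True, text=True, check=True)
    return [line for line in proc.stdout.splitlines() if line.strip()]


if __name__ == "__main__":
    print(kovter_filter())
    print(colorfilter_line("Kovter C2", kovter_filter()))   # "Kovter C2" is a placeholder name
    pcap = sys.argv[1] if len(sys.argv) > 1 else "capture.pcap"  # placeholder path
    for line in run_tshark(pcap, kovter_filter()):
        print(line)
```

Paste the first printed line into the Wireshark filter bar, or append the second line to the colorfilters file in the Wireshark profile directory and reload the colouring rules; the tshark run does the same search non-interactively over a saved capture.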
