
Kovter infection, can anybody help me track it down?


Hi

I have been informed of a Kovter infection here at work, but I'm struggling to track it down. I have the following information:

2015-01-27 08:40:09

ip OUREXTERNALIP

port 43533

hostname mail.OURDOMAIN

infection Kovter

url /w1/form.php

cc_asn 1101

cc_dns final9a.biz

I tried filter by port:

tcp.port eq 43533

But nothing shows up. Can any suggest something else to track this down?

Thanks in advance

EDIT: I did find this site that goes into detail about this infection, but alas...I'm not 100% sure where to start with Wireshark.

http://www.cyphort.com/kovter-ad-fraud-trojan/

asked 29 Jan '15, 03:22


F2000

edited 29 Jan '15, 08:04


2 Answers:


I'm not familiar with this malware, but based on the link you provided, you may want to try editing/adding a coloring rule(s) for some extensions that might be in use, such as: .exe .pl .py .pw .biz

E.g. frame matches ".(?i)exe"

answered 30 Jan '15, 16:35


Qwert

Qwert

First, thank you for replying and sorry it's taken so long for me to reply. I had given up hope. Sorry to bug you again, but would ".(?i)biz" be enough...or any of the following?

http.request.uri matches ".(?i)biz"

http contains "final9a.biz"

Thanks again, really appreciate you taking time to reply.

(05 Feb '15, 07:40) F2000


First, it seems that they either updated their analysis, or I didn't read it well enough the first time (more likely the latter). The .py/.pl extensions are not relevant (so my apologies on the misinformation).

With regard to the coloring rule, I like 'frame matches' because the protocol needs to be recognized as http in order for an 'http' coloring rule to find a match. That being said, an http-specific rule may work just fine, so the syntax of the rule here may be a non-issue in that one respect.

In addition to 'final9a.biz,' it looks like the following names should also be looked for:

a16-car.biz

resolveasy.com

a16-kite.pw (I think this is a locally run request on an infected host, so this may not show up in traffic)

Also ... 'resolveasy.com' doesn't resolve but resolveeasy.com does. Both domains are registered, but only the latter currently has a DNS record. Regardless, rules for both will cover those bases.

HTH

answered 05 Feb '15, 13:30


Qwert
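As an added example that is not part of the thread or of the linked analysis: a small Python script that emulates Wireshark's `frame matches` over constructed sample payloads carrying the indicators quoted above, and emits the equivalent coloring-rule expression. The DNS name encoder and the sample frames are constructed for this illustration; it also shows that an escaped `\.` will not hit a domain inside a DNS query, where dots are replaced by label-length bytes, while the thread's unescaped `.` does.

```python
import re

# Indicators quoted in the thread above (domains and the reported URI path).
# Constructed sample list for this example; not a complete Kovter indicator list.
DOMAINS = ["final9a.biz", "a16-car.biz", "resolveasy.com", "resolveeasy.com", "a16-kite.pw"]
URI_PATH = "/w1/form.php"

def dns_wire_name(name):
    """Encode a DNS name as it appears on the wire: length-prefixed labels, no dots."""
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"

# Constructed sample frame payloads: an HTTP POST to the reported path, a DNS query
# for a listed domain, and a benign request that must not match.
SAMPLE_FRAMES = [
    b"POST /w1/form.php HTTP/1.1\r\nHost: FINAL9A.biz\r\nContent-Length: 0\r\n\r\n",
    b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + dns_wire_name("a16-car.biz") + b"\x00\x01\x00\x01",
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
]

def indicator_patterns(escape_dots):
    """(label, regex) pairs. With escape_dots=False the '.' is a wildcard, as in the
    thread's rules; that is what lets the pattern hit the label-length byte in DNS names."""
    items = DOMAINS + [URI_PATH]
    return [(s, s.replace(".", r"\.") if escape_dots else s) for s in items]

def frame_matches(frame, pattern):
    """Emulate Wireshark's `frame matches "(?i)..."`: regex search over the raw frame bytes."""
    return re.search(pattern.encode(), frame, re.IGNORECASE) is not None

def scan_frames(frames, escape_dots=True):
    """Map frame index -> indicators that hit, for frames matching at least one."""
    hits = {}
    for i, frame in enumerate(frames):
        matched = [lbl for lbl, pat in indicator_patterns(escape_dots) if frame_matches(frame, pat)]
        if matched:
            hits[i] = matched
    return hits

def wireshark_filter(escape_dots=True):
    """Equivalent display-filter / coloring-rule text. Wireshark string literals accept
    C-style escapes, so a regex backslash is written as a doubled backslash."""
    return " || ".join('frame matches "(?i)%s"' % pat.replace("\\", "\\\\")
                       for _, pat in indicator_patterns(escape_dots))

if __name__ == "__main__":
    print(wireshark_filter())
    print(scan_frames(SAMPLE_FRAMES), scan_frames(SAMPLE_FRAMES, False))
```

Paste the printed expression into Wireshark's coloring rule or display filter field; the DNS case means the unescaped form is the one that also flags lookups of the listed names.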