This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Botnet HTTP Traffic identified - need help with analyzing pcap


Hello,

We recently had an incident with an internal workstation sending traffic to a known botnet (alarm from our proxy appliance); I pulled the pcap from our Shark appliance and I am trying to analyze why our web proxy would identify this as botnet traffic.

Is there anything suspicious about this communication that stands out that I am possibly missing? To me, it looks like the machine is making a GET request with a long string value to a known IP address that is involved with botnet traffic. I am just trying to take this one step further to better understand these types of events going forward.


asked 14 Mar '15, 09:05

cvs278

edited 14 Mar '15, 09:09


2 Answers:


Well, the GET request is highly unusual, as it has a high entropy and no readable parts at all. It's most likely an encryption of some kind, which isn't likely to happen for a "normal" web page.

Also, the request goes to an IP address, not an FQDN, so there is probably no DNS entry for the resource that is accessed. This is either a very lazy administrator who doesn't care if anyone uses his web page (very unlikely) or someone who doesn't want to risk registering a DNS domain because it could help identify him. Or he just doesn't care because all the site is doing is receiving botnet traffic, so he doesn't have to register it; the botnet clients know the IP address.

On the positive side: IPvoid doesn't blacklist the IP address, and says it's a server in the serverloft.com range: loft7301.serverloft.com. Calling up that server opens a nondescript search form, so there's no way of telling what it is used for.

So, in the end it's hard to say, but the page itself doesn't look that bad. I was too lazy to try and see what your GET request would do, because I don't want to type in all the characters. Also, it should only be done from a system that you can discard afterwards, in case it gets infected (e.g. do it from a VM that you can reset to a snapshot).

answered 15 Mar '15, 09:17

Jasper ♦♦


I did a brief search and found others seeing the same kind of traffic to that server.

The response to the following request is "scrambled/encrypted" as well.

http://188.138.96.202/9J53BCBR8pGOKAgwBHQgrgvztOiAFoO5RHeI+3wdMkoINuo4CdHmf+LBVqYfnFev2MxNCQ1XgJqh0Brltcm70CmTFnwUbI9Leqz0/Gp3fszxClaGSCEjGPfcwQ1ejVM7XFu/rnTLghNBUG4xYxtm+I9qr3Syp/6TkiyRPHKrn6aQ6L2rYp4uUrZYFK3mIh4E/f17pQIxvqeQ6j9ea345IhpaxdcuyDrHiqAkk6ZPxFvzCxXgzt1Tpfm1x/OGk1sAHfpFEj35PDJiW7MM8ktNeVBs

Response:

2eRXb7Mg5t5TlvkZBKEhn4DdCuyA5lfQBg4ZIudvkzuCQurtFbAsf/6+xs0pDq99uUKzYgI/ZZQmuVLiso1EpNCWf/wkJstV35U76OU0KSuDXs1QkshEcBtj9XC1H5BLyfT/oTIuEGmkFesCjWMGvVCwzVGt2ofLReQuZzmJzVt/VXUqodSUbZPGUyjf9xqgUpQCvwO2x4cfH3aFKM/rD8gBklsCCvsib31wu2unjk8fo+OTruVf4oYi7TDsk/aaKhkkKLygK7uLpIKG

Looks like a covert communication channel, being used for whatever. Could be malware or some sort of tunneling proxy. BTW: if you change a single char of the request, you'll get a 404!

Does not look "normal" to me ;-)

Regards
Kurt

answered 19 Mar '15, 14:48

Kurt Knochner ♦

edited 19 Mar '15, 14:51
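Both answers above point at the same three indicators: a URI path with high entropy and no readable parts, a path that looks like raw base64, and a Host that is a bare IP address rather than a name. The script below is an added example (not from the original thread or from Wireshark) that turns those observations into a repeatable check you can run over URLs pulled from a capture. It scores the exact request and response quoted in the second answer and compares them with two constructed benign URLs (example.com and a private address are placeholders, not from the capture). The 4.5 bits/char and 32-character thresholds are assumptions chosen for this illustration, not values from the page.

```python
import base64
import ipaddress
import math
import re
from urllib.parse import urlsplit

# Request and response body quoted in the answer above (from the thread, not constructed).
OBSERVED_REQUEST = (
    "http://188.138.96.202/9J53BCBR8pGOKAgwBHQgrgvztOiAFoO5RHeI+3wdMkoINuo4CdHmf+LBVqYfnFev2MxNCQ1X"
    "gJqh0Brltcm70CmTFnwUbI9Leqz0/Gp3fszxClaGSCEjGPfcwQ1ejVM7XFu/rnTLghNBUG4xYxtm+I9qr3Syp/6TkiyRPH"
    "Krn6aQ6L2rYp4uUrZYFK3mIh4E/f17pQIxvqeQ6j9ea345IhpaxdcuyDrHiqAkk6ZPxFvzCxXgzt1Tpfm1x/OGk1sAHfpF"
    "Ej35PDJiW7MM8ktNeVBs"
)
OBSERVED_RESPONSE = (
    "2eRXb7Mg5t5TlvkZBKEhn4DdCuyA5lfQBg4ZIudvkzuCQurtFbAsf/6+xs0pDq99uUKzYgI/ZZQmuVLiso1EpNCWf/wkJ"
    "stV35U76OU0KSuDXs1QkshEcBtj9XC1H5BLyfT/oTIuEGmkFesCjWMGvVCwzVGt2ofLReQuZzmJzVt/VXUqodSUbZPGUyj"
    "f9xqgUpQCvwO2x4cfH3aFKM/rD8gBklsCCvsib31wu2unjk8fo+OTruVf4oYi7TDsk/aaKhkkKLygK7uLpIKG"
)

# Constructed benign URLs for comparison (placeholders, not from the capture).
BENIGN_REQUESTS = [
    "http://www.example.com/docs/user-guide/chapter1.html",
    "http://10.0.0.5/index.php?id=42",
]

# Assumed thresholds for this illustration; tune against your own baseline traffic.
ENTROPY_THRESHOLD = 4.5   # bits per character (base64 text tops out at 6.0)
MIN_PATH_LEN = 32         # short paths have too few symbols for entropy to mean much

_B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(text: str) -> float:
    """Empirical Shannon entropy in bits per character of the given text."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def host_is_bare_ip(host: str) -> bool:
    """True when the Host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def looks_base64(path: str) -> bool:
    """True when the path (minus the leading slash) uses only the base64 alphabet."""
    body = path.lstrip("/")
    return len(body) >= 16 and _B64_ALPHABET.match(body) is not None


def decoded_printable_ratio(path: str):
    """Base64-decode the path and return the fraction of printable ASCII bytes.
    Ciphertext decodes to roughly 0.37 (95 printable values out of 256);
    returns None when the path is not valid base64."""
    body = path.lstrip("/")
    body += "=" * (-len(body) % 4)          # restore any stripped padding
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:                       # binascii.Error is a ValueError
        return None
    if not raw:
        return None
    return sum(32 <= b < 127 for b in raw) / len(raw)


def analyze(url: str) -> dict:
    """Score one URL with the three indicators discussed in the thread."""
    parts = urlsplit(url)
    path = parts.path + ("?" + parts.query if parts.query else "")
    ent = shannon_entropy(path.lstrip("/"))
    flags = []
    if host_is_bare_ip(parts.hostname or ""):
        flags.append("BARE_IP_HOST")
    if len(path) >= MIN_PATH_LEN and ent >= ENTROPY_THRESHOLD:
        flags.append("HIGH_ENTROPY_PATH")
    if looks_base64(path):
        flags.append("OPAQUE_BASE64_PATH")
    return {
        "url": url,
        "host": parts.hostname,
        "path_len": len(path),
        "entropy": round(ent, 2),
        "decoded_printable": decoded_printable_ratio(path) if "OPAQUE_BASE64_PATH" in flags else None,
        "flags": flags,
        "suspicious": len(flags) >= 2,   # one indicator alone (e.g. an intranet IP) is normal
    }


if __name__ == "__main__":
    for u in [OBSERVED_REQUEST] + BENIGN_REQUESTS:
        r = analyze(u)
        print(f"{r['host']:<20} len={r['path_len']:<4} H={r['entropy']:<5} {r['flags']} suspicious={r['suspicious']}")
    print(f"response body entropy: {shannon_entropy(OBSERVED_RESPONSE):.2f} bits/char")
```

To feed it real traffic, extract host and URI pairs from the capture with tshark (file name assumed): `tshark -r capture.pcap -Y "http.request" -T fields -e http.host -e http.request.uri`, join them into URLs and call `analyze()` on each. The `suspicious` verdict deliberately requires two indicators, because a bare IP host on its own is common for internal services, and a single opaque token is exactly what a CDN cache key or a signed download link looks like; the entropy of the response body is checked separately because, as the second answer notes, the reply is scrambled as well, which a legitimate cache or signed link would not produce.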