Advanced Wireshark Network Forensics - Part 2/3
Summary
TL;DR: This video walks through a cybersecurity investigation of a malware-infected system. It details the process of analyzing a network packet capture to identify the source of the malware, extracting the malicious file, and examining its network activity. The tutorial emphasizes safe practices, recommends using a virtual machine, and highlights the importance of documenting findings. It concludes with insights on the malware's behavior, including DNS queries and HTTP traffic, and the absence of self-propagation attempts.
Takeaways
- 🔍 The scenario involves a system on a network infested with malware that the antivirus failed to detect, locking up the system and preventing access to the hard drive.
- 💡 The investigation starts with a full network packet capture and the known IP of the infected host, 12.1.83.155, as the starting point for analysis.
- 🔑 Goals of the analysis include determining the source of the malware infection, reassembling network bits to collect the malware file, and understanding the malware's activity on the system.
- 🚫 A disclaimer is provided about the risks of carving out a live virus file, recommending the use of a different operating system in a virtual machine for safety.
- 🛠️ Wireshark is used for the analysis, with custom columns added for stream ID and host to aid in the investigation.
- 🔎 Pattern matching begins with a display filter to isolate traffic related to the infected IP address, revealing suspicious activity such as a .ru domain name and the absence of a user agent in web requests.
- 📄 The file signature 'MZ' is identified as indicative of Microsoft file types, including EXE executables, by consulting a file signature database.
- 🖊️ The process of carving out the malware file from the packet capture involves saving raw bytes, removing HTTP headers, and ensuring the file starts with the correct file signature.
- 🔒 The importance of disabling antivirus temporarily when handling a live virus file on Windows is highlighted to avoid automatic quarantine.
- 🔄 The carved file is hashed for repeatability and comparison with the original, using either MD5 or SHA-256 to ensure accuracy.
- 🌐 VirusTotal is utilized for analyzing the malware file, providing details about detection rates by various antivirus vendors and the nature of the malware.
- 📊 Network traffic analysis reveals DNS queries to random domain names and HTTP traffic on port 80, indicative of botnet persistence behavior.
- 🛡️ No evidence of the malware trying to self-propagate over the network was found, and traffic signatures like a high volume of DNS queries in a short time are noted for further investigation.
Q & A
What is the main issue presented in the scenario?
-The main issue is that a system on the network is infested with malware, which the antivirus software failed to detect, and the malware has locked up the system.
What is the IP address of the infected host mentioned in the scenario?
-The IP address of the infected host is 12.1.83.155.
What are the primary goals of the investigation in this scenario?
-The primary goals are to determine the source of the malware infection, reassemble the network bits to collect the malware file for further investigation, and analyze the malware's activity on the system, including its network traffic signatures and propagation behavior.
Why is it recommended to use a different operating system with a virtual machine for this scenario?
-It is recommended to use a different operating system with a virtual machine to prevent any complications that might occur from handling a live virus file, allowing for a safer and more controlled environment.
What are the two additional columns added in Wireshark for this investigation?
-The two additional columns added are 'stream ID', with the field set to tcp.stream, and 'host', with the field set to http.host.
What is a file signature and why is it important in this context?
-A file signature, also known as a magic number, is the first few bytes of a file that indicate its type. It is important for identifying the file type, especially when dealing with unknown or potentially malicious files.
How can the file signature be used to identify the type of a file?
-By looking up the file signature in a file signature database, one can determine the type of file it corresponds to, such as an executable or a library file.
What is the purpose of carving out a live virus file in this scenario?
-Carving out a live virus file allows for the collection and analysis of the malware, which can provide insights into its behavior, characteristics, and potential impact on the system.
Why is it necessary to strip off protocol headers and footers when carving out a file?
-Stripping off protocol headers and footers is necessary to obtain the original file in its pure form, without any additional data that may have been added during transmission.
What is the significance of obtaining a hash value of the carved out file?
-Obtaining a hash value ensures that the file carving process is repeatable and allows for the comparison of the carved out file with the original file to verify accuracy.
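The header-stripping and hashing steps described above, as an added Python example that is not part of the original video: the HTTP response it parses is constructed here, and its body is only a short stub beginning with the 'MZ' signature, not an executable.

```python
import hashlib

# Constructed sample: a minimal HTTP response carrying a fake PE-style body.
# The body is NOT a real executable; it only starts with the 'MZ' signature
# so the checks below have something realistic to work on.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 12\r\n"
    b"\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"
)

HEADER_END = b"\r\n\r\n"   # the 0d 0a 0d 0a the video points at in the hex editor
MZ_SIGNATURE = b"MZ"       # magic number shared by EXE and DLL files


def carve_http_body(raw: bytes) -> bytes:
    """Return the payload that follows the first HTTP header block.

    Mirrors the hex-editor step: delete the terminator and everything
    above it. Raises if no terminator is present, which usually means the
    stream was saved as ASCII or in the wrong direction (client to server).
    """
    end = raw.find(HEADER_END)
    if end == -1:
        raise ValueError("no HTTP header terminator (0d0a0d0a) found")
    return raw[end + len(HEADER_END):]


def has_mz_signature(data: bytes) -> bool:
    """True when the carved bytes start with the 'MZ' file signature."""
    return data[:2] == MZ_SIGNATURE


def hash_bytes(data: bytes) -> dict:
    """MD5 and SHA-256 of the carved bytes, for matching against the original."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def carve_and_verify(raw: bytes) -> dict:
    """Carve, check the signature, and hash; fails loudly on a bad cut."""
    body = carve_http_body(raw)
    if not has_mz_signature(body):
        raise ValueError("carved file does not start with MZ; re-check the header cut")
    return {"size": len(body), "body": body, **hash_bytes(body)}


if __name__ == "__main__":
    result = carve_and_verify(SAMPLE_RESPONSE)
    print(f"carved {result['size']} bytes, md5={result['md5']} sha256={result['sha256']}")
```

Feeding the un-stripped dump to has_mz_signature returns False, which is the programmatic form of the "file must start with MZ" check the video makes by eye.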
How can the analysis of the carved out file be performed?
-The analysis can be done manually by someone with the capability, or by uploading the file to an online service like VirusTotal for automated analysis and detection by multiple antivirus vendors.
What does the analysis of the malware file reveal about its behavior?
-The analysis reveals that the malware makes a large number of DNS queries to seemingly random domain names and engages in HTTP communication with certain domains, indicating potential botnet persistence behavior.
What is the significance of observing a high volume of DNS queries within a short amount of time?
-A high volume of DNS queries in a short time can be a traffic signature indicating potential malware activity, as seen in botnet persistence where the malware attempts to find available command and control servers.
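An added example, not from the video, of turning the traffic signature above into a check: a sliding-window count of distinct DNS names per source host, run over constructed log lines in a tshark-like "time src qname" layout. The hosts and domains are invented for illustration (12.1.83.156 is an assumed second host); the block also collects the per-host domain list the video suggests adding to a blacklist.

```python
from collections import defaultdict, deque

# Constructed sample in a tshark-like "time src qname" layout (not real capture
# data). The victim host fires many lookups for random-looking names within a
# second, while a second host makes a couple of ordinary lookups.
SAMPLE_DNS_LOG = """\
0.000 12.1.83.155 qhzkwpelr.com
0.010 12.1.83.155 xmvgtbyaq.net
0.021 12.1.83.155 lpqzrnwuc.org
0.032 12.1.83.155 bdgkhoxme.info
0.044 12.1.83.155 ytrwqmzln.com
0.055 12.1.83.155 cvbnxsdfa.net
0.310 12.1.83.156 www.example.com
0.900 12.1.83.155 kjhgfdsaz.biz
1.400 12.1.83.155 poiuytrew.com
5.000 12.1.83.156 mail.example.com
"""


def parse_dns_lines(text):
    """Parse 'time src qname' lines into (time, src, qname) tuples, time-ordered."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts, src, qname = parts
        records.append((float(ts), src, qname.lower()))
    return sorted(records)


def dns_bursts(records, window=1.0, threshold=5):
    """Flag hosts that query at least `threshold` distinct names within `window` seconds.

    Returns {src: peak distinct names seen in any window}. A sliding window per
    source keeps memory bounded, so the same logic works on a long capture.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, src, qname in records:
        q = recent[src]
        q.append((ts, qname))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop queries older than the window
        distinct = len({name for _, name in q})
        if distinct >= threshold:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


def domains_queried(records, src):
    """Sorted distinct names one host looked up: the candidate blocklist."""
    return sorted({qname for _, s, qname in records if s == src})


if __name__ == "__main__":
    recs = parse_dns_lines(SAMPLE_DNS_LOG)
    for host, peak in dns_bursts(recs).items():
        print(f"{host}: {peak} distinct names inside a 1 s window")
        print("  domains:", ", ".join(domains_queried(recs, host)))
```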
What does the absence of evidence for the malware trying to reach out to other internal network addresses suggest?
-The absence of such evidence suggests that the malware may not be attempting to self-propagate over the network like a worm, at least not in the ways monitored during the investigation.
Outlines
🔍 Investigating Network Malware Infection
This paragraph outlines a scenario where a system is infected with malware that the antivirus failed to detect. The system is locked up, but a full network packet capture is available. The goal is to determine the source of the malware infection and analyze its activity. The infected host's IP is known, and the speaker advises using Wireshark to analyze the capture, adding specific columns for investigation. A disclaimer is given about the risks of carving out a live virus file, recommending the use of a virtual machine on a different OS. Basic steps for setting up Wireshark and beginning the analysis are provided, including creating a display filter for the infected host's traffic and noting suspicious activities like the absence of a user agent in web requests.
📚 Carving Out and Analyzing the Malware
The speaker details the process of extracting a live virus file from a network capture using Wireshark. They explain how to filter traffic to include only server-to-client communication, view raw bytes, and save the file while avoiding antivirus detection. The importance of removing protocol headers to obtain the original file is emphasized. The use of a hex editor to strip HTTP headers and the necessity of creating file hashes for repeatability and matching are discussed. The paragraph concludes with the analysis of the extracted file using VirusTotal, which provides details about the malware, including its detection rate by various antivirus programs, and the observation of network traffic indicating botnet behavior with DNS and HTTP traffic on port 80.
🛡️ Assessing Malware Network Traffic and Propagation
The final paragraph focuses on analyzing the network traffic generated by the malware to determine if it attempts to self-propagate like a worm. The speaker describes how to filter out the virus download traffic and observes DNS queries to seemingly random domain names followed by HTTP communication. They note the lack of evidence for the virus reaching out to internal network addresses, suggesting it does not self-propagate in this manner. The paragraph ends with a summary of findings, including the source of infection, details about the malware file obtained, the type of network calls made, and the absence of self-propagation attempts, as well as the high volume of DNS queries as a potential traffic signature.
Keywords
💡Malware
💡Packet Capture
💡IP Address
💡Antivirus
💡Wireshark
💡File Signature
💡VirusTotal
💡DNS Traffic
💡Botnet
💡Traffic Signature
💡RFC 1918
Highlights
A system on the network is infested with malware that the antivirus failed to detect.
The malware has locked up the system, and access to the hard drive is unavailable.
A full network packet capture is available for incident analysis.
The IP address of the infected host is known, providing a starting point for investigation.
The goal is to determine the source of the malware infection and reassemble network bits to collect the malware file.
Investigating the malware's activity includes analyzing internet calls and potential self-propagation.
A disclaimer about safely carving out a live virus file on a Windows PC is provided.
Instructions on adding helpful columns in Wireshark for stream ID and HTTP host are given.
The importance of documenting goals and results during an investigation is emphasized.
Pattern matching is used to filter traffic related to the infected device's IP address.
Suspicious web requests without a user agent may indicate manual virus download or pre-existing malware.
The file signature 'MZ' is identified as a signature for Microsoft file types, including EXE executables.
Instructions on carving out the live virus file from the network capture are provided.
The necessity of disabling antivirus to save the carved file on a Windows system is mentioned.
The carved file's hash value is crucial for ensuring the repeatability of the process.
VirusTotal is recommended for analyzing the carved malware file and obtaining detailed information.
The malware generates a large number of DNS queries to seemingly random domain names.
HTTP communication is observed with websites on certain domains, indicating possible botnet persistence.
No evidence of the malware trying to self-propagate over the network is found.
A high volume of DNS queries within a short time frame is identified as a potential traffic signature.
Transcript
Let's take a look at scenario one. You can download this and the other capture files from the GitHub link in the description below. So in this scenario we're being told that there's a system on the network infested with malware. For some reason the antivirus on the computer didn't detect it, and the malware has managed to lock up the system. We don't have access to the hard drive, but we do have a full network packet capture of the incident, and we already know the IP of the infected host, 12.1.83.155. This gives us a good starting point. Now for our goals: since we have a full packet capture of the incident, we'll want to know where the system managed to contract the malware from, and if we can, we'll want to see if we can reassemble the network bytes to collect the malware file for further investigation. Then we'll want to see what we can find out about the malware's activity on the system, things like what kind of calls to the internet does it make, does it try to self-propagate like a worm, and are there any possible network traffic signatures that we can use to catch other systems potentially infected with the same piece of malware. OK, we have a capture, we know what we're looking for, and we have our goals. One last thing before we move on: I want to give a little disclaimer. In this scenario I will be showing you how to carve out a live virus file. I will be doing it on my Windows PC and will need to disable my antivirus to do so. Following my steps exactly, it should not cause any problems, but I recommend that you do not do this on Windows and use a different operating system with a virtual machine that you can reflash later. The virus is non-destructive and I'm not liable for any complications that might occur. So with that, let's get started.

The first thing I like to do with any new Wireshark install is to add a few helpful columns. So let's go ahead and open our pcap file. We can right-click on one of the columns and select Column Preferences. From there, click on the plus sign to add two columns. The first we're gonna call "stream ID" and the second will be called "host". Set the fields to be tcp.stream and http.host. I'd like to put the stream ID column between Protocol and Length, and the host column between Length and Info, so when we're done it'll look like this. The other thing I like to do when starting a new investigation is to document what we know, our goals, and the results of each goal as we go through this. Since we're walking through this together I won't write down the steps we've taken, but you'll want to write those down as well. Now that we have our Wireshark set up and our goals written down, we can start with our analysis. We begin with pattern matching. We already know the IP address of the system we're interested in, so let's create a display filter to show us only the traffic related to that device. You can type in ip.addr for IP address, equals equals, and then our victim's IP. Already we see something that looks a little suspicious. Now I want to point out something really important when investigating capture files: what may be true for one network may not be true for another. In this case a .ru domain name might seem like something to worry about, but it's also possible that this is a company that does a lot of business with other Russian companies. Either way we're gonna want to check our suspicions. Right-click and Follow TCP Stream.

OK, there's a few things we want to take note of here. First, what's something strange that we notice about the web request? There is no user agent. Normally when you use a web browser or even curl to make a web request, the browser includes its user agent in the web headers, so not seeing a user agent here can mean one of two things: either the user manually downloaded this virus themselves using some sort of local utility, or there was already a piece of malware on the system that downloaded the rest of the virus. Next, what kind of file is it that's being downloaded? It's an exe executable. Obviously, the name is pus about exe, but another way we can tell what kind of file it is is by looking at the first few bytes of the file. This is known as the file signature. See, in Windows you need to have the correct extension to open a file with the right application, .exe, .png, .doc, but with Linux you don't need that. In fact there's a Linux utility called file that will tell you what type of file something is, and it does that by looking at the file signatures. I'll show you where you can look up your own file signatures in a second, but first let's write down what we have so far: the file was downloaded from this .ru domain with the name puska Exe, and there was no user agent in the request. OK, so if we search Google for a file signature database, several pop up. Personally I prefer garykessler.net since it's updated regularly. From here we can just do a Ctrl+F search for MZ, which was the first two bytes of the file, and we can see here that MZ is a file signature for a number of Microsoft file types, including exe executables and DLL libraries.

So now that we have the bytes of the file, how can we pull this out with Wireshark? Well, first we want to change the traffic we're looking at to only include the communication coming from the server to the client. We can do that in the bottom left corner here. Then we'll want to show the raw bytes instead of their ASCII form. Finally, just save the file. Now remember, this is a live virus, and since I'm using Windows I don't save it as a .exe file. I'm also gonna save this file twice, as dump one and dump two. You don't have to do this, but you'll see why in a moment. We're not done yet. To get the original file we need to strip off any and all protocol headers and footers. In this case we only have the HTTP headers to deal with. Open the file in a hex editor. Now the way HTTP headers work is that they let you know where the headers end and the data starts by this 0d 0a 0d 0a, so just delete that and everything above it. When we're done the file will start with MZ, the first few bytes of our file signature. See, this is why I saved the file twice: when I tried to reconstruct the original virus my antivirus recognized it and put it in quarantine. So here I'm gonna go ahead and disable my antivirus and try it again. I'm only using Windows Defender, so all I need to do is open my security settings, Virus & threat protection, then turn off real-time protection. This little video glitch is from it asking me for privileged permissions, so don't worry about that. OK, with the antivirus now disabled let's go ahead and try it again, and success.

Immediately after carving out any file in this investigation you'll want to get a hash of the file. It doesn't matter too much if it's MD5 or SHA-256, since the likelihood of a collision is pretty much zero, but you'll want to make sure that you get the hash value so that your process is repeatable and so that the carved-out file and the original file can be matched together. For example, if you're following along and managed to get different hash values, that means that the file was carved out wrong and you should try it again. Don't worry, it happens from time to time, but this just illustrates why it's so important to collect the right hash values. OK, now to send the file for analysis. If you're capable you can analyze the file yourself, or we can do my preferred method and upload it to VirusTotal. I love VirusTotal, it's just a great website. From our research here we have the SHA-256 hash, the original name pasta Exe (remember, we didn't give it that name, they already knew it), and listed details about the virus itself. There's also a list of antivirus vendors where they note which AV can and cannot detect the virus. Remember in our scenario where the antivirus wasn't able to detect it? It might be on this list with a green checkmark, and maybe we should re-evaluate our AV solution. Just a thought.

OK, so we were able to collect and analyze the malware file. Let's take a look at what kind of network traffic it generates. We can filter out the virus download by filtering out TCP stream 5, and here we can see a lot of DNS traffic to what seems to be somewhat randomly generated domain names. If we scroll down a little we can start to see quite a few SYN packets being sent before we reach our first SYN-ACK. That usually means that they were all sent out in a short amount of time. If we kept scrolling down we would start to see connections that were being established and then closed immediately. If you're new to malware traffic, this is pretty standard form for botnet persistence: the virus comes with a pre-loaded list of domains or with a built-in way to generate domain names. It then tries to reach out to each of the domain names in the list to see what's available and online. That way, if some of the domains in the list are blocked or shut down, it still has a way to call home. Let's look at one of the packets to see what TCP port it's trying to communicate on. OK, port 80, so most likely web traffic. Now if we wanted to see which of these domains it connected to and stayed connected to, it's very likely that it would be using HTTP web traffic, so let's check the host headers. Add "and http.host" to our filter and we can see that most of the communication happens with this wham-o Jeff desi comm domain. Let's follow one of the streams and see what kind of traffic we have. Yep, this looks like a normal webpage. Might have redirected the user to their site to buy a fake antivirus; says here "Windows 7 Total Security". Let's make a note of what we found: we saw that we now have a list of domain names that we can add to our blacklist. We also noticed a spike of DNS traffic followed by a spike in port 80 traffic.

OK, we're almost done. The last thing we want to know is if the virus tries to self-propagate over the network like a worm. So what do we look for? Well, if the virus tries to reach out to other devices on the network, it might try to follow RFC 1918 and look for private IP addresses. There's also a chance that it takes the IP address of the infected machine and tries to reach out to other devices on that network as well. If you're not familiar, RFC 1918 is the standard for private IP addressing. This is where we get the 10., the 192.168. and the 172.16. networks. These are all well-known addresses and they're sometimes reached out to by computer worms. We're also going to want to check the 12. networks with a /8 subnet because it's at least a Class A address. So we're gonna build one large filter, and you're gonna want to be careful doing this, since the larger the filter the trickier it can be. We want to include the source IP address of 12.1.83.155 and the list of the following addresses: 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 and 12.0.0.0/8, again since 12. is a Class A address. We're gonna use these double pipes instead of the double ands since we only need one of these to show up in our filter, and we want to make sure that we wrap it with a parenthesis for the proper boolean logic with the and earlier. OK, let's stir this into Wireshark. You might see these ICMP destination unreachable messages. This is actually a bug in the Wireshark filters where it thinks that the ICMP messages are sourced and destined for the same address. These are quick to look through and we can easily sort them out by just adding "not icmp" to the end of our filter. At this point it doesn't look like there are any attempts from the virus to try and connect to other internal systems, so let's write this down, and that's it. Awesome, so now we're done. Let's hop back to the slides and review what we found.

OK, let's revisit what we found. Where did the user contract the malware from? Well, the user made a direct call to the executable, therefore the user either deliberately downloaded the malware or there was a piece of malware sleeping on the system. How about the malware file? Well, we were able to get that carved out. We have the MD5 and the SHA-256 hashes of these files. We were able to analyze them through VirusTotal, so here are some results, taking screenshots of the VirusTotal output. So here we have a list of antivirus that was able to detect the virus, and here's a list of those that weren't. So what kind of calls did it make? Well, we saw a large number of DNS queries to a number of what seemed like randomly generated domain names, and we also saw a lot of HTTP communication for websites located on a few of these domains. Did it try to self-propagate? No, we didn't find any evidence that it tried to reach out to any other internal network addresses. And as far as traffic signatures, we saw a high volume of DNS queries within a short amount of time, so that's definitely something to look at. Well, that's it for now. In the next video we're going to take a look at our second scenario.