Advanced Wireshark Network Forensics - Part 2/3

Netsec Explained

4 Dec 201813:58

Summary

TLDRThis video script guides viewers through a cybersecurity investigation of a malware-infected system. It details the process of analyzing a network packet capture to identify the source of the malware, extracting the malicious file, and examining its network activity. The tutorial emphasizes safe practices, recommends using a virtual machine, and highlights the importance of documenting findings. It concludes with insights on the malware's behavior, including DNS queries and HTTP traffic, and the absence of self-propagation attempts.

Takeaways

🔍 The scenario involves a system on a network infested with malware that the antivirus failed to detect, locking up the system and preventing access to the hard drive.
💡 The investigation starts with a full network packet capture and the known IP of the infected host, 12.1.83.155, as the starting point for analysis.
🔑 Goals of the analysis include determining the source of the malware infection, reassembling network bits to collect the malware file, and understanding the malware's activity on the system.
🚫 A disclaimer is provided about the risks of carving out a live virus file, recommending the use of a different operating system in a virtual machine for safety.
🛠️ Wireshark is used for the analysis, with custom columns added for stream ID and host to aid in the investigation.
🔎 Pattern matching begins with a display filter to isolate traffic related to the infected IP address, revealing suspicious activity such as a .ru domain name and the absence of a user agent in web requests.
📄 The file signature 'MZ' is identified as indicative of Microsoft file types, including EXE executables, by consulting a file signature database.
🖊️ The process of carving out the malware file from the packet capture involves saving raw bytes, removing HTTP headers, and ensuring the file starts with the correct file signature.
🔒 The importance of disabling antivirus temporarily when handling a live virus file on Windows is highlighted to avoid automatic quarantine.
🔄 The carved file is hashed for repeatability and comparison with the original, using either MD5 or SHA-256 to ensure accuracy.
🌐 VirusTotal is utilized for analyzing the malware file, providing details about detection rates by various antivirus vendors and the nature of the malware.
📊 Network traffic analysis reveals DNS queries to random domain names and HTTP traffic on port 80, indicative of botnet persistence behavior.
🛡️ No evidence of the malware trying to self-propagate over the network was found, and traffic signatures like a high volume of DNS queries in a short time are noted for further investigation.

Q & A

What is the main issue presented in the scenario?
-The main issue is that a system on the network is infested with malware, which the antivirus software failed to detect, and the malware has locked up the system.
What is the IP address of the infected host mentioned in the scenario?
-The IP address of the infected host is 12.1.83.155.
What are the primary goals of the investigation in this scenario?
-The primary goals are to determine the source of the malware infection, reassemble the network bits to collect the malware file for further investigation, and analyze the malware's activity on the system, including its network traffic signatures and propagation behavior.
Why is it recommended to use a different operating system with a virtual machine for this scenario?
-It is recommended to use a different operating system with a virtual machine to prevent any complications that might occur from handling a live virus file, allowing for a safer and more controlled environment.
What are the two additional columns added in Wireshark for this investigation?
-The two additional columns added are 'stream ID' with the field set to TCP.stream, and 'host' with the field set to HTTP.host.
What is a file signature and why is it important in this context?
-A file signature, also known as a magic number, is the first few bytes of a file that indicate its type. It is important for identifying the file type, especially when dealing with unknown or potentially malicious files.
How can the file signature be used to identify the type of a file?
-By looking up the file signature in a file signature database, one can determine the type of file it corresponds to, such as an executable or a library file.
What is the purpose of carving out a live virus file in this scenario?
-Carving out a live virus file allows for the collection and analysis of the malware, which can provide insights into its behavior, characteristics, and potential impact on the system.
Why is it necessary to strip off protocol headers and footers when carving out a file?
-Stripping off protocol headers and footers is necessary to obtain the original file in its pure form, without any additional data that may have been added during transmission.
What is the significance of obtaining a hash value of the carved out file?
-Obtaining a hash value ensures that the file carving process is repeatable and allows for the comparison of the carved out file with the original file to verify accuracy.
How can the analysis of the carved out file be performed?
-The analysis can be done manually by someone with the capability, or by uploading the file to an online service like VirusTotal for automated analysis and detection by multiple antivirus vendors.
What does the analysis of the malware file reveal about its behavior?
-The analysis reveals that the malware makes a large number of DNS queries to seemingly random domain names and engages in HTTP communication with certain domains, indicating potential botnet persistence behavior.
What is the significance of observing a high volume of DNS queries within a short amount of time?
-A high volume of DNS queries in a short time can be a traffic signature indicating potential malware activity, as seen in botnet persistence where the malware attempts to find available command and control servers.
What does the absence of evidence for the malware trying to reach out to other internal network addresses suggest?
-The absence of such evidence suggests that the malware may not be attempting to self-propagate over the network like a worm, at least not in the ways monitored during the investigation.