Capturing and Analyzing Malicious Network Traffic

Sniffers are very important tools for analyzing and capturing all packets in real time. If you want to understand what Malware change on the network level here you can find some useful sniffing utilities:

Wireshark’s GUI

Fantastic packet analyzer tool for Windows, Linux, Mac OS X, and various other platforms, at first this tool is called Ethereal and changed the name by summer of 2006. Wireshark can perform deep inspection of hundreds of protocols, and export results as a binary pcap file, CSV, or XML. The sniffer can work not only on Ethernet, but also IEEE 802.11, PPP / HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI networks.

It also has powerful filtering capabilities. Recent versions of Wireshark added advanced mechanisms for the analysis of voice VoIP, as well as decrypting protocols such as IPsec, ISAKMP, Kerberos, SNMPv3, SSL / TLS, WEP, and WPA/WPA2. Decrypted real time traffic and data compressed with gzip.

If you use windows than you just install the executable while on Linux you run the following:

# sudo apt-get install wireshark

Tshark

Tshark is the command line version of wireshark. You can install it like this:

# sudo apt-get install tshark

tshark can be used to dump network traffic into capture files for later processing. For this, we need to tell tshark which interface to listen to and which traffic to capture. This is an example.

#sudo tshark -f “udp port 1812″ -i eth0 -w /tmp/capture.cap

Tcpdump

Tcpdump used to be the standard sniffer for everyone until the release of Ethereal (Wireshark). it does not have a cool GUI-interface and protocol analyzer capabilities as wireshark or tshark but it can be a good addition to sniffers as it provides reliable, powerful packet capture and read-back capabilities.

Tcpdump can cause less security problems and are preferred by system administrators to monitor and solve many network problems we can find some known security scanner includes it in their software package such as nmap and other tools. If you need to install it, use the following command:

# sudo apt-get install tcpdump

Snort IDS

Snort will help you in alerting about any suspicious traffic sent to or from your target machines while the malware is running. This will alert you if the same or similar malware exists on the corporate network. The following commands create a simple Snort setup with the Emerging Threats signatures:

“# sudo apt-get install snort

# sudo wget –P /etc/snort/rules http://www.emergingthreats.net/rules/emerging-all.rules

# sudo echo ‘include $RULE_PATH/emerging-all.rules’ >>  /etc/snort/snort.conf” (1)

Emerging Threats is an open source community project that produces the fastest moving and most diverse Suricata and Snort Rulesets and firewall rules available.

For more about Snort project you can visit their home page where you find additional documentation and tutorials. Some of the ideas you might consider implementing into your testing environment are:

• Enabling and disabling signatures or entire rulesets as desired

• Configuring oinkmaster5 for keeping signatures updated

• Compiling Snort using the –with-mysql flags to write logs and alerts to a MySQL database.

• Configuring the pre-processors and different options in snort.conf

Reference:

(1)  Malware Analyst’s Cookbook: http://www.amazon.com/Malware-Analysts-Cookbook-DVD-Techniques/dp/0470613033

Share
  • Pingback: ArabSec

  • Pingback: ArabSec

  • Pingback: powertuxos

  • Pingback: Hotelrevmgmt.com

  • Pingback: Gabriele Caniglia

  • Pingback: Graphing Malicous URL Relationships | SecTechno

  • Malwarecookbook

    You clearly copied these commands from Malware Analyst’s Cookbook. I can tell because of this:

    # sudo wget –P /etc/snort/rules http://www.emergingthreats.net/rules/emerging-all.rules

    The “” after rules was just to indicate a line break so the command fits on the page of the book. If you actually type “” as you have shown, it won’t work correctly. 

  • Robble

     Why did you plagiarize from the Malware Cookbook for this post?