A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #17074  by kareldjag/michk
 Fri Dec 07, 2012 10:01 pm
As far as I know there is no free tool for this kind of automated task in a reliable and exhaustive way.
Network pattern/stream detection relies mostly on IDS/IPS, not on AV.
There is a Wireshark plugin called WireshAv based on the Snort/ClamAV database that might be interesting, but I have not experimented with it, as the Wireshnork plugin appears more needed to me: https://www.honeynet.org/node/716
https://www.honeynet.org/node/790
http://vrt-blog.snort.org/2011/02/black ... ining.html

As a pcap forensic Cisco tool, NFEX or Network File Extraction is based on TCPXtract and provides more investigation features on the widely used TCP protocol, with the ability to query the ClamAV database for malware patterns.
http://blogs.cisco.com/security/network ... e-carving/
The main problem is the ClamAV database, which is less accurate than those of other private AV editors.
It is up to you to contact and collaborate with the devs.

rgds
 #17075  by Buster_BSA
 Sat Dec 08, 2012 12:19 am
Thanks for your detailed reply kareldjag/michk, but I was thinking of bot/malware detection through the search for C&C command traces and similar.

I have already covered the question of scanning transmitted files with AVs.
 #17092  by wacked2
 Sun Dec 09, 2012 8:35 pm
IMO not really possible - most HTTP Bots use valid User-Agents, don't make any errors in the HTTP Protocol (Idiots as always not counted) - they use an unsuspicious protocol.
[23.10.2012 14:08:14:937]
GET /918679543EB52B2FECC724D9A550FA329E536B2058EAA4E752E12FEBC8CED351B1654C05E37573C298B2045D30245C89BC1400FCA2C30CFF5B9146A31B1D8EBA7EADCEFC63 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 50.22.136.150:8080


[23.10.2012 14:08:16:015]
HTTP/1.1 200 OK
Server: nginx/0.8.55
Date: Tue, 23 Oct 2012 12:08:36 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.4.4-7
Vary: Accept-Encoding
Content-Length: 63

c=rdl&u=/get/passf_v4_2.dll.crp&a=0&k=00000d4c&n=passf_v4_2.dll
Detecting traffic based on GET or POST Parameters will probably lead to many false positives.
 #17128  by hanan
 Tue Dec 11, 2012 8:43 pm
wacked2 wrote:IMO not really possible - most HTTP Bots use valid User-Agents, don't make any errors in the HTTP Protocol (Idiots as always not counted) - they use an unsuspicious protocol.
You are right in the case of unknown malware, but what about a known downloader that accesses a specific file for download (using POST and GET)?
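The two positions in this thread can be put side by side in code: a family-specific signature for the downloader whose check-in is quoted above (hanan's "known downloader" case), and a handful of generic heuristics that fire on the same exchange but, taken one at a time, also fire on legitimate traffic (wacked2's false-positive point). The following Python is an added example written for this thread, not code from any poster or from the tools mentioned earlier (NFEX, WireshAv, Wireshnork). The first sample exchange is the request/response pair quoted by wacked2; the other two are constructed here. The signature regex assumes the `c=...&u=...&a=...&k=...&n=...` response shape is stable for that one family, which is an assumption drawn from a single sample.

```python
import re
from ipaddress import ip_address
from urllib.parse import parse_qs

# Windows NT kernel versions that real browsers report (5.0 through 10.0).
# A User-Agent naming any other NT version was hand-written, not generated
# by a browser. "Windows NT 9.0" from the captured request is not in this set.
REAL_NT_VERSIONS = {"5.0", "5.1", "5.2", "6.0", "6.1", "6.2", "6.3", "10.0"}

# Family-specific signature for the response seen in the captured exchange:
# c=<cmd>&u=<path>&a=<n>&k=<8 hex>&n=<filename>. Assumption: this shape is
# stable for that one downloader; it says nothing about any other bot.
KNOWN_DOWNLOADER_CMD = re.compile(
    r"^c=[a-z]+&u=/[^&\s]+&a=\d+&k=[0-9a-f]{8}&n=[^&\s]+$"
)

# Constructed samples. Exchange 0 is the pair quoted in the thread; 1 is an
# ordinary browser request; 2 is a hash-named object on a CDN-style host,
# which trips the hex-path heuristic alone and shows why one indicator is
# not enough on its own.
SAMPLE_EXCHANGES = [
    {
        "request": (
            "GET /918679543EB52B2FECC724D9A550FA329E536B2058EAA4E752E12FEBC8CED351"
            "B1654C05E37573C298B2045D30245C89BC1400FCA2C30CFF5B9146A31B1D8EBA7EADCEFC63"
            " HTTP/1.1\r\n"
            "User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)\r\n"
            "Host: 50.22.136.150:8080\r\n\r\n"
        ),
        "response_headers": {"Content-Type": "text/html", "Content-Length": "63"},
        "response_body": "c=rdl&u=/get/passf_v4_2.dll.crp&a=0&k=00000d4c&n=passf_v4_2.dll",
    },
    {
        "request": (
            "GET /news/index.html HTTP/1.1\r\n"
            "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\r\n"
            "Host: www.example.com\r\n\r\n"
        ),
        "response_headers": {"Content-Type": "text/html", "Content-Length": "31"},
        "response_body": "<html><body>Hello</body></html>",
    },
    {
        "request": (
            "GET /0123456789abcdef0123456789abcdef HTTP/1.1\r\n"
            "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\r\n"
            "Host: cdn.example.net\r\n\r\n"
        ),
        "response_headers": {"Content-Type": "text/html", "Content-Length": "31"},
        "response_body": "<html><body>Hello</body></html>",
    },
]


def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers); header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def request_indicators(path, headers):
    """Family-agnostic anomalies in the request line and headers."""
    found = []
    if re.fullmatch(r"/[0-9A-Fa-f]{32,}", path):
        found.append("hex_blob_path")          # whole path is one hex blob
    host, _, port = headers.get("host", "").partition(":")
    try:
        ip_address(host)
        found.append("raw_ip_host")            # Host is a literal IP, no name
    except ValueError:
        pass
    if port and port not in ("80", "443"):
        found.append("nonstandard_port")
    m = re.search(r"Windows NT (\d+\.\d+)", headers.get("user-agent", ""))
    if m and m.group(1) not in REAL_NT_VERSIONS:
        found.append("impossible_nt_version")
    return found


def response_indicators(content_type, body):
    """Anomalies in the reply: a bare query string served as text/html, plus the family signature."""
    found = []
    if content_type.startswith("text/html") and "<" not in body:
        if len(parse_qs(body)) >= 3:
            found.append("querystring_body_as_html")
    if KNOWN_DOWNLOADER_CMD.match(body):
        found.append("known_downloader_command")
    return found


def classify(exchange, threshold=3):
    """Signature hit wins; otherwise require several generic indicators before alerting."""
    _method, path, headers = parse_request(exchange["request"])
    indicators = request_indicators(path, headers)
    indicators += response_indicators(
        exchange["response_headers"].get("Content-Type", ""), exchange["response_body"]
    )
    generic = [i for i in indicators if i != "known_downloader_command"]
    if "known_downloader_command" in indicators:
        verdict = "known_family"
    elif len(generic) >= threshold:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "indicators": indicators}


if __name__ == "__main__":
    for i, ex in enumerate(SAMPLE_EXCHANGES):
        print(i, classify(ex))
```

The third sample is the point of the exercise: a single generic indicator (a hash-named object path) is exactly the kind of thing a CDN produces all day, so the generic rules only reach a verdict when several coincide, while the signature for the known family fires on its own because it matches the specific command format rather than any one header.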