Malware Traffic Analysis with Wireshark

The document outlines a malware traffic analysis experiment using Wireshark to identify signs of malware communication and analyze captured network traffic. It details the process of finding infected file hashes, checking their maliciousness via VirusTotal, and retrieving host information such as IP and MAC addresses. The importance of network traffic analysis is emphasized as a necessary measure to detect threats that traditional antivirus software may miss.


EXPERIMENT – 3

Aim: Malware Traffic Analysis: Analyze captured traffic to identify signs of
malware communication, such as command-and-control traffic or data
exfiltration.

Description: Malware Traffic Analysis:

Malware traffic analysis refers to the process of identifying, analyzing, and
understanding the behavior of malicious network traffic generated by malware or
other cyber threats. Security professionals use this technique to examine network
packets, protocols, and other metadata in order to identify patterns of suspicious or
malicious activity. By doing so, they can detect and isolate threats before they cause
harm, allowing for a swift response and mitigation of potential breaches. This
proactive approach helps safeguard sensitive data, systems, and networks from
cyberattacks.

An example is the [Link] website, which provides packet
capture (pcap) files and malware samples for analysis. The site offers training
exercises and tutorials to help security professionals enhance their skills in
analyzing network traffic. Tools like Wireshark are commonly used for
analyzing malware traffic.

Wireshark is a popular tool for troubleshooting network-related issues. When a
host is infected or otherwise compromised, security professionals need to quickly
review packet captures (pcaps) of the suspicious network traffic; these captures
can be used to identify the affected hosts and users. Collecting indicators of
compromise (IOCs) helps organizations detect and prevent attacks. This section
explains how to collect the following IOCs using Wireshark:
- File hashes
- Host IP address
- Domain name
- Host name
- MAC address of the host

Wireshark can be used in two ways: to perform a local capture, or to
analyze packet captures that are already available. Many sites provide pcaps
for analysis; we have used the pcap from the Traffic Analysis Exercise "Pizza Bender".

(I) Finding the hash of the infected file

The fundamental goal of web analytics is to collect and analyze data related to web traffic
and usage patterns. The data mainly comes from four sources:

- Direct HTTP request data: comes directly from HTTP request messages
  (HTTP request headers).
- Network-level and server-generated data associated with HTTP requests:
  not part of an HTTP request, but required for successful request
  transmission, for example the IP address of the requester.
- Application-level data sent with HTTP requests: generated and processed
  by application-level programs (such as JavaScript, PHP, and [Link]),
  including session and referral data. These are usually captured by internal logs
  rather than by public web analytics services.
- External data: can be combined with on-site data to augment the
  website behavior data described above and interpret web usage. For
  example, IP addresses are usually associated with geographic regions and
  internet service providers; other examples are e-mail open and click-through rates,
  direct mail campaign data, sales and lead history, or other data types as needed.

To collect the hash of the infected file the following steps have been followed:
(i) Apply the display filter http.request in Wireshark.
(ii) From the results of step (i), get the affected files via File > Export Objects > HTTP.
(iii) Save the affected file (in this example the file found is a .php file).
(iv) Compute the hash of the saved file.

In this example the hash of the infected file obtained using Wireshark is
a52a1e151bf4b993efcff87b3780d731 (an MD5 digest). MD5 is adequate as a lookup key for
threat-intelligence services, but because it is collision-prone a SHA-256 digest of the same
file should be recorded alongside it. A screenshot of the above process is presented in
fig1.

Fig 1 finding hash of an infected file using Wireshark

(II) Checking whether the file is infected or not:

By applying the filter http.request, a file and its hash were found in (I). In the next step
it has to be checked whether the file is malicious or not. For this, the obtained file hash
has been checked at [Link]. VirusTotal is a website created by the Spanish
security company Hispasec Sistemas and launched in June 2004. VirusTotal
aggregates many antivirus products and online scan engines to check for viruses
that the user's own antivirus may have missed, or to verify against false
positives. Files up to 650 MB can be uploaded to the website, or sent via email (max.
32 MB). Note that looking up a hash does not send the file anywhere, whereas uploading
a sample shares it with VirusTotal's partners; for files that may contain internal or
personal data, the hash lookup should be preferred.
Anti-virus software vendors can receive copies of files that were flagged by other
scans but passed by their own engine, to help improve their software and, by
extension, VirusTotal's own capability. Suspected URLs can be scanned and searched
against the VirusTotal dataset. For dynamic analysis of malware VirusTotal uses the
Cuckoo sandbox.

After looking up the obtained file hash on VirusTotal it was found that the file is flagged
as malicious; the results are depicted in fig2.

Fig. 2 Scanning results on [Link]
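The hash check described in (II) can be scripted so that only the digest leaves the analyst's network. The following is an added example (not code from the lab report) that builds a VirusTotal v3 hash lookup, reduces the engine statistics to a verdict and treats an unknown hash (HTTP 404) as "never seen" rather than "clean". The endpoint and header names are the public v3 API; the API key, the detection threshold and the two fake openers with their made-up engine counts are assumptions so the code runs offline:

```python
import io
import json
import urllib.error
import urllib.request

VT_FILES = "https://www.virustotal.com/api/v3/files/"  # public v3 endpoint, GET by hash


def vt_request(file_hash, api_key):
    """Build a hash lookup. Only the digest leaves the network; the sample itself is not uploaded."""
    h = file_hash.strip().lower()
    if len(h) not in (32, 40, 64) or any(c not in "0123456789abcdef" for c in h):
        raise ValueError("expected an MD5, SHA-1 or SHA-256 hex digest")
    return urllib.request.Request(VT_FILES + h, headers={"x-apikey": api_key,
                                                         "accept": "application/json"})


def summarize(report):
    """Reduce last_analysis_stats to a verdict. One engine flag is weak evidence; several are not."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    malicious = stats.get("malicious", 0)
    suspicious = stats.get("suspicious", 0)
    engines = sum(stats.get(k, 0) for k in ("harmless", "malicious", "suspicious", "undetected"))
    if malicious >= 3:          # threshold is an assumption; tune it to your false-positive tolerance
        verdict = "malicious"
    elif malicious or suspicious:
        verdict = "suspicious"
    else:
        verdict = "undetected"
    return {"verdict": verdict, "malicious": malicious, "suspicious": suspicious, "engines": engines}


def lookup(file_hash, api_key, opener=urllib.request.urlopen):
    """Look the hash up; a 404 means VirusTotal has never seen it, which is not proof it is benign."""
    try:
        with opener(vt_request(file_hash, api_key)) as resp:
            report = json.loads(resp.read())
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return {"verdict": "unknown", "malicious": 0, "suspicious": 0, "engines": 0}
        raise
    return summarize(report)


# Constructed stand-ins so the example runs offline; the counts are made up, not a real report.
FAKE_REPORT = {"data": {"attributes": {"last_analysis_stats": {
    "harmless": 0, "malicious": 41, "suspicious": 2, "undetected": 27}}}}


def fake_opener_found(req):
    return io.BytesIO(json.dumps(FAKE_REPORT).encode())


def fake_opener_missing(req):
    raise urllib.error.HTTPError(req.full_url, 404, "Not Found", {}, None)


if __name__ == "__main__":
    # Drop the opener argument and supply a real key to query the live service.
    print(lookup("a52a1e151bf4b993efcff87b3780d731", "API_KEY", opener=fake_opener_found))
    print(lookup("a52a1e151bf4b993efcff87b3780d731", "API_KEY", opener=fake_opener_missing))
```

The opener is injected so the same code path is exercised against the fake responses and against the real service; the "unknown" verdict is kept separate from "undetected" because a hash nobody has submitted tells you nothing about the file.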

(III) Finding the host name, domain name, IP address and MAC address:
Any host generating traffic within the network should have three identifiers: a MAC
address, an IP address, and a hostname. In most cases, alerts for suspicious
activity are based on IP addresses. If full packet capture of the network traffic is
available, a pcap filtered on an internal IP address should reveal the associated MAC
address and hostname. The MAC address seen in the pcap belongs to the host only when
the capture was taken on the same layer-2 segment; beyond a router the source MAC is
the router's. Host information can be found in Wireshark by filtering on two types
of activity: Dynamic Host Configuration Protocol (DHCP) or NetBIOS Name Service (NBNS).
DHCP traffic can help identify hosts for almost any type of computer connected to the
network. DHCP provides an automated way to distribute and update IP addresses
and other configuration information on a network [11]. NBNS traffic is generated
primarily by computers running Microsoft Windows or Apple hosts running macOS.
Depending on how frequently a DHCP lease is renewed, DHCP traffic might not be
present in the pcap. Fortunately, in that case NBNS traffic can be used to identify
hostnames for computers running Microsoft Windows or Apple hosts running macOS.
In the experiment presented in this paper the host details have been found from NBNS
traffic. The steps for obtaining the host name, domain name, IP address and MAC address
are as follows:

- Apply nbns as the display filter, as depicted in fig3.
- For the given source IP the obtained host name is DESKTOP-OF4FE8A<20> (the <20>
  suffix is the NetBIOS service type; 0x20 is the file server service).
- The domain name can be found in the Host header under Hypertext Transfer Protocol
  in the packet details pane of Wireshark, as depicted in fig4.
- Obtained domain is [Link].
- Get the IP address of the host under Internet Protocol in the same pane.
- Obtained IP address of the host is [Link].
- IP address of the infected machine is [Link].
- MAC address of the infected machine is [Link], as depicted in fig5.

Fig3. Finding hostname from NBNS traffic using Wireshark

Fig. 4 finding domain address using Wireshark

Fig.5 finding IP address of infected Host
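Sections (I) and (III) are both done by hand in the Wireshark GUI. The following is an added example (not code from the lab report or from the Pizza Bender exercise) that performs the same two tasks over a pcap in one pass: it walks the classic pcap record structure, reassembles each TCP flow, exports every HTTP response body with its MD5 and SHA-256, and decodes the NetBIOS first-level name encoding in NBNS registration packets to pair each source IP with its MAC and hostname. The capture it runs on is constructed inline (the MACs, IPs, hostname, domain and .php body are made up), and it assumes Ethernet framing, IPv4, in-order TCP segments without retransmissions and one HTTP object per flow; a real capture needs proper reassembly, which Wireshark does for you:

```python
import hashlib
import struct
from socket import inet_aton, inet_ntoa

# Constructed sample capture (stand-in for the exercise pcap; every value here is made up).
CLIENT_MAC, CLIENT_IP = "00:11:22:33:44:55", "10.0.0.5"
SERVER_MAC, SERVER_IP = "66:77:88:99:aa:bb", "198.51.100.7"
BODY = b"<?php /* stand-in for the downloaded .php payload */ echo 'x'; ?>\n"

def _mac(m):
    return bytes.fromhex(m.replace(":", ""))

def _frame(src_mac, dst_mac, src_ip, dst_ip, proto, l4):
    """Ethernet II + minimal IPv4 header; checksums are left zero and ignored by the parser."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     inet_aton(src_ip), inet_aton(dst_ip))
    return _mac(dst_mac) + _mac(src_mac) + b"\x08\x00" + ip + l4

def _tcp(sport, dport, payload):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def nbns_encode(name, suffix):
    """NetBIOS first-level encoding: 15-char space-padded name + service suffix -> 32 letters A..P."""
    raw = name.upper().ljust(15).encode("ascii")[:15] + bytes([suffix])
    return b"".join(bytes([65 + (b >> 4), 65 + (b & 0xF)]) for b in raw)

def nbns_decode(encoded):
    raw = bytes(((encoded[i] - 65) << 4) | (encoded[i + 1] - 65) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def _nbns_registration(name, suffix):
    hdr = struct.pack("!HHHHHH", 0x8000, 0x2910, 1, 0, 0, 1)  # flags 0x2910: opcode 5 = registration
    return hdr + b"\x20" + nbns_encode(name, suffix) + b"\x00" + struct.pack("!HH", 0x20, 1)

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # LINKTYPE_ETHERNET
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = build_pcap([
    _frame(CLIENT_MAC, "ff:ff:ff:ff:ff:ff", CLIENT_IP, "10.0.0.255", 17,
           _udp(137, 137, _nbns_registration("DESKTOP-LAB01", 0x20))),
    _frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 6,
           _tcp(49152, 80, b"GET /update.php HTTP/1.1\r\nHost: evil.example\r\n\r\n")),
    _frame(SERVER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, 6,
           _tcp(80, 49152, b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(BODY) + BODY[:10])),
    _frame(SERVER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, 6, _tcp(80, 49152, BODY[10:])),
])

def iter_frames(pcap):
    """Yield link-layer frames from a classic little-endian pcap (24-byte global, 16-byte record headers)."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap (magic a1b2c3d4) is handled here")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<IIII", pcap[off:off + 16])[2]
        yield pcap[off + 16:off + 16 + incl]
        off += 16 + incl

def hexdigests(data):
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()

def analyze(pcap):
    """Collect MAC/IP/hostname per source host and hash every HTTP response body."""
    hosts, flows = {}, {}
    for f in iter_frames(pcap):
        if f[12:14] != b"\x08\x00":            # IPv4 only
            continue
        src_mac = ":".join("%02x" % b for b in f[6:12])
        ihl, proto = (f[14] & 0xF) * 4, f[23]
        src_ip, dst_ip = inet_ntoa(f[26:30]), inet_ntoa(f[30:34])
        l4 = f[14 + ihl:]
        sport, dport = struct.unpack("!HH", l4[:4])
        hosts.setdefault(src_ip, {"mac": src_mac, "hostname": None, "suffix": None})
        if proto == 17 and dport == 137:        # NBNS: decode the name being registered/refreshed
            p = l4[8:]
            if (struct.unpack("!H", p[2:4])[0] >> 11) & 0xF in (5, 8, 9) and p[12] == 32:
                name, suffix = nbns_decode(p[13:45])
                hosts[src_ip].update(hostname=name, suffix=suffix)
        elif proto == 6:                        # TCP: concatenate payload per flow (assumes in-order)
            payload = l4[(l4[12] >> 4) * 4:]
            if payload:
                flows.setdefault((src_ip, sport, dst_ip, dport), bytearray()).extend(payload)
    objects = []
    for (c_ip, c_port, s_ip, s_port), req in flows.items():
        resp = bytes(flows.get((s_ip, s_port, c_ip, c_port), b""))
        if not req.startswith((b"GET ", b"POST ")) or not resp.startswith(b"HTTP/1."):
            continue
        body = resp.partition(b"\r\n\r\n")[2]   # what File > Export Objects > HTTP would save
        lines = bytes(req).split(b"\r\n")
        host = next((l[5:].strip().decode() for l in lines if l.lower().startswith(b"host:")), s_ip)
        md5, sha256 = hexdigests(body)
        objects.append({"client": c_ip, "server": s_ip, "host": host, "uri": lines[0].split()[1].decode(),
                        "size": len(body), "md5": md5, "sha256": sha256})
    return {"hosts": hosts, "objects": objects}

if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_PCAP), indent=2))
```

Running it prints the client's MAC, IP and decoded NBNS name next to the server's IP, plus one exported object with the Host header, URI and both digests, which is exactly the set of IOCs listed at the start of this section; the NBNS suffix byte is returned separately so a <20> file-server registration is not confused with a <00> workstation one.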

In section 3 the procedure for finding the answers to the following questions using
Wireshark has been explained:

1. What are the infected files downloaded and their hashes?
2. What is the URL/domain of the infected site?
3. What is the IP address of the infected machine?
4. What is the host name of the infected machine?
5. What is the MAC address of the infected machine?

With the first item, the hashes of the infected files can be blocked inside the network
by the endpoint protection (virus guard). Access to the infected sites and their addresses
can be blocked. The infected PC, identified by its MAC address, can be investigated and the
infected files cleaned. Note that a file hash changes with any modification to the file and
attackers rotate domains and IP addresses, so these blocks are short-term containment rather
than a lasting defence. In this way Wireshark can be used to protect the system.
Millions of new virus signatures are released yearly, and an antivirus can only detect
viruses with known signatures; malware with unknown signatures escapes detection.
Today's networks face threats beyond viruses, such as other malware, denial of
service, port scanning, covert channels, and information theft, and antivirus
software can take only very limited action against these threats. Attackers can also
target the antivirus software running on a machine, exposing the system to multiple
vulnerabilities without the awareness of the user.
For these reasons, network traffic analysis at the packet level is necessary, as
it can identify many threats and attacks that would remain unnoticed by
antivirus software. In the past, packet analyzers were very expensive and proprietary.
Wireshark has changed that: it is one of the best open-source packet
analyzers available today, and it displays packet data in as much detail as possible.
