Scribd
Upload
161 views

Lab 10 VirusTotal - Wireshark (15 Points)

This document provides instructions for a project analyzing malware traffic using VirusTotal and Wireshark. The project uses a real malware sample that could infect unpatched Windows machines. Students are advised to use a virtual machine rather than their regular computer. The document describes downloading a pcap file from a website, analyzing it in VirusTotal, and examining user agents, PHP requests, and downloaded files in Wireshark to identify suspicious activity in the network traffic related to the malware sample.

Uploaded by

Nguyen Bao An (K13HCM)
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
161 views

Lab 10 VirusTotal - Wireshark (15 Points)

This document provides instructions for a project analyzing malware traffic using VirusTotal and Wireshark. The project uses a real malware sample that could infect unpatched Windows machines. Students are advised to use a virtual machine rather than their regular computer. The document describes downloading a pcap file from a website, analyzing it in VirusTotal, and examining user agents, PHP requests, and downloaded files in Wireshark to identify suspicious activity in the network traffic related to the malware sample.

Uploaded by

Nguyen Bao An (K13HCM)
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 7

Project 9: VirusTotal & Wireshark (15 Points)

What You Need for This Project


The Windows Server 2016 machine, which you prepared in previous projects, or a Mac or Linux machine. be different.

CAUTION
This project uses traffic captured from a real malware attack. It may set off virus scanners and possibly even infect old, unpatched Windows machines.

Don't do this project on a real Windows machine in normal use. Use your Windows virtual machine instead.

Purpose
To practice these skills, which are essential for a security analyst:

Basic hygiene when working with malware


Obtaining and extracting malware samples from the Web
Using VirusTotal
Understanding Snort and Suricata alerts
Extracting downloaded files from PCAP files with Wirehark

Choosing a Machine to Use


When working with malware, use a virtual machine with no antivirus software, and one that isn't used for other tasks such as shopping or emailing.

In this case we are using a fairly old Windows malware sample, so it's OK to use a Mac or Linux machine.

Don't use a regular Windows machine for this project, especially one used for other work, such as company machine at a workplace. However, using Windows as the host
for a virtual machine is fine.

Downloading the Malware Traffic Sample


On your analysis machine, in a Web browser, go to:

https://www.malware-traffic-analysis.net/2014/12/15/index.html

On this page, click the 2014-12-15-traffic-analysis-exercise.pcap.zip link, as shown below.

Unzipping the Sample


Double-click the 2014-12-15-traffic-analysis-exercise.pcap.zip file. It is a password-protected Zip file. Use this password, which is standard in the malware analysis
community:

infected

Using VirusTotal
In a Web browser, go to

https://www.virustotal.com/

On the File tab, click the "Choose file" button, as shown below.
Navigate to the 2014-12-15-traffic-analysis-exercise.pcap file you unzipped and double-click it.

VirusTotal reports that this file triggers Snort and Suricata alerts, as shown below.

In VirusTotal, click the Details tab.

Scroll down to the "Snort Alerts" and "Suricata Alerts" section.

Expand the last three sections, as shown below.


Several suspicious things were detected:

ET MALWARE User-Agent (Mozilla)


ET CURRENT_EVENTS Malvertising Redirection to Exploit Kit
ET WEB_SERVER PHP Possible http Remote File Inclusion
GPL WEB_CLIENT web bug 0x0 gif

We'll analyze them further below.

Examining User-Agent Strings with Wireshark


If you don't already have Wireshark on your analysis machine, get it here:

https://www.wireshark.org/

Launch Wireshark.

From the Wireshark menu bar, click File, Open.

Navigate to the 2014-12-15-traffic-analysis-exercise.pcap file you unzipped and double-click it.

In Wirehark, at the top, ehter this filter into the filter bar:

http

Press Enter to filter the traffic.

In the middle pane, expand "Hypertext Transfer Protocol".

Right-click the User-Agent line and click "Apply as Column", as shown below.
A column titled "User-Agent" appears in the packet list. Click the "User-Agent" column header to sort the rows, and scroll through them.

Most of the User-Agent strings are long or empty, which is normal, but three of them have the strange value of Mozilla.

Click one of the Mozilla lines and examine the HTTP request in the middle pane, as shown below.

The URL is

epzqy.iphaeba.eu:22780

This is a suspicious URL: the domain name and hostname look like random letters, and the port is very unusual.

Look at the "Full request URI" of these packets. The paths and parameters are random words, like "peeve", "delight", and "scholar". This looks like some sort of
obfuscated data, possibly malware beacons.

Examining PHP Requests with Wireshark


In Wireshark, in the packet list, right-click the User-Agent header and click "Remove This Column", as shown below.
Adjust the filter string to this value:

http && frame contains php

Press Enter to see only HTTP requests for PHP pages.

The only strange PHP request is the Facebook Like click shown below. This looks like a false positive--harmless traffic that triggered Suricata because of its structure.

Retrieving Downloaded files with Wireshark


From the Wireshark menu bar, click File, "Export Objects", HTTP..., as shown below.
Click "Save All", as shown below.

Navigate to the Downloads, folder, create a new folder, and save the files inside it.

In your operating system's file explorer, open the folder you just created and examine the files.

None of these are malware--the actual malware in that file was transmitted witn encryption and Wireshark can't extract it.

However, just to record your success, find the charte_02.jpg image and double-click it to see the words on it.

The words are covered by a green rectangle in the image shown below.

Use the form below to record your score in Canvas.

If you don't have a Canvas account, see the instructions here.

Name or Email:
Words:
CCSF Student

Non-CCSF Student

Posted 9-17-18

You might also like