To fake a network successfully, you must prevent the malware from realizing that it is executing in a virtualized environment. (See for a discussion on setting up virtual networks with VMware.) By combining the tools discussed here with a solid virtual machine network setup, you will greatly increase your chances of success.
, we redirect the DNS requests made by malware known as RShell. We see that DNS information is requested for evil.malwar3.com and that the request was made at 13:22:08 ❶.
Malware frequently uses port 80 or 443 (HTTP or HTTPS traffic, respectively), because outbound connections on these ports are typically allowed through firewalls and are rarely monitored. Example 3-2 shows an example.
Example 3-2. Netcat example listening on port 80

C:\> nc -l -p 80 ❶
POST /cq/frame.htm HTTP/1.1
Host: www.google.com ❷
User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; TWFsd2FyZUh1bnRlcg==; rv:1.38)
Accept: text/html, application
Accept-Language: en-US, en:q=
Accept-Encoding: gzip, deflate
Keep-Alive: 300
Content-Type: application/x-form-urlencoded
Content-Length

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

Z:\Malware> ❸
The Netcat (nc) command ❶ shows the options required to listen on a port. The -l flag means listen, and -p (followed by a port number) specifies the port on which to listen. The malware connects to our Netcat listener because we are using ApateDNS to redirect its DNS lookup to our analysis machine. As you can see, RShell is a reverse shell ❸, but it does not immediately provide the shell. The connection first appears as an HTTP POST request to www.google.com ❷; this is fake POST data that RShell probably inserts to disguise its reverse shell, because network analysts frequently look only at the start of a session. Note that the POST is only a facade: the Host header names a server the malware never reached, the Content-Length header carries no value, and the "body" that follows the blank line is a Windows command-shell banner and prompt rather than form data.
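The triage a practitioner would apply to such a capture, as an added example that is not code from the book or from RShell: the script splits a captured stream into its HTTP request and whatever follows the header block, then reports the signs that the POST is decoration in front of a reverse shell. The byte string is constructed here from the listing above; the listener address 192.0.2.10 and the function names are assumptions for the example.

```python
"""Triage a captured TCP stream that begins with an HTTP POST.

Added example (not from the book): given the bytes a Netcat listener on
port 80 received, separate the HTTP request from what follows it and
flag the signs that the POST is a disguise for a reverse shell.
"""
import base64
import binascii
import re

# Constructed sample modelled on the RShell capture: a header block, a
# blank line, and then a Windows command shell instead of a form body.
SAMPLE = (
    b"POST /cq/frame.htm HTTP/1.1\r\n"
    b"Host: www.google.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; TWFsd2FyZUh1bnRlcg==; rv:1.38)\r\n"
    b"Accept: text/html, application\r\n"
    b"Accept-Language: en-US, en:q=\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"Keep-Alive: 300\r\n"
    b"Content-Type: application/x-form-urlencoded\r\n"
    b"Content-Length\r\n"
    b"\r\n"
    b"Microsoft Windows XP [Version 5.1.2600]\r\n"
    b"(C) Copyright 1985-2001 Microsoft Corp.\r\n"
    b"\r\n"
    b"Z:\\Malware>"
)

# Constructed benign request for comparison.
BENIGN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:1.38)\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 3\r\n"
    b"\r\n"
    b"a=1"
)

SHELL_BANNER = re.compile(rb"Microsoft Windows .*\[Version [\d.]+\]")
CMD_PROMPT = re.compile(rb"[A-Z]:\\[^\r\n]*>\s*$")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def split_request(stream: bytes):
    """Return (request_line, headers, remainder). Header names are
    lower-cased; a header line without ':' (like the bare
    'Content-Length' in the capture) maps to None."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of HTTP headers in stream")
    lines = head.split(b"\r\n")
    headers = {}
    for raw in lines[1:]:
        name, colon, value = raw.partition(b":")
        key = name.strip().lower().decode("ascii", "replace")
        headers[key] = value.strip().decode("ascii", "replace") if colon else None
    return lines[0].decode("ascii", "replace"), headers, rest


def triage(stream: bytes, listener_host: str) -> list:
    """Return findings for one captured session; empty means it looked
    like an ordinary POST. listener_host is where the connection really
    arrived (our redirected analysis machine)."""
    _, headers, body = split_request(stream)
    findings = []
    if headers.get("host") != listener_host:
        findings.append(f"Host header {headers.get('host')!r} names a server the "
                        f"connection never reached ({listener_host})")
    if "content-length" in headers and headers["content-length"] is None:
        findings.append("Content-Length header has no value")
    if headers.get("content-type") == "application/x-form-urlencoded":
        findings.append("Content-Type mimics but is not application/x-www-form-urlencoded")
    # Odd base64-looking tokens in the User-Agent are worth decoding.
    for token in B64_TOKEN.findall(headers.get("user-agent", "")):
        try:
            decoded = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue
        if decoded.isascii() and decoded.decode("ascii").isprintable():
            findings.append(f"User-Agent token {token!r} decodes to {decoded.decode('ascii')!r}")
    # Look past the header block: the "body" is where the shell shows up.
    if SHELL_BANNER.search(body):
        findings.append("body carries a Windows command-shell banner")
    if CMD_PROMPT.search(body):
        findings.append("body ends in a command prompt: reverse shell")
    return findings


def is_disguised_shell(stream: bytes, listener_host: str) -> bool:
    """True when the session is an HTTP-shaped wrapper around a shell."""
    return any("shell" in f for f in triage(stream, listener_host))


if __name__ == "__main__":
    for line in triage(SAMPLE, "192.0.2.10"):
        print("-", line)
```

The point of the body checks is the one the text makes: a listener or sensor that decides on the first few hundred bytes sees a plausible POST and moves on, so the triage deliberately inspects what arrives after the blank line that ends the headers.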