Laboratory Report No: 3

Malware II ITX8060

Written by:
Predrag Tasevski (A106937), Mikheil Basilaia (A106936)

Lecturer: Toomas Lepik

05/12/11 Tallinn, Estonia

Table of Contents
INTRODUCTION .......... 3
ANALYSIS .......... 3
INFECTION .......... 7
SUMMARY .......... 9
WORKLOAD .......... 10

Page 3

INTRODUCTION
The main goal of this laboratory report is to identify a possible malware infection in a Wireshark capture file. The assignment asks for the following:
- Download https://sim.cert.ee/hw/download.pcap
- Find the malware download(s) in this pcap, extract the malware and find out where it was downloaded from.
- Determine what the malware changes in the system.
- Identify C&C names and addresses.
- Document the process, including where the hints were found and exactly how the work was done (show the thought and communication process in a short summary).
- Write an incident report.
Moreover, the malware analysis report reminders in [1] and [2] were taken into consideration. The Analysis section explains the techniques, filters, tools, gathered knowledge, links, etc. The report first presents the analysis in detail, then describes the malware and the infection, and finally summarises the conclusions drawn from the analysis in the Summary section.

ANALYSIS
To open and work with the above file we first have to download Wireshark, whose purpose is to analyse the network protocols in a captured file; see http://www.wireshark.org/. Useful links for future reference are [3], [4], [5] and [6]. Figure 1 shows the Wireshark graphical interface with the filter http applied.

Predrag Tasevski, Mikheil Basilaia / Malware II - ITX8060

Illustration 1: Wireshark application, filter: http protocol

Figure 1 shows that the user generated a lot of traffic, so additional filter rules are needed to guide the analysis. Going through the HTTP traffic we can see that the user visited different sources, some of which can be a potential threat to the organisation or to personal use because they serve malicious code. To show only HTTP GET requests (port 80) we used the filter http.request.method == "GET", which narrows down the packets displayed from the capture file. Although this filter helps a lot, there is still a lot of traffic, so a further filter is needed. Another extremely useful Wireshark option is Analyze > Follow TCP Stream, which shows the communication between two IP addresses in a more readable form: it reveals the domain name used for the IP address and, if a file was downloaded, its type and name. We discovered that IP address 79.137.237.34 belongs to accord-component.ru. When we accessed the site with various web browsers, all of them warned that it contained malware.

    GET /serial/index.php HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
    Connection: Keep-Alive
    Host: accord-component.ru

    HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 30 Nov 2011 23:07:18 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/5.3.2
    Content-Encoding: gzip

Another suspicious IP address was 86.63.168.101, which led us to the domain name zumlelao.com; the site was not accessible from browsers. Wireshark showed that the user downloaded the file 4.exe from zumlelao.com:
    GET /load.php?file=0 HTTP/1.1
    Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
    Accept-Language: et
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
    Accept-Encoding: gzip, deflate
    Host: zumlelao.com
    Connection: Keep-Alive

    HTTP/1.1 200 OK
    Date: Wed, 30 Nov 2011 21:55:02 GMT
    Server: Apache/2
    X-Powered-By: PHP/5.2.17
    Cache-Control: public
    Content-Disposition: attachment; filename=4.exe
    Content-Transfer-Encoding: binary
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 10666
    Keep-Alive: timeout=1, max=100
    Connection: Keep-Alive
    Content-Type: application/octet-stream

Additionally, the Find function (Edit > Find) helps to locate particular traffic or a particular site. Figure 2 demonstrates its usage.

Illustration 2: Wireshark, Find function

The IP addresses extracted from the capture are listed below, starting with the two on which malware was detected: 79.137.237.34 (accord-component.ru) and 86.63.168.101 (zumlelao.com). The other IP addresses are: 173.194.32.32 (33, 34, 41, 50, 51, 52, 58, 59, 60, 63), 192.168.123.1, 193.184.164.159 (174, 176, 185), 193.40.252.83, 193.88.71.156, 194.126.108.69 (70), 194.126.124.136, 194.204.14.49, 195.222.15.74, 199.7.48.190, 209.85.173.95, 123.168.24.204 (209, 221, 225, 229, 235), 79.137.237.34, 80.252.91.41 (61), 69.171.228.11, 23.32.89.55, 23.32.99.172, 216.34.181.45 (48), 213.168.24.26, 90.190.148.34 (40), 86.63.168.101, 82.98.58.48, 81.19.238.61. If we search the above domain names in Google, it is immediately indicated that zumlelao.com has previously been reported as a malware site, and so has the second one. The details of the malware and the infection are therefore given in the next section.
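As an added example (not part of the original report), the triage done by hand with Follow TCP Stream above can be scripted. The Python below parses the two HTTP exchanges quoted in this section (re-typed as constructed sample text, bodies omitted) and flags a stream as a suspicious download when the host is one the report identified, the response is application/octet-stream, or Content-Disposition names an executable; the host set and extension list are assumptions for illustration.

```python
import re

# The two HTTP exchanges quoted in this section, re-typed as constructed sample
# text: only the headers relevant to the triage are kept, bodies are omitted.
STREAMS = [
    "GET /serial/index.php HTTP/1.1\r\nAccept: */*\r\nHost: accord-component.ru\r\n\r\n"
    "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\n\r\n",
    "GET /load.php?file=0 HTTP/1.1\r\nAccept-Language: et\r\nHost: zumlelao.com\r\n\r\n"
    "HTTP/1.1 200 OK\r\nServer: Apache/2\r\nContent-Disposition: attachment; filename=4.exe\r\n"
    "Content-Type: application/octet-stream\r\nContent-Length: 10666\r\n\r\n",
]

# Hosts the report identified as serving malware (a real deployment would load a blocklist).
KNOWN_BAD_HOSTS = {"accord-component.ru", "zumlelao.com"}
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload"}
EXEC_EXT = re.compile(r"\.(exe|dll|scr|pif|cpl)$", re.I)


def parse_headers(block):
    """Split one HTTP message head into (start line, {lower-case name: value})."""
    lines = block.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def triage_stream(stream):
    """Describe one request/response pair and list why it looks suspicious."""
    req_block, resp_block = stream.split("\r\n\r\n")[:2]
    req_line, req = parse_headers(req_block)
    _, resp = parse_headers(resp_block)
    method, path, _ = req_line.split(" ", 2)
    host = req.get("host", "")
    m = re.search(r'filename="?([^";]+)"?', resp.get("content-disposition", ""))
    filename = m.group(1) if m else ""
    reasons = []
    if host in KNOWN_BAD_HOSTS:
        reasons.append("known-bad host")
    if resp.get("content-type", "").split(";")[0].strip() in BINARY_TYPES:
        reasons.append("binary content-type")
    if EXEC_EXT.search(filename):
        reasons.append("executable attachment")
    return {"method": method, "host": host, "path": path, "filename": filename, "reasons": reasons}


def find_downloads(streams):
    """Return the triage records of streams that delivered a file rather than a page."""
    return [t for t in map(triage_stream, streams)
            if {"binary content-type", "executable attachment"} & set(t["reasons"])]
```

Run against the real capture, the same logic applies to each stream exported with Follow TCP Stream; the first exchange is flagged only for its host, the second for the host, the binary content type and the 4.exe attachment.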

INFECTION
The captured file indeed contains traffic generated by the user that can be a threat to an organisation, a home user, etc. The previous section demonstrated how to identify whether the generated traffic shows an infection or visits to sites serving malicious code; this section identifies the malicious code and presents its details. The zumlelao.com host has previously been reported as a malicious code site. For this purpose we used the following service: http://support.clean-mx.de/. The malicious and suspicious code reported for the above host is listed in the table below (detection ratio and virus name as reported there):

URL: http://zumlelao.com/load.php?file=grabbers
Virus name: unknown_htm (0/40, 0.0%)
IP: 86.63.168.101
Initial link: http://support.clean-mx.de/clean-mx/viruses?id=1108452

URL: http://zumlelao.com/2.exe
Virus name: TR/TDss.77.1 (13/40, 32.5%)
IP: 86.63.168.101
Initial link: http://support.clean-mx.de/clean-mx/viruses?id=1108438

URL: http://zumlelao.com/load.php?file=0
Virus name: TR/Crypt.XPACK.Gen3 (20/40, 50%)
IP: 86.63.168.101
Initial link: http://support.clean-mx.de/clean-mx/viruses?id=1108442

Furthermore, figure 3 proves through the Wireshark analysis that one of the above links was accessed; for more details click on the link above and see points A and B in figure 3.

Illustration 3: Proof of traffic generated by following the malware link http://zumlelao.com/load.php?file=0, where A and B show the link and the originating IP address.

To obtain the file itself for analysis, we used Netresec's Network Miner 2.1 (http://www.netresec.com/?page=NetworkMiner), whose Files menu lists the files reassembled from the packets. We uploaded 4.exe.octet-stream to virustotal.com, where 30 antivirus engines identified it as malware:

MD5: 94a7f6430510fe7314c1e746bad79bf4
SHA1: 69ab04c9c586a8cf07a00665e160a48260a2465e
SHA256: d6ee8736cd2eae8571b193b28b59dff33e9607237f78b0888d69c70f241bb04b

F-Secure identified the malware as Trojan.Generic.KD.438472. Trojan.Generic.KD malware is usually classified as a backdoor: it infects executable files on the system, its main goal is to open a backdoor into the system, and it changes the registry. In some cases it places a payload on the infected system, slows it down and makes internet browsing difficult and time consuming. The aim of the malware can be stealing information or gaining partial or full access to the victim's system. Trojan.Generic.KD malware is also difficult to remove from infected computers. VirusTotal link: http://www.virustotal.com/file-scan/report.html?id=d6ee8736cd2eae8571b193b28b59dff33e9607237f78b0888d69c70f241bb04b-1323098398

The VirusTotal analysis shows that various antivirus products detect and identify Trojan.Generic.KD.438472, so the malware can be removed with antivirus software from F-Secure, Comodo, Microsoft, Sophos, Symantec, Dr.Web, etc. An example from Dr.Web of how to delete Trojan.Generic.KD malware: http://www.drwebhk.com/en/virus_removal/694829/Trojan.Generic.KD.53986.html. In our case we downloaded Dr.Web CureIt (the free edition for home PCs), which discovered the malware and removed it: http://www.freedrweb.com/download+cureit/?nc=t&lng=en. Before continuing to disinfect the system, please read and understand the message posted in this forum thread: http://forums.majorgeeks.com/showthread.php?t=35407.

SUMMARY
Nowadays malicious code and system infections are among the biggest threats to the everyday work of organisations, so different approaches, advanced analysis, troubleshooting, etc. have to be applied and documented in every organisation. Leaking of data and information, and unauthorised access to internal and external networks, can be very harmful to an organisation and even to home computer users. The main aim of this laboratory report is therefore to enable the reader to conduct an advanced analysis of a system and identify an infection with the Wireshark network analysis tool. The Analysis and Infection sections above give the steps and links to follow for further work. The captured traffic in the distributed file indeed indicates that the system is infected; as proof, the screenshot in figure 3 shows that one of the infected links was visited, so the system of this user is infected. The identified infection is TR/Crypt.XPACK.Gen3, and a stepwise disinfection solution is supplied through the link above. In closing, as there are many different ways, tools and processes for analysing the behaviour of malicious code in a system, this laboratory report supplies the reader with an advanced, stepwise solution for identifying a system infection with the Wireshark network analysis application.

WORKLOAD
We performed the analysis on a virtual Windows 7 machine, using VirtualBox for virtualisation. During the analysis each group member carried out the same steps so that the results could be cross-referenced. The tools used were Wireshark, Network Miner and virustotal.com.

Bibliography
1: Lenny Zeltser, Reverse-Engineering: Malware Analysis Tools and Techniques Training, 2011, http://zeltser.com/reverse-malware/
2: Lenny Zeltser, Malware analysis report reminders, 2011, http://zeltser.com/reversemalware/malware-analysis-report-template.mm
3: Kevin, Malware Analysis & Malware Reverse Engineering, NA, http://technologyflow.com/articles/windows-malware-analysis/
4: Chris Greer, Top 10 Wireshark Filters, April 2010, http://www.lovemytool.com/blog/2010/04/top-10-wireshark-filters-by-chris-greer.html
5: Russ McRee, Security Analysis with Wireshark, November 2006
6: Chief Banana, Using Wireshark filters for capturing malware, March 2011, http://securitybananas.com/?p=529

Illustration Index
Illustration 1: Wireshark application, filter: http protocol .......... 4
Illustration 2: Wireshark, Find function .......... 6
Illustration 3: Proof of traffic generated by following the malware link http://zumlelao.com/load.php?file=0, where A and B show the link and the originating IP address .......... 8
