Our own [Anthony Lineberry] has written up his experience participating in the 2008 Malware Challenge as part of his work for Flexilis. The contest involved taking a piece of provided malware, doing a thorough analysis of its behavior, and reporting the results. This wasn’t just to test the chops of the researchers, but also to demonstrate to network/system administrators how they could get into malware analysis themselves.
[Anthony] gives a good overview of how he created his entry (a more detailed PDF is here). First, he unpacked the malware using Ollydbg. Packers are used to obfuscate the actual malware code so that it’s harder for antivirus to pick it up. After taking a good look at the assembly, he executed the code. He used Wireshark to monitor the network traffic and determine what URL the malware was trying to reach. He changed the hostname to point at an IRC server he controlled. Eventually he would be able to issue botnet control commands directly to the malware. We look forward to seeing what next year’s contest will bring.
Making a passive network tap can be an easy and inexpensive undertaking as shown in this Instructable. Passive monitoring or port mirroring is needed because most networks use switches which isolate the network traffic and this does not allow for the entire network to be monitored. This example uses a single tap, using multiple taps will provide access to the full-duplex data separately. By using two taps you are able to monitor inbound data that is passed through one tap, and outbound data that is passed through the other tap. Separate taps are desired because most sniffer software handles half-duplex traffic only and requires two network cards for full-duplex.
Continue reading “Passive network tap”
ISPs have recently become very aggressive towards their customers. They’ve been blocking or altering traffic to prevent you from using specific programs or protocols. Google’s Senior Policy Director recently stated that they’re developing tools to allow people to detect ISP interference. A couple other groups have been building tools as well: The Network Neutrality Squad just released the second beta of their Network Measurement Agent. The tool currently detects spoofed packets by monitoring the round trip time of the connection; early reset packets will have lower than average RTT. If you want to go more in depth, the EFF has published a guide for using Wireshark to do the detection. We’ve even heard rumors of people building tools to tunnel a session inside of one that looks completely different.