Copy of Experiment 3 Module 1

The document outlines the process of malware traffic analysis, focusing on identifying malicious network traffic using tools like Wireshark. It details steps for analyzing captured traffic to find infected files, their hashes, and associated host information such as IP and MAC addresses. The analysis aims to enhance cybersecurity by detecting and mitigating threats before they cause harm.
EXPERIMENT – 3

Aim: Malware Traffic Analysis: Analyze captured traffic to identify signs of
malware communication, such as command-and-control traffic or data
infiltration.

Description: Malware Traffic Analysis:

Malware traffic analysis refers to the process of identifying, analyzing, and
understanding the behavior of malicious network traffic generated by malware or
other cyber threats. Security professionals use this technique to examine network
packets, protocols, and other metadata in order to identify patterns of suspicious or
malicious activity. By doing so, they can detect and isolate threats before they cause
harm, allowing for a swift response and mitigation of potential breaches. This
proactive approach helps safeguard sensitive data, systems, and networks from
cyberattacks.

For example, the malware-traffic-analysis.net website provides packet
capture (pcap) files and malware samples for analysis. The site offers training
exercises and tutorials to help security professionals enhance their skills in
analyzing network traffic. Additionally, tools like Wireshark are commonly used for
analyzing malware traffic.

Wireshark is a popular tool for troubleshooting network-related issues. When a
host is infected or otherwise compromised, security professionals need to quickly
review packet captures (pcaps) of suspicious network traffic; these packet
captures can be used to identify affected hosts and users. Collecting indicators
of compromise (IOCs) helps organizations detect and prevent attacks. This
section explains how to collect the following malware indicators using Wireshark:
- File hashes
- Host IP address
- Domain name
- Host name
- MAC address of host

Wireshark can be used in two ways: one is to perform a local capture, the other is to
analyze packet captures that are already available. There are many sites that provide pcaps
for analysis; we have used the pcap from the Traffic Analysis Exercise "Pizza Bender".

(I) Finding the hash of the infected file

The fundamental goal of web analytics is to collect and analyze data related to web traffic
and usage patterns. The data mainly comes from four sources:

- Direct HTTP request data: comes directly from HTTP request messages
(HTTP request headers).
- Network-level and server-generated data associated with HTTP requests:
not part of an HTTP request, but required for successful request
transmission, for example the IP address of a requester.
- Application-level data sent with HTTP requests: generated and
processed by application-level programs (such as JavaScript, PHP, and
ASP.Net), including sessions and referrals. These are usually captured by
internal logs rather than public web analytics services.
- External data: can be combined with on-site data to help augment the
website behavior data described above and interpret web usage. For
example, IP addresses are usually associated with geographic regions
and internet service providers, e-mail open and click-through rates, direct
mail campaign data, sales and lead history, or other data types as
needed.

For collecting the hash of the infected file, the following steps have been
followed:
(i) Apply the filter http.request in Wireshark.
(ii) From the results of step (i), get the affected files from the HTTP objects.
(iii) Save the affected file (in this example the file found is a .php file).
(iv) Get the hash of the saved file.

In this example the hash of the infected file obtained using Wireshark is:
a52a1e151bf4b993efcff87b3780d731. A screenshot of the above process is presented in
Fig. 1.

Fig. 1 Finding the hash of an infected file using Wireshark
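As an added example (not part of the original experiment), a Python script that performs steps (ii) to (iv) directly on a pcap: it walks the pcap records, pulls the body out of any single-segment HTTP response, honours Content-Length, and returns the MD5 and SHA-256 that would be looked up in step (II). The pcap, the two addresses and the PHP body are constructed inline; Wireshark's own HTTP object export additionally reassembles responses that span several TCP segments, which this parser does not.

```python
import hashlib
import struct

# Constructed sample body: stands in for the .php object exported from the pcap.
SAMPLE_BODY = b"<?php echo 'constructed sample'; ?>\n"

def hash_bytes(data):
    """Return (md5, sha256) hex digests, the values one looks up on VirusTotal."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()

def build_sample_pcap():
    """Build a one-packet pcap (Ethernet/IPv4/TCP) carrying a full HTTP 200 response."""
    http = (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-php\r\n"
            b"Content-Length: %d\r\n\r\n" % len(SAMPLE_BODY)) + SAMPLE_BODY
    tcp = struct.pack("!HHIIBBHHH", 80, 49152, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(http), 1, 0,
                     64, 6, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 25]))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    frame = eth + ip + tcp + http
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    record_hdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return global_hdr + record_hdr + frame

def http_objects(pcap):
    """Yield (server_ip, client_ip, body) for each TCP segment holding a whole HTTP response."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24  # skip the pcap global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # only IPv4 over Ethernet carrying TCP is considered
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = 14 + (frame[14] & 0x0F) * 4                   # TCP header follows IPv4 IHL
        payload = frame[tcp + (frame[tcp + 12] >> 4) * 4:]  # skip TCP data offset
        head, sep, body = payload.partition(b"\r\n\r\n")
        if not head.startswith(b"HTTP/1.") or not sep:
            continue
        for line in head.split(b"\r\n"):  # trust Content-Length, not the segment size
            if line.lower().startswith(b"content-length:"):
                body = body[:int(line.split(b":", 1)[1].strip())]
        yield src, dst, body

def hash_http_objects(pcap):
    """One record per HTTP object: which server delivered it, to whom, and its hashes."""
    return [{"server": s, "client": c, "md5": hash_bytes(b)[0], "sha256": hash_bytes(b)[1]}
            for s, c, b in http_objects(pcap)]

if __name__ == "__main__":
    print(hash_http_objects(build_sample_pcap()))
```

Both digests are returned because lookup services index by several hash types, so a defender who only noted the MD5 would otherwise need to re-export the object.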

(II) Checking whether the file is infected or not:

By applying the filter http.request, a file and its hash can be found as in (I). In the next step it
has to be checked whether the file is malicious or not. For this, the obtained file hashes
have been checked at virustotal.com. VirusTotal is a website created by the
Spanish security company Hispasec Sistemas, launched in June 2004. VirusTotal
aggregates many antivirus products and online scan engines to check for viruses
that the user's own antivirus may have missed, or to verify against any false
positives. Files up to 650 MB can be uploaded to the website, or sent via email (max.
32 MB).

Anti-virus software vendors can receive copies of files that were flagged by other
scans but passed by their own engine, to help improve their software and, by
extension, VirusTotal's own capability. Suspected URLs can be scanned and searched
through the VirusTotal dataset. For dynamic analysis of malware, VirusTotal uses the
Cuckoo sandbox.

After scanning the obtained file hashes on VirusTotal, it has been found that the file hashes
are infected; the results are depicted in Fig. 2.

Fig. 2 Scanning results on virustotal.com

(III) Finding the host name, domain name, IP address and MAC address:
Any host generating traffic within the network should have three identifiers: a MAC
address, an IP address, and a hostname. In most cases, alerts for suspicious
activity are based on IP addresses. If access to a full packet capture of the
network traffic is available, a pcap retrieved on an internal IP address should reveal the
associated MAC address and hostname. Host information can be found using
Wireshark by applying a filter on two types of activity: Dynamic Host Configuration
Protocol (DHCP) or NetBIOS Name Service (NBNS).

DHCP traffic can help identify hosts for almost any type of computer connected to the
network. DHCP provides an automated way to distribute and update IP addresses
and other configuration information on a network [11]. NBNS traffic is generated
primarily by computers running Microsoft Windows or Apple hosts running MacOS.
Depending on how frequently a DHCP lease is renewed, DHCP traffic might not be
present in the pcap. Fortunately, in this case NBNS traffic can be used to identify
hostnames for computers running Microsoft Windows or Apple hosts running MacOS.

In the experiment presented in this paper, host details have been found from NBNS
traffic. The steps for obtaining the host name, domain name, IP address and MAC address
are as follows:

- Apply NBNS as the filter, as depicted in Fig. 3.
- For the given source IP, the obtained host is DESKTOP-OF4FE8A<20>, and the
domain name can be found under Hypertext Transfer Protocol in the second
window of Wireshark, as depicted in Fig. 4.
- The obtained domain is ncznw6a.com.
- Get the IP address of the host under Internet Protocol in the same window.
- The obtained IP address of the host is 10.8.21.163.
- The IP address of the infected machine is 45.12.4.190.
- The MAC address of the infected machine is 10:c3:7b:0a:f2:85, as depicted in Fig. 5.

Fig. 3 Finding hostname from NBNS traffic using Wireshark
Fig. 4 Finding domain address using Wireshark
Fig. 5 Finding IP address of infected host
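As an added example (not from the original write-up), the NetBIOS first-level name decoding that Wireshark performs when it displays DESKTOP-OF4FE8A<20>, together with extraction of the source MAC and IP address from the same NBNS frame, so all three host identifiers from this section come out of one packet. The frame is constructed inline using the page's hostname with a made-up MAC and an RFC 5737 test address.

```python
import struct

# Page's hostname (DESKTOP-OF4FE8A<20>) paired with a constructed MAC and IP address.
SAMPLE_NAME, SAMPLE_SUFFIX = "DESKTOP-OF4FE8A", 0x20

def nb_encode(name, suffix):
    """First-level encoding: 15-char space-padded name + suffix byte, each nibble as A..P."""
    raw = name.upper().ljust(15).encode("ascii")[:15] + bytes([suffix])
    return bytes(0x41 + ((b >> shift) & 0xF) for b in raw for shift in (4, 0))

def nb_decode(encoded):
    """Reverse of nb_encode; returns (hostname, suffix) the way Wireshark displays them."""
    if len(encoded) != 32 or any(c < 0x41 or c > 0x50 for c in encoded):
        raise ValueError("not a 32-byte first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def host_from_nbns_frame(frame):
    """Return (mac, ip, hostname, suffix) from one Ethernet/IPv4/UDP NBNS frame."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        raise ValueError("not an IPv4/UDP frame")
    mac = ":".join(f"{b:02x}" for b in frame[6:12])  # Ethernet source address
    ip = ".".join(map(str, frame[26:30]))            # IPv4 source address
    udp = 14 + (frame[14] & 0x0F) * 4                # UDP header follows the IPv4 header
    if 137 not in struct.unpack("!HH", frame[udp:udp + 4]):
        raise ValueError("not NBNS (UDP port 137)")
    nbns = frame[udp + 8:]                           # 12-byte NBNS header, then the question
    if nbns[12] != 32:                               # question name: label length byte
        raise ValueError("unexpected NetBIOS name label")
    hostname, suffix = nb_decode(nbns[13:45])
    return mac, ip, hostname, suffix

def build_sample_frame():
    """Constructed broadcast NBNS name query, as a Windows host would emit it."""
    qname = b"\x20" + nb_encode(SAMPLE_NAME, SAMPLE_SUFFIX) + b"\x00"
    nbns = (struct.pack("!HHHHHH", 0x8123, 0x0110, 1, 0, 0, 0) + qname
            + struct.pack("!HH", 0x20, 1))           # type NB, class IN
    udp = struct.pack("!HHHH", 137, 137, 8 + len(nbns), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(nbns), 1, 0, 128, 17, 0,
                     bytes([192, 0, 2, 25]), bytes([192, 0, 2, 255]))
    eth = b"\xff" * 6 + bytes.fromhex("001122334455") + b"\x08\x00"
    return eth + ip + udp + nbns

if __name__ == "__main__":
    mac, ip, name, suffix = host_from_nbns_frame(build_sample_frame())
    print(f"{mac} {ip} {name}<{suffix:02x}>")  # 00:11:22:33:44:55 192.0.2.25 DESKTOP-OF4FE8A<20>
```

The suffix byte is what the <20> in Wireshark's display stands for; it identifies the NetBIOS service (0x20 is the workstation/server service), not part of the hostname itself.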

In section 3, the procedure for finding answers to the following questions using Wireshark
has been explained:

1. What are the infected files downloaded and their hashes?
2. What is the URL domain of the infected site?
3. What is the IP address of the infected machine?
4. What is the host name of the infected machine?
5. What is the MAC address of the infected machine?

In the first part, infected file hashes can be blocked inside the network using a virus guard.
Access to the infected sites and their addresses can be blocked. An investigation of the
infected PC, whose MAC address is known, can be made, and infected files can be cleaned. In this
way Wireshark can be used to protect systems.
Millions of new virus signatures are released yearly, and an antivirus can only detect
viruses with known valid signatures; unknown signatures escape detection.
Today's networks face threats beyond viruses, such as malware, denial of
service, port scanning, covert channels, and information theft; however, antivirus
software can take only very limited action against these various threats. Hackers can also
target the antivirus software running on a machine, leading to multiple vulnerabilities
in the system without the user's awareness.
For these different reasons, network traffic analysis at the packet level is necessary,
and it can identify many different threats and attacks that could remain unnoticed by
antivirus software. In the past, packet analyzers were very expensive and patented.
Wireshark has changed all that. Wireshark is one of the best open-source packet
analyzers available today, and it displays packet data in as much detail as possible.
