Bots installed through IM and packet capture howto
We had a post from a Storm Center reader who noticed a version of W32.Spybot.Worm being installed via MSN Messenger. A handful of users reported that they were receiving a file called WebCam_012.pif. The users claimed that the file executed without intervention (the poster added that users sometimes disavow any involvement).
The network was "protected" by Symantec real-time protection (Corp version 9), which in its configuration did not stop the worm from executing in memory. The worm then spread through a variety of Windows methods (exploits and shares). The malware installs itself as %SYSTEMROOT%\system32\iexplore.exe.
This raises a few questions:
What solutions have users found that work in this situation (malware running actively in memory)?
What solutions work for blocking file transfers during instant messenger sessions?
If I recall Ed Skoudis' excellent article in Infosecmag on anti-virus tools correctly, Symantec's antivirus had to be configured to scan memory for malware, so that helps address one problem.
Instant messenger has long been the bane of many a security admin. I've always favored an instant messenger proxy server, a la Jabber or similar. This at least allows me to monitor the traffic, as well as limit its points of entry/exit.
In diaries past, we have routinely asked readers to submit packets (everyone can repeat Don Smith's trademarked slogan: "Got Packets?"). A reader requested that we put together some guidelines for gathering/submitting packets to the Storm Center. I have compiled a simple set of guidelines as a starting point. Please feel free to comment, add, augment via the usual contact form.
tcpdump -nns 1514 -w filename
would be the simplest form. Note that the above will capture all traffic that the interface can see.
tcpdump -nns 1514 -w filename 'protocol and port insert_port_number'
tcpdump -nns 1514 -w weird_traffic.cap 'dst host 10.10.0.10 and tcp and port 42'
would capture more specific traffic.
If 'anonymizing' your IP address space is important, Snort can do this with the -B and -h switches like so:
snort -h <insert_home_net/mask> -B <insert_what_to_change_to/mask> -r in.cap -bl out.cap
snort -h 10.10.0.0/16 -B 192.168.0.0/16 -r in.cap -bl out.cap
In the above example, all of the 10.10 addresses will be converted to 192.168 addresses.
Note: snort will not correct the checksums for the anonymized packets.
On Linux, netdude ( netdude.sourceforge.net ) is a GUI packet editor that will not only change the packets, but also fix the checksums.
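As an added example (my own script, not snort, netdude or tcpdump code), here is the same 10.10.0.0/16 to 192.168.0.0/16 rewrite the snort command above performs, with the IP and TCP/UDP checksums recomputed so the anonymized file still parses cleanly. It assumes an Ethernet capture in the classic libpcap format that tcpdump -w writes; the address prefixes and the sample inputs are constructed for the demonstration.

```python
"""Added example, not snort/netdude/tcpdump code: rewrite one IPv4 prefix to another in
an Ethernet/IPv4 capture (as `snort -h ... -B ...` does) and fix the stale checksums."""
import socket, struct

def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum of 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def remap(addr: bytes, home: str, to: str, bits: int) -> bytes:
    """If addr lies in home/bits, replace its top `bits` with those of `to`; host bits stay."""
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    a = int.from_bytes(addr, "big")
    h, t = (int.from_bytes(socket.inet_aton(x), "big") for x in (home, to))
    if a & mask != h & mask:
        return addr
    return ((t & mask) | (a & ~mask & 0xFFFFFFFF)).to_bytes(4, "big")

def anonymize_frame(frame: bytes, home: str, to: str, bits: int) -> bytes:
    """Rewrite src/dst of one Ethernet/IPv4 frame and fix the IP and TCP/UDP checksums."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return frame                                   # not IPv4: leave untouched
    ihl = (frame[14] & 0x0F) * 4
    ip = bytearray(frame[14:14 + ihl])
    ip[12:16] = remap(bytes(ip[12:16]), home, to, bits)
    ip[16:20] = remap(bytes(ip[16:20]), home, to, bits)
    ip[10:12] = struct.pack("!H", checksum(bytes(ip[:10]) + b"\x00\x00" + bytes(ip[12:])))
    proto, tlen = ip[9], struct.unpack("!H", ip[2:4])[0] - ihl  # tlen excludes Ethernet padding
    rest = bytearray(frame[14 + ihl:])
    off = {6: 16, 17: 6}.get(proto)                    # checksum offset in TCP / UDP header
    fragment = struct.unpack("!H", ip[6:8])[0] & 0x3FFF  # MF bit or non-zero fragment offset
    # Fragments and snaplen-truncated packets cannot be re-summed: their addresses are still
    # rewritten, but the transport checksum is left as it was.
    if off is not None and not fragment and off + 2 <= tlen <= len(rest):
        pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, proto, tlen)
        body = bytes(rest[:off]) + b"\x00\x00" + bytes(rest[off + 2:tlen])
        rest[off:off + 2] = struct.pack("!H", checksum(pseudo + body))
    return frame[:14] + bytes(ip) + bytes(rest)

def anonymize_pcap(data: bytes, home: str, to: str, bits: int) -> bytes:
    """Walk a classic libpcap file (24-byte global header, 16-byte record headers)."""
    end = "<" if data[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
    out, pos = bytearray(data[:24]), 24
    while pos + 16 <= len(data):
        incl = struct.unpack(end + "IIII", data[pos:pos + 16])[2]
        out += data[pos:pos + 16] + anonymize_frame(data[pos + 16:pos + 16 + incl], home, to, bits)
        pos += 16 + incl
    return bytes(out)
```

Frame lengths never change, so the record headers are copied through unchanged; run it as anonymize_pcap(open("in.cap", "rb").read(), "10.10.0.0", "192.168.0.0", 16) and write the result to out.cap.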
Mike Poor :s/oversomewhere/\@/g mikeoversomewhereintelguardians.com
Handler on Duty
Jan 21st 2005