
SANS ISC: Internet Storm Center Diary 2005-01-20 InfoSec Handlers Diary Blog


Bots installed through IM and Packet Capture howto

Published: 2005-01-20
Last Updated: 2005-01-21 08:17:19 UTC
by Mike Poor (Version: 1)

We had a post from a Storm Center reader that noticed a version of W32.Spybot.Worm being installed via MSN Messenger. A handful of users reported that they were receiving a file called WebCam_012.pif. The users claimed that the file executed without intervention (the poster added that users sometimes disavow any involvement).

The network was "protected" by Symantec real-time protection (Corp version 9), which in its configuration did not stop the worm from executing in memory. The worm then spread through a variety of Windows methods (exploits and shares). The malware installs itself as %SYSTEMROOT%\system32\iexplore.exe.

This begs a few questions:

What solutions have users found that work in this situation (malware running actively in memory)?

What solutions work for blocking file transfers over instant messenger?

If I recall Ed Skoudis' excellent article in Infosecmag regarding anti-virus tools correctly, Symantec's antivirus had to be configured to scan memory for malware, so that helps address one problem.

Instant messenger has long been the bane of many a security admin. I've always favored an instant messenger proxy server, à la Jabber or similar. This at least allows me to monitor the traffic, as well as limit its points of entry/exit.

In diaries past, we have routinely asked readers to submit packets (everyone can repeat Don Smith's trademarked slogan: "Got Packets?"). A reader requested that we put together some guidelines for gathering/submitting packets to the Storm Center. I have compiled a simple set of guidelines as a starting point. Please feel free to comment, add, augment via the usual contact form.

tcpdump -nns 1514 -w filename

would be the simplest form. Note that the above will capture all traffic that the interface can see.

tcpdump -nns 1514 -w filename 'protocol and port insert_port_number'

for example:

tcpdump -nns 1514 -w weird_traffic.cap 'dst host and tcp and port 42'

would capture more specific traffic.

If 'anonymizing' your IP address space is important, Snort can do this with the -B and -h switches, like so:

snort -h <insert_home_net/mask> -B <insert_what_to_change_to/mask> -r in.cap -bl out.cap


snort -h -B -r in.cap -bl out.cap

In the above example, all of the 10.10 addresses will be converted to 192.168 addresses.

Note: snort will not correct the checksums for the anonymized packets.

On Linux, netdude ( ) is a GUI packet editor that will not only change the packets, but also fix the checksums.
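To make the checksum caveat concrete, here is an added example (written for this diary; it is not Snort, netdude or ISC code) that rewrites the home-network addresses in a pcap the way the -h/-B pairing above does, and then repairs the IPv4 header checksum and the TCP/UDP checksums, which also cover the addresses through the pseudo-header. It assumes classic pcap files with an Ethernet link type and IPv4 traffic; the two-packet capture it works on is constructed inline, and the `fix_checksums=False` switch reproduces an address-only rewrite so you can see every checksum go stale.

```python
# Added example for this diary (not Snort, netdude or ISC code): rewrite the
# home-network addresses in a pcap and repair the IP/TCP/UDP checksums that an
# address-only rewrite leaves wrong. Assumes classic pcap, Ethernet, IPv4.
import ipaddress
import struct

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit words; a header that verifies sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def remap_address(addr: bytes, home_net, new_net) -> bytes:
    """Move an address in home_net into new_net keeping host bits (cf. snort -h/-B)."""
    ip = ipaddress.IPv4Address(addr)
    if ip not in home_net:
        return addr
    return ipaddress.IPv4Address(int(new_net.network_address) | (int(ip) & int(home_net.hostmask))).packed

def transport_checksum(proto: int, src: bytes, dst: bytes, seg: bytes) -> bytes:
    """Recompute a TCP (6) or UDP (17) checksum over the IPv4 pseudo-header."""
    off = 16 if proto == 6 else 6
    seg = bytearray(seg)
    seg[off:off + 2] = b"\x00\x00"
    csum = ones_complement_sum(src + dst + struct.pack("!BBH", 0, proto, len(seg)) + bytes(seg))
    if proto == 17 and csum == 0:
        csum = 0xFFFF  # RFC 768: UDP sends a computed zero as all ones
    seg[off:off + 2] = struct.pack("!H", csum)
    return bytes(seg)

def anonymize_frame(frame: bytes, home_net, new_net, fix_checksums=True) -> bytes:
    """Rewrite src/dst of one Ethernet/IPv4 frame; fix_checksums=False mimics an address-only edit."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return frame  # not IPv4 over Ethernet: pass through untouched
    ihl, total_len = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
    ip_hdr, payload = bytearray(frame[14:14 + ihl]), frame[14 + ihl:14 + total_len]
    ip_hdr[12:16] = remap_address(bytes(ip_hdr[12:16]), home_net, new_net)
    ip_hdr[16:20] = remap_address(bytes(ip_hdr[16:20]), home_net, new_net)
    proto = ip_hdr[9]
    if fix_checksums:
        ip_hdr[10:12] = b"\x00\x00"
        ip_hdr[10:12] = struct.pack("!H", ones_complement_sum(bytes(ip_hdr)))
        has_l4 = (proto == 6 and len(payload) >= 20) or (proto == 17 and len(payload) >= 8)
        if has_l4 and not (proto == 17 and payload[6:8] == b"\x00\x00"):  # UDP 0 = no checksum
            payload = transport_checksum(proto, bytes(ip_hdr[12:16]), bytes(ip_hdr[16:20]), payload)
    return frame[:14] + bytes(ip_hdr) + payload + frame[14 + total_len:]

def inspect_frame(frame: bytes) -> dict:
    """Addresses plus whether the IP and TCP/UDP checksums verify."""
    ihl, total_len = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
    ip_hdr, payload = frame[14:14 + ihl], frame[14 + ihl:14 + total_len]
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, ip_hdr[9], len(payload))
    return {"src": str(ipaddress.IPv4Address(ip_hdr[12:16])), "dst": str(ipaddress.IPv4Address(ip_hdr[16:20])),
            "ip_ok": ones_complement_sum(ip_hdr) == 0, "l4_ok": ones_complement_sum(pseudo + payload) == 0}

def iter_pcap(data: bytes):
    """Yield (record header, frame) per packet of a classic pcap in either byte order."""
    endian = "<" if data[:4] == struct.pack("<I", PCAP_MAGIC) else ">"
    pos = 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[pos + 8:pos + 12])[0]
        yield data[pos:pos + 16], data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len

def anonymize_pcap(data: bytes, home_net: str, new_net: str, fix_checksums=True) -> bytes:
    """New pcap with home_net addresses moved into new_net; frame sizes do not change."""
    home, new = ipaddress.ip_network(home_net), ipaddress.ip_network(new_net)
    out = bytearray(data[:24])
    for rec_hdr, frame in iter_pcap(data):
        out += rec_hdr + anonymize_frame(frame, home, new, fix_checksums)
    return bytes(out)

def build_sample_pcap() -> bytes:
    """Constructed capture: a UDP datagram and a TCP SYN between two 10.10.x.x hosts."""
    src, dst = ipaddress.IPv4Address("10.10.1.5").packed, ipaddress.IPv4Address("10.10.1.9").packed
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"
    udp = struct.pack("!HHHH", 40000, 53, 12, 0) + b"data"
    tcp = struct.pack("!HHIIBBHHH", 40001, 42, 1, 0, 0x50, 0x02, 8192, 0, 0)
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, (proto, seg) in enumerate(((17, udp), (6, tcp))):
        seg = transport_checksum(proto, src, dst, seg)
        hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 0x1234, 0, 64, proto, 0, src, dst))
        hdr[10:12] = struct.pack("!H", ones_complement_sum(bytes(hdr)))
        frame = eth + bytes(hdr) + seg
        out += struct.pack("<IIII", 1106179200 + i, 0, len(frame), len(frame)) + frame  # ts_sec, ts_usec, lens
    return bytes(out)

if __name__ == "__main__":
    for fix in (False, True):
        out = anonymize_pcap(build_sample_pcap(), "10.10.0.0/16", "192.168.0.0/16", fix)
        print("checksums repaired" if fix else "addresses only", [inspect_frame(f) for _, f in iter_pcap(out)])
```

Run stand-alone, the first line of output shows both packets now sourced from 192.168.1.5 with `ip_ok` and `l4_ok` false, which is what a capture looks like after an address-only rewrite; the second line shows the same packets with every checksum verifying again. Only the first 16-bit word of each address changes here (0x0a0a to 0xc0a8), so the sums shift by a fixed amount and no checksum survives the rewrite by accident.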

Mike Poor :s/oversomewhere/\@/g

Handler on Duty