Bots installed through IM and Packet Capture howto

We had a post from a Storm Center reader who noticed a version of W32.Spybot.Worm being installed via MSN Messenger. A handful of users reported that they were receiving a file called WebCam_012.pif. The users claimed that the file executed without intervention (the poster added that users sometimes disavow any involvement).

The network was "protected" by Symantec real-time protection (Corp version 9) which, as configured, did not stop the worm from executing in memory. The worm then spread through a variety of Windows methods (exploits and shares). The malware installs itself as %SYSTEMROOT%\system32\iexplore.exe.

This raises a few questions:

What solutions have users found that work in this situation (malware running actively in memory)?

What solutions work for blocking file transfers over instant messenger?

If I recall Ed Skoudis' excellent article in Infosecmag regarding anti-virus tools, Symantec's antivirus had to be explicitly configured to scan memory for malware, so that helps address one of the problems.

Instant messenger has long been the bane of many a security admin. I've always favored an instant messenger proxy server, à la Jabber or similar. This at least allows me to monitor the traffic, as well as limit its points of entry/exit.

In diaries past, we have routinely asked readers to submit packets (everyone can repeat Don Smith's trademarked slogan: "Got Packets?"). A reader requested that we put together some guidelines for gathering/submitting packets to the Storm Center. I have compiled a simple set of guidelines as a starting point. Please feel free to comment, add, augment via the usual contact form.

tcpdump -nns 1514 -w filename

would be the simplest form (-nn disables name and port resolution, -s 1514 sets the snaplen so full Ethernet frames are kept, -w writes raw packets to a file). Note that the above will capture all traffic the interface can see.

tcpdump -nns 1514 -w filename '<insert_protocol> and port <insert_port_number>'

or, for example,

tcpdump -nns 1514 -w weird_traffic.cap 'dst host <insert_dst_ip> and tcp and port 42'

would capture more specific traffic.

If 'anonymizing' your IP address space is important, Snort can do this with the -B and -h switches like so:

snort -h <insert_home_net/mask> -B <insert_what_to_change_to/mask> -r in.cap -bl out.cap

for example:

snort -h 10.10.0.0/16 -B 192.168.0.0/16 -r in.cap -bl out.cap

In the above example, all of the 10.10 addresses will be converted to 192.168 addresses.

Note: snort will not correct the checksums for the anonymized packets, so the rewritten capture will show checksum errors in analysis tools.

On Linux, netdude is a GUI packet editor that will not only change the packets, but also fix the checksums.
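To show what the checksum caveat above actually means, here is an added example (not from this diary, nor from the snort or netdude projects) that does the same 10.10 to 192.168 rewrite in pure Python and then repairs the IP header checksum and the TCP/UDP checksum, whose pseudo-header also covers the addresses. The sample SYN packet and the pcap wrapper around it are constructed inline so the script runs offline; it handles little-endian pcap files with Ethernet frames only, and skips the transport checksum on fragments.

```python
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4        # little-endian pcap, the common on-disk form
LINKTYPE_ETHERNET = 1


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def anonymize_ipv4(packet: bytes, src_net: str, dst_net: str) -> bytes:
    """Move addresses inside src_net to the same host offset inside dst_net,
    then repair the IP header checksum and the TCP/UDP checksum (which also
    covers the addresses via the pseudo-header). Ethernet/IPv4 frames only."""
    src_net, dst_net = ipaddress.IPv4Network(src_net), ipaddress.IPv4Network(dst_net)
    if struct.unpack("!H", packet[12:14])[0] != 0x0800:
        return packet                                   # not IPv4: untouched
    ihl = (packet[14] & 0x0F) * 4
    ip = bytearray(packet[14:14 + ihl])
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto, frag = ip[9], struct.unpack("!H", ip[6:8])[0] & 0x3FFF   # MF bit + offset
    seg = bytearray(packet[14 + ihl:14 + total_len])
    trailer = packet[14 + total_len:]                   # Ethernet padding, if any

    def remap(raw: bytes) -> bytes:
        addr = ipaddress.IPv4Address(raw)
        if addr not in src_net:
            return raw
        offset = int(addr) - int(src_net.network_address)
        return ipaddress.IPv4Address(int(dst_net.network_address) + offset).packed

    ip[12:16], ip[16:20] = remap(bytes(ip[12:16])), remap(bytes(ip[16:20]))
    ip[10:12] = b"\x00\x00"                             # zero, then recompute
    ip[10:12] = struct.pack("!H", internet_checksum(bytes(ip)))
    # Transport checksum: only for unfragmented TCP (6) or UDP (17).
    if proto in (6, 17) and frag == 0:
        off = 16 if proto == 6 else 6
        seg[off:off + 2] = b"\x00\x00"
        pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, proto, len(seg))
        cks = internet_checksum(pseudo + bytes(seg))
        if proto == 17 and cks == 0:
            cks = 0xFFFF                                # UDP: 0 means "no checksum"
        seg[off:off + 2] = struct.pack("!H", cks)
    return packet[:14] + bytes(ip) + bytes(seg) + trailer


def anonymize_pcap(data: bytes, src_net: str, dst_net: str) -> bytes:
    """Walk a little-endian pcap file and rewrite every record."""
    magic, *_, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected little-endian pcap with Ethernet frames")
    out, pos = bytearray(data[:24]), 24
    while pos < len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack("<IIII", data[pos:pos + 16])
        pkt = anonymize_ipv4(data[pos + 16:pos + 16 + incl_len], src_net, dst_net)
        out += struct.pack("<IIII", ts_sec, ts_usec, len(pkt), orig_len) + pkt
        pos += 16 + incl_len
    return bytes(out)


def checksums_valid(packet: bytes) -> bool:
    """True when the IP header and the TCP/UDP checksum both verify (sum folds to 0)."""
    ihl = (packet[14] & 0x0F) * 4
    ip = packet[14:14 + ihl]
    seg = packet[14 + ihl:14 + struct.unpack("!H", ip[2:4])[0]]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, ip[9], len(seg))
    return internet_checksum(ip) == 0 and internet_checksum(pseudo + seg) == 0


def addresses(packet: bytes) -> tuple:
    """(src, dst) of an Ethernet/IPv4 frame as dotted strings."""
    return (str(ipaddress.IPv4Address(packet[26:30])), str(ipaddress.IPv4Address(packet[30:34])))


def build_tcp_syn(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed sample input: an Ethernet/IPv4/TCP SYN with valid checksums."""
    eth = b"\x00" * 12 + b"\x08\x00"
    s, d = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, s, d))
    ip[10:12] = struct.pack("!H", internet_checksum(bytes(ip)))
    tcp[16:18] = struct.pack("!H", internet_checksum(s + d + struct.pack("!BBH", 0, 6, len(tcp)) + bytes(tcp)))
    return eth + bytes(ip) + bytes(tcp)


def build_pcap(packets) -> bytes:
    """Constructed sample pcap (little-endian, Ethernet) wrapping the given frames."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = [struct.pack("<IIII", 1106265600 + i, 0, len(p), len(p)) + p for i, p in enumerate(packets)]
    return hdr + b"".join(recs)


if __name__ == "__main__":
    cap = anonymize_pcap(build_pcap([build_tcp_syn("10.10.1.5", "10.10.2.9", 4321, 42)]),
                         "10.10.0.0/16", "192.168.0.0/16")
    frame = cap[40:]                                    # 24-byte file header + 16-byte record header
    print(addresses(frame), checksums_valid(frame))     # ('192.168.1.5', '192.168.2.9') True
```

The host part of each address is preserved (10.10.1.5 becomes 192.168.1.5), which keeps conversations distinguishable for whoever analyses the capture while hiding the real prefix. Running checksums_valid against a capture where only the address bytes were swapped shows the failure the diary warns about: both the IP and TCP checksums stop verifying until they are recomputed.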

Mike Poor :s/oversomewhere/\@/g

Handler on Duty
Jan 21st 2005