MALWARE NETWORK COMMUNICATION

THE MALWARE COMMUNICATES WITH THE C&C SERVER


• Sample 1:
- communicates over TCP using port 98 (37.187.92.171:98)
- the server sends the client the command “idjamel”
- the client responds with the basic information collected about the victim machine, such as machine name/username, the operating system installed, and a list of running processes
- after the beaconing, the server sends the client its configuration, i.e. the list of targeted banks
- the CnC sends a set of Base64-encoded PE files: DSHOWNET.DLL, REMOTEDESKTOP.DLL
- the FFMPEG application is downloaded from a URL pointed to by the CnC (details in the referenced analysis):

https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/

• Sample 2: Locky
- communicates with the CnC; the full communication is encrypted:

https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/

• Sample 3: BISKVIT
- downloads files and components
- communicates with the command and control server through REST APIs using the JSON format

https://bullguard.atlassian.net/wiki/spaces/BTD/pages/693731505/BISKVIT+trojan?preview=/693731505/706773065/BISKVIT%20trojan.pdf

THE MALWARE IS BEACONING


• Sample 1:
- Malware Beaconing is just control signaling.
- Malware notifies control sites they are alive.
- Malware receives coded instructions.
- Beacons may be “low and slow”.
- Instructions can be in addresses or text.
- DNS may be the C&C for botnets!
- Malware is increasingly using DNS for control.
- Most beaconing can be detected through simple packet inspection and temporal correlations.
https://logrhythm.com/blog/catching-beaconing-malware/
https://www.first.org/resources/papers/conference2012/warfield-michael-slides.pdf
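Temporal correlation as described above, as an added example (not from the slides or the referenced posts): it parses a constructed connection log (timestamp, source, destination, port) and flags flows whose inter-connection intervals are nearly constant, the "low and slow" regularity a beacon leaves behind even when the payload is encrypted.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample connection log (timestamp src dst dst_port); not real traffic.
# 203.0.113.10:443 is contacted every ~5 minutes, 198.51.100.7:80 irregularly.
SAMPLE_LOG = """\
2018-08-17T10:00:00 10.0.0.5 203.0.113.10 443
2018-08-17T10:00:07 10.0.0.5 198.51.100.7 80
2018-08-17T10:05:01 10.0.0.5 203.0.113.10 443
2018-08-17T10:09:59 10.0.0.5 203.0.113.10 443
2018-08-17T10:12:33 10.0.0.5 198.51.100.7 80
2018-08-17T10:15:00 10.0.0.5 203.0.113.10 443
2018-08-17T10:20:02 10.0.0.5 203.0.113.10 443
2018-08-17T10:31:40 10.0.0.5 198.51.100.7 80
"""

def parse_log(text):
    """Group connection timestamps by (src, dst, port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return flows

def beacon_score(timestamps):
    """Return (median interval in seconds, relative jitter), or None if too few gaps."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    med = statistics.median(gaps)
    # Standard deviation relative to the median: near zero means a fixed period.
    jitter = statistics.pstdev(gaps) / med if med else float("inf")
    return med, jitter

def find_beacons(text, min_connections=4, max_jitter=0.2):
    """Flag flows with enough connections and a near-constant interval."""
    hits = {}
    for key, stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue
        score = beacon_score(stamps)
        if score and score[1] <= max_jitter:
            hits[key] = score
    return hits

if __name__ == "__main__":
    for (src, dst, port), (period, jitter) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{port} period={period:.0f}s jitter={jitter:.3f}")
```

The thresholds are starting points; real traffic needs a longer window and an allowlist for legitimate periodic clients (update checkers, monitoring agents).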

THE MALWARE USES SENSITIVE PORTS (FTP, SMTP, IRC, HTTP)


• Sample 1:
FTP: 21, 20
SSH: 22
SMTP: 25
IRC: 113
HTTP: 80, 8080, 8008
HTTPS: 443
SMB: 445

https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

THE MALWARE FINDS THE EXTERNAL IP


• Sample 1:
- it connects to a legitimate server, MYEXTERNALIP.COM, in order to fetch the IP visible from outside.

https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/

https://www.malware-traffic-analysis.net/2018/08/17/index.html

THE MALWARE INTERROGATES DNS


• Sample 1:
- observe the domain names used by malware to contact C&C servers

https://www.netfort.com/blog/detect-cryptocurrency-mining-activity/

https://phys.org/news/2017-05-network-traffic-early-indication-malware.html

THE MALWARE CHANGES THE FIREWALL

• Sample 1: firewall rule changes (forensic artefacts)
- netsh.exe firewall set opmode mode=disable profile=all / netsh firewall set opmode disable
- netsh firewall add allowedprogram 1.exe 1 ENABLE
- netsh advfirewall firewall add rule name="explore" dir=in action=allow program="%USERPROFILE%\appdata\roaming\ugi\voogfu.exe"

THE MALWARE DOWNLOADS (DROPS)

• Sample 1:
- 209.141.59.124 port 80 - 209.141.59.124 - GET /1.exe
- 47.74.40.118 port 80 - securityupdateserver4.com - POST /tasks.php
- 47.74.40.118 port 80 - securityupdateserver4.com - GET /modules/x64payload.core
- 47.74.40.118 port 80 - securityupdateserver4.com - GET /modules/x86payload.core

https://www.malware-traffic-analysis.net/2018/index.html

• Sample 2:
- The dropper of Ryuk is simple and fairly straightforward. It contains the 32-bit and 64-bit modules of the ransomware, embedded one after the other in the dropper’s binary. At the beginning of its execution, the dropper generates a lettered random file name using the srand function, with GetTickCount for seed generation.
https://bullguard.atlassian.net/wiki/spaces/BTD/pages/696615039/Ryuk+ransomware?preview=/696615039/706773060/Ryuk%20ransomware.pdf

THE MALWARE INJECTS INTO INTERNET EXPLORER

• Sample 1:
- the IEXPLORE.EXE process is responsible for establishing the connection with the CnC and downloading submodules (into registry keys)
https://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/

THE CRYPTO MINING MALWARE

• Sample 1:
- While drive-by mining typically happens via the standard HTTP protocol—either via HTTP or HTTPS connections—we have witnessed more and more examples of miners communicating via WebSockets instead.
https://blog.malwarebytes.com/cybercrime/2018/02/state-malicious-cryptomining/
https://www.malware-traffic-analysis.net/2018/08/06/index.html

TOOLS
• Flare is a network analytic framework: https://github.com/austin-taylor/flare
• https://www.malware-traffic-analysis.net/2018/index.html
