Detect Malware by Sniffing it!

This article will apply to those who just have one computer at home and also to those that are working on an enterprise level.

I am a professional in the Information Security field. One of my jobs has been to help detect malware and infections on machines at an enterprise level that mainstream antivirus software will not detect. Sending someone to scan each and every machine all day long, if we are talking about 1000 machines, is nearly impossible. Detecting malware on a single computer or on many computers can be done at a much easier level and with a lot less resources.

The first thing that you will need is either access to the wireless network or somewhere that you can plug in your ethernet cable. On small networks, this will do, assuming there are no subnets or VLANs set up. The next step would be to download and install a widely used and free program called Wireshark. Wireshark is a program that allows you to see all of the network packets going across the network that you are currently plugged into. Before you go any further, you need to make sure that all of the computers on the network are turned on and that no one is using any of them (this is only feasible if you are on a "small" network). This will make it easier to see what your computer is doing when no one is actually using it. Normally, malware sends and receives packets 24/7 whether you are using the computer or not. If you just have one computer (and not a network) you can still look at the packets that your PC is sending out and receiving with Wireshark. Every type of communication that is going to and coming from a PC is done via network packets.

When you first load Wireshark, you will want to tell it to "start capturing". This will allow your computer to "sniff" the packets that are going across your network. At first this will all look like mumbo jumbo. Most of the information you can disregard. If you have never looked at or broken down a network packet, you don't have to be a genius. It will take some getting used to, but the main thing that you want to get out of the packet is the "source" and "destination". For now I won't go any further into packet analysis, because determining the source and destination is all you need. In the "source" column you will notice a ton of IP addresses that look similar. If you are on a typical network you will see most of them start with 192.x.x.x, 10.x.x.x, or 172.x.x.x. These are your internal computers. If you have one PC, you will only notice a few different ones: one for your computer, one for your router, and maybe one or two from your smartphones (if they are on your wifi).

There are two main things that you want to look for. If you stare at Wireshark long enough and watch the packets, you will eventually be able to see what I am talking about. The main thing that you want to watch for here is multiple packets going from the same source (one of your machines) to the same destination, and vice versa. Many malware programs will make a computer "beacon", which means that it is constantly sending packets to a malicious server or site and possibly sending data to it. This could be something as little as your surfing habits, or it could be your confidential data, keystrokes recorded as you log into your bank, and many other things. Some of this may be hard to pick out at first. You will probably see a lot of traffic going to the same destination. This could be to a DNS server for DNS resolution (this is good traffic, not bad), or it could be one of your instant messenger programs staying connected (good, not bad). The easiest way to tell if the packets are "good" or "bad" is to google the destination address. If a packet is malicious, it typically comes from a "known malicious" IP address. As soon as you type the IP into Google you will see multiple results on that IP pertaining to what it is used for. For example, if it is MSN Messenger, you will see that in your Google results. If it is a "bad" IP address you will see a ton of different results coming up regarding malware, trojans, viruses, etc. You can then click on each result and read about the IP address. If you have a machine that is "beaconing" to one of these IP addresses, especially when no one is using the computer, that is definitely a sign of malware. At that point, you want to make sure that you take a close look at the machine that is sending out the packets (the source address). This would mean scanning with Malwarebytes, looking at the processes, msconfig, etc. I won't get into how to scan the PC because that's not really what this article is about.
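As an added example (not code from the original post), here is a small script that applies the beaconing test described above to a packet list exported from Wireshark: it groups packets by source and destination, keeps only internal-to-external pairs (the 10.x, 172.16-31.x and 192.168.x ranges), and flags pairs that talk at a steady interval. The rows are constructed sample data; 203.0.113.5 and 198.51.100.20 are documentation placeholder addresses, not known-bad hosts.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev
# Internal ranges the post refers to (RFC 1918 private address space).
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]

# Constructed sample rows: (time in seconds, source, destination, protocol),
# shaped like Wireshark's Packet List columns. 203.0.113.5 and 198.51.100.20
# are documentation placeholder addresses, not real malicious hosts.
PACKETS = [
    (0.0,   "192.168.1.10", "192.168.1.1",   "DNS"),  # DNS to the router: good
    (1.0,   "192.168.1.10", "203.0.113.5",   "TCP"),
    (61.0,  "192.168.1.10", "203.0.113.5",   "TCP"),
    (90.4,  "192.168.1.12", "198.51.100.20", "TCP"),  # irregular browsing
    (95.0,  "192.168.1.12", "198.51.100.20", "TCP"),
    (121.0, "192.168.1.10", "203.0.113.5",   "TCP"),
    (181.0, "192.168.1.10", "203.0.113.5",   "TCP"),
    (241.0, "192.168.1.10", "203.0.113.5",   "TCP"),
    (300.0, "192.168.1.12", "198.51.100.20", "TCP"),
    (301.2, "192.168.1.12", "198.51.100.20", "TCP"),
]

def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL)

def find_beacons(packets, min_packets=4, max_jitter=0.1):
    """Return {(src, dst): mean_interval} for internal->external pairs that
    send at least min_packets packets at a steady rate: the population std
    dev of the gaps between packets is at most max_jitter of the mean gap,
    which is how a timer-driven beacon looks. Bursty browsing is skipped."""
    flows = defaultdict(list)
    for ts, src, dst, _proto in packets:
        if is_internal(src) and not is_internal(dst):
            flows[(src, dst)].append(ts)
    beacons = {}
    for key, times in flows.items():
        if len(times) < min_packets:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = round(avg, 1)
    return beacons

if __name__ == "__main__":
    for (src, dst), interval in find_beacons(PACKETS).items():
        print(f"{src} -> {dst} every ~{interval}s: look up {dst} before trusting it")
```

A flagged destination is only a lead; as the post says, the next step is to look the address up and then examine the source machine.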

If you are on a larger network with multiple switches and/or VLANs in place, you want to make sure that the computer running Wireshark is plugged into a "spanned" port on the switch. This means that the port you are plugged into allows you to see ALL traffic across the VLANs.

At the point where you are on an Enterprise level network (maybe 1000 machines or more) you will want to look into an IDS system. Snort is a free IDS (Intrusion Detection System) that basically looks at all of your packets automatically and will alert you of possible malicious packets. An IDS system will only detect possible malicious traffic but will not stop it. You can then look at the Snort log files to determine what is going on with the network. Using a true IDS system is a much better method of seeing malware and other malicious traffic that is happening on your network, but it does require a lot of time going through logs, or using a front end that allows you to "filter" the events that your IDS system throws. One other problem with IDS systems is that they throw a lot of "false positives", which means that the packets it thinks are bad really aren't.

Using Wireshark is a good starting point if you have no experience with IDS and just want to look at some quick traffic to see what is happening on the network. This will allow you to quickly see traffic that is incoming and outgoing. Remember, the key thing is looking at the destination address and using Google to determine if the address is bad or not. Make sure when you are done "capturing" your traffic with Wireshark that you click "stop capturing", or your computer will probably lock up eventually. I analyze my network at home at least once a week to see if I have any machines that are infected or not. On an enterprise level this should be done every day. Please let me know if you have any questions, I'd be happy to help.
