Author Archives: jsaxton
In my previous post, I analyzed a packet capture in which a user is infected with a virus after clicking on a malicious link. In this post, I’d like to take a closer look at how this attack worked. Clicking on a malicious link should not automatically download and execute a virus. What happened here?
Fun with Wireshark and IE Exploits
December 26, 2012 – 7:12 pm
Recently I’ve written a couple of posts in which I solve puzzles that were posted as part of the Network Forensics Puzzle Contest. While the contest is long over, the puzzles are still interesting and a lot of fun. Puzzles 3 and 4 didn’t seem particularly interesting to me, but puzzle 5 did. A user gets an email with a link to an online pharmacy and is subsequently infected with a virus. We are given a packet capture and told to figure out what happened:
1. As part of the infection process, Ms. Moneymany’s browser downloaded two Java applets. What were the names of the two .jar files that implemented these applets?
2. What was Ms. Moneymany’s username on the infected Windows system?
3. What was the starting URL of this incident? In other words, on which URL did Ms. Moneymany probably click?
4. As part of the infection, a malicious Windows executable file was downloaded onto Ms. Moneymany’s system. What was the file’s MD5 hash? Hint: It ends on “91ed”.
5. What is the name of the packer used to protect the malicious Windows executable? Hint: This is one of the most popular freely-available packers seen in “mainstream” malware.
6. What is the MD5 hash of the unpacked version of the malicious Windows executable file?
7. The malicious executable attempts to connect to an Internet host using an IP address which is hard-coded into it (there was no DNS lookup). What is the IP address of that Internet host?
Fun with Wireshark and SMTP
December 16, 2012 – 3:23 pm
This post is kind of a continuation of a previous post of mine, Fun with Wireshark and AIM. The challenge this time is to determine the following from a .pcap file:
1. What is Ann’s email address?
2. What is Ann’s email password?
3. What is Ann’s secret lover’s email address?
4. What two items did Ann tell her secret lover to bring?
5. What is the NAME of the attachment Ann sent to her secret lover?
6. What is the MD5sum of the attachment Ann sent to her secret lover?
7. In what CITY and COUNTRY is their rendez-vous point?
8. What is the MD5sum of the image embedded in the document?
Customizing WordPress
December 15, 2012 – 5:05 pm
This will not be a terribly interesting blog post, but I made a number of customizations to WordPress, which I am going to document in case I ever need to install WordPress again. Maybe even someone else will stumble upon this and find this information useful.
In some cases I’ll be vague about what I did, and this is intentional. Obviously security through obscurity is a flawed practice, but at the same time, given the security track record of WordPress, I don’t want to share too much, as I don’t want to make an attacker’s life any easier than it already is.
dd-wrt
December 11, 2012 – 8:18 am
I hate static IP addressing, but with the crappy interface provided by my router, it was really my only option if I wanted to enable port forwarding. Fortunately my router (Linksys WRT54GL) is supported by dd-wrt, so I thought I’d give it a try. For those who don’t know, dd-wrt is basically a Linux-based firmware that can be installed on a number of routers and provides a much larger set of features, including static DHCP.
Fun with Wireshark and AIM
December 9, 2012 – 9:05 pm
I recently used Wireshark at work to better understand one of the protocols in our codebase, and I found it was a much more efficient way of learning how the protocol works (at least on the happy path) than just reading the code. To learn more about Wireshark, I decided to download and analyze some pcap (packet capture) files. One of these pcap files was of an AIM conversation between a rogue employee (Ann) and a mystery person, and the challenge is to determine the following from the .pcap file:
- The name of Ann’s IM buddy
- The first comment in the captured IM conversation
- The name of the file Ann transferred
- The magic number of the file
- The md5sum of the file
- The secret recipe
Hello, world!
December 8, 2012 – 12:35 pm
Periodically I go through phases where I feel it would be worthwhile to have some sort of online presence, and as you have probably inferred, I am going through one of those phases again. In the past, I have hacked together a minimalistic blog/CMS in PHP or something, but this time I decided writing a good, secure, production-quality blog/CMS would require more time than I am willing to invest. Rather than reinvent the wheel, I have installed WordPress. It’s not perfect, but so far it looks like it meets my requirements. I should be able to use this site as both a personal blog and also as a platform to share various projects of mine. Stay tuned.