In my previous post, I analyzed a packet capture in which a user is infected with a virus after clicking on a malicious link. In this post, I’d like to take a closer look at how this attack worked. Clicking on a malicious link should not automatically download and execute a virus. What happened here?
Category Archives: Networking
Fun with Wireshark and IE Exploits
Categories: Computer Security, Networking, Wireshark
December 26, 2012 – 7:12 pm
Recently I’ve written a couple of posts in which I solve puzzles that were posted as part of the Network Forensics Puzzle Contest. While the contest is long over, the puzzles are still interesting and a lot of fun. Puzzles 3 and 4 didn’t seem particularly interesting to me, but puzzle 5 did. A user gets an email with a link to an online pharmacy and is subsequently infected with a virus. We are given a packet capture and told to figure out what happened:
1. As part of the infection process, Ms. Moneymany’s browser downloaded two Java applets. What were the names of the two .jar files that implemented these applets?
2. What was Ms. Moneymany’s username on the infected Windows system?
3. What was the starting URL of this incident? In other words, on which URL did Ms. Moneymany probably click?
4. As part of the infection, a malicious Windows executable file was downloaded onto Ms. Moneymany’s system. What was the file’s MD5 hash? Hint: It ends on “91ed”.
5. What is the name of the packer used to protect the malicious Windows executable? Hint: This is one of the most popular freely-available packers seen in “mainstream” malware.
6. What is the MD5 hash of the unpacked version of the malicious Windows executable file?
7. The malicious executable attempts to connect to an Internet host using an IP address which is hard-coded into it (there was no DNS lookup). What is the IP address of that Internet host?
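To make the workflow behind questions 1, 3 and 4 concrete, here is an added example (my own code, not code from the original post or from the contest): a dependency-free Python reader for a classic libpcap capture that lists the requested URLs, pairs each response with its request, hashes every downloaded body with MD5, and flags bodies by magic bytes rather than by Content-Type (a JAR is a ZIP and starts with `PK\x03\x04`; a Windows executable starts with `MZ`). The capture it parses is constructed inline: the host `pharmacy.example`, the addresses `10.0.0.5` and `203.0.113.9`, the paths and the JAR/EXE bodies are all made up, and each HTTP message fits in a single packet, so no TCP stream reassembly is attempted. On a real capture you would reassemble the streams first (Follow TCP Stream, or File > Export Objects > HTTP in Wireshark) and hash the exported files; questions 5 to 7 concern the extracted binary rather than the capture and are not covered here.

```python
import hashlib
import struct

# Added example, not code from the original post or the contest. Sample traffic
# at the bottom is constructed; every HTTP message fits in one packet.
PCAP_MAGIC_LE, LINKTYPE_ETHERNET, ETHERTYPE_IPV4, IPPROTO_TCP = 0xA1B2C3D4, 1, 0x0800, 6


def iter_frames(pcap):
    """Yield the link-layer bytes of each record in a libpcap (.pcap, not pcapng) file."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic not in (PCAP_MAGIC_LE, 0xD4C3B2A1):
        raise ValueError("not a libpcap capture")
    e = "<" if magic == PCAP_MAGIC_LE else ">"      # byte order of the writer
    if struct.unpack_from(e + "I", pcap, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled")
    off = 24                                        # 24-byte global header
    while off + 16 <= len(pcap):                    # 16-byte record header per packet
        incl_len = struct.unpack_from(e + "IIII", pcap, off)[2]
        yield pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def tcp_segment(frame):
    """Return (src, dst, sport, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != IPPROTO_TCP:
        return None
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4                   # TCP header length from the data-offset nibble
    addr = lambda b: ".".join(map(str, b))
    return addr(ip[12:16]), addr(ip[16:20]), sport, dport, tcp[data_off:]


def parse_http(payload):
    """Split one HTTP message into (start-line fields, headers dict, body), or None."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, _, v in (ln.partition(":") for ln in lines[1:])}
    return lines[0].split(" "), headers, body


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def summarize(pcap):
    """Return (requested URLs, response objects); pairing is by 4-tuple, one request per connection."""
    requests, objects, pending = [], [], {}
    for frame in iter_frames(pcap):
        seg = tcp_segment(frame)
        msg = parse_http(seg[4]) if seg and seg[4] else None
        if msg is None:
            continue
        src, dst, sport, dport, _ = seg
        start, headers, body = msg
        if start[0].startswith("HTTP/"):            # response: flip the tuple to the client side
            objects.append({"url": pending.pop((dst, dport, src, sport), None),
                            "content_type": headers.get("content-type", ""),
                            "md5": md5_hex(body),
                            "is_jar": body.startswith(b"PK\x03\x04"),   # a JAR is a ZIP
                            "is_pe": body.startswith(b"MZ")})           # DOS/PE stub
        elif len(start) == 3:                       # request line: METHOD URI VERSION
            url = "http://" + headers.get("host", dst) + start[1]
            requests.append(url)
            pending[(src, sport, dst, dport)] = url
    return requests, objects


# --- constructed sample capture: addresses, host name and bodies are made up ---
def make_frame(src, dst, sport, dport, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp   # checksums left zero


def make_pcap(frames):
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    out += [struct.pack("<IIII", 1262304000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return b"".join(out)


def req(path):
    return b"GET " + path + b" HTTP/1.1\r\nHost: pharmacy.example\r\n\r\n"


def resp(ctype, body):
    return b"HTTP/1.1 200 OK\r\nContent-Type: " + ctype + b"\r\n\r\n" + body


JAR_BODY = b"PK\x03\x04" + b"\x00" * 26 + b"META-INF/MANIFEST.MF"
EXE_BODY = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
C, S = "10.0.0.5", "203.0.113.9"
SAMPLE_PCAP = make_pcap([
    make_frame(C, S, 49152, 80, req(b"/index.php?id=42")),
    make_frame(S, C, 80, 49152, resp(b"text/html", b"<html><applet archive='a.jar'></applet></html>")),
    make_frame(C, S, 49153, 80, req(b"/a.jar")),
    make_frame(S, C, 80, 49153, resp(b"application/java-archive", JAR_BODY)),
    make_frame(C, S, 49154, 80, req(b"/load.exe")),
    make_frame(S, C, 80, 49154, resp(b"application/octet-stream", EXE_BODY)),
])
```

`summarize(SAMPLE_PCAP)` returns the three requested URLs (the first is the candidate "starting URL") and three objects in the same order: the HTML page, a body flagged `is_jar`, and a body flagged `is_pe` together with its MD5. The magic-byte check is the part worth keeping: a server can label an executable with any Content-Type it likes, so classify what was downloaded by its first bytes, then hash the reassembled body, not the raw packet payloads.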
dd-wrt
December 11, 2012 – 8:18 am
I hate static IP addressing, but with the crappy interface provided by my router, it was really my only option if I wanted to enable port forwarding. Fortunately my router (Linksys WRT54GL) is supported by dd-wrt, so I thought I'd give it a try. For those who don't know, dd-wrt is a Linux-based third-party firmware that can be installed on a number of consumer routers and provides a much larger feature set, including static DHCP leases: the router always hands the same address to a given MAC address, so a port-forwarding rule has a stable target without configuring a static IP on the host itself.