Network forensics is something we should practice as much as possible to become faster at detecting suspicious activities in our networks. The website http://malware-traffic-analysis.net/ shares network traffic captures in which we can find different kinds of infections and malicious activities. I find these exercises very good for improving our skills at spotting evil behaviour... We can also witness new attack vectors and new evasion techniques...
Today, we are going to do the last exercise:
In the post mentioned above, it was said that malware was found on a corporate computer. We can get more information about that sample from different malware analyses.
Network traffic analysis
To figure out what happened, we have to work with the traffic capture published in that blog post: 2015-11-24-traffic-analysis-exercise.pcap. The first thing I'm going to do is use tcpreplay to replay the captured traffic onto an interface where my Suricata is listening, with the latest ETPRO ruleset loaded.
Once all the traffic has been replayed and analyzed, we can see on our alerts dashboard that a computer may have been hit by an Exploit Kit. There are also some CnC alerts...
The first Angler EK alerts came from the website neuhaus-hourakus.avelinoortiz[.]com
The order of the visits to that specific domain was:
We can see that this domain has been rated as malicious by some web-filtering vendors.
I've also uploaded the PCAP to VirusTotal (look at the Details section). VirusTotal is awesome because the traffic is inspected with the Snort-VRT and Suricata-ETPRO rulesets. VirusTotal also analyzes all the requests and, if something is detected by some antivirus, it will warn us... From the VirusTotal report we can see that one of the first Suricata alerts related to the EK corresponds to a Flash file, which is related to an exploit.
And... why did this user visit www.shotgunworld[.]com? If we look at the Referer field in the Follow TCP Stream view, we can see that the user was redirected to that website by Google. The user could have been doing Google searches...
If we dig a little deeper into the connections made before the Google redirection, we can see that the user was interested in guns. He did two searches on Google:
which redirects to http://www.cabelas.com/category/Shotguns/105537780.uts, which does not seem to be infected.
which loads the EK landing page: neuhaus-hourakus.avelinoortiz[.]com/forums/viewforum.php?f=15&sid=0l.h8f0o304g67j7zl29
And... what about the landing page? I continued the analysis and found heavily obfuscated code inside the HTML.
Since we haven't deobfuscated the Angler landing page code, we can't be 100% sure that it is related to the malware found on the computer, but I think we can assume so... After the host visited that URL, the computer started requesting suspicious URLs related to a botnet.
The computer even started requesting domain names that didn't get resolved...
Those domains may have been generated by a domain generation algorithm (DGA). This could be an indicator that the computer had become part of a botnet.
After being notified that a piece of malware had been detected on a corporate computer, we analyzed the traffic capture provided and detected the following:
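As an added example (not code from the original post), this Python script scans Suricata eve.json DNS records for clients with several distinct unresolved names and reports the entropy of the failed labels, which is the kind of DGA indicator described above. The log lines are constructed for the example, and the field names assume Suricata's eve.json dns record format.

```python
import json
import math
from collections import defaultdict

# Constructed sample of Suricata eve.json DNS events (made up for this example,
# not taken from the exercise capture). Suricata logs a "query" record and an
# "answer" record per lookup; a name that did not resolve shows up as an answer
# with rcode NXDOMAIN, and on an answer record the client is dest_ip.
SAMPLE_EVE = """\
{"event_type":"dns","src_ip":"192.168.122.52","dest_ip":"192.168.122.1","dns":{"type":"query","rrname":"www.shotgunworld.com","rrtype":"A"}}
{"event_type":"dns","src_ip":"192.168.122.1","dest_ip":"192.168.122.52","dns":{"type":"answer","rrname":"www.shotgunworld.com","rrtype":"A","rcode":"NOERROR"}}
{"event_type":"dns","src_ip":"192.168.122.1","dest_ip":"192.168.122.52","dns":{"type":"answer","rrname":"qzk7v2mbxr1p.net","rrtype":"A","rcode":"NXDOMAIN"}}
{"event_type":"dns","src_ip":"192.168.122.1","dest_ip":"192.168.122.52","dns":{"type":"answer","rrname":"xw3hd9lcaq0t.com","rrtype":"A","rcode":"NXDOMAIN"}}
{"event_type":"dns","src_ip":"192.168.122.1","dest_ip":"192.168.122.52","dns":{"type":"answer","rrname":"m4tkz8vyprqn.org","rrtype":"A","rcode":"NXDOMAIN"}}
{"event_type":"dns","src_ip":"192.168.122.1","dest_ip":"192.168.122.52","dns":{"type":"answer","rrname":"b7sjwq2xd1ce.info","rrtype":"A","rcode":"NXDOMAIN"}}
{"event_type":"dns","src_ip":"192.168.122.1","dest_ip":"192.168.122.53","dns":{"type":"answer","rrname":"www.cabelsa.com","rrtype":"A","rcode":"NXDOMAIN"}}
"""

def shannon_entropy(label):
    """Bits of entropy per character of a domain label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def nxdomain_by_client(eve_text):
    """Map client IP -> set of distinct names that came back NXDOMAIN."""
    failed = defaultdict(set)
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "dns":
            continue
        dns = rec["dns"]
        if dns.get("type") == "answer" and dns.get("rcode") == "NXDOMAIN":
            failed[rec["dest_ip"]].add(dns["rrname"].lower().rstrip("."))
    return failed

def flag_dga_suspects(eve_text, min_failures=3):
    """Return {client: (distinct_failures, mean_label_entropy)} for clients
    whose number of distinct unresolved names reaches min_failures."""
    suspects = {}
    for client, names in nxdomain_by_client(eve_text).items():
        if len(names) < min_failures:
            continue
        # entropy of the label just left of the TLD (e.g. "qzk7v2mbxr1p")
        ents = [shannon_entropy(n.split(".")[-2]) for n in names if "." in n]
        suspects[client] = (len(names), round(sum(ents) / len(ents), 2))
    return suspects

if __name__ == "__main__":
    for client, (count, ent) in flag_dga_suspects(SAMPLE_EVE).items():
        print(f"{client}: {count} unresolved names, mean label entropy {ent}")
```

A single NXDOMAIN (the typo on the second client) is not flagged, and entropy alone does not separate random labels from ordinary English words reliably, so treat it as supporting evidence next to the failure count.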
- The user was doing Google searches related to guns.
- After visiting some gun shops, he ended up on this website: www.shotgunworld[.]com
- It seems the EK was successful and the computer became part of a botnet.