Wiretapping and Visualising the Malware Traffic

Mehmet Yavuz Yağış
3 min read · May 8, 2022

Verizon estimates that the cost of malware to the world economy runs up to 100 billion USD. Steve Morgan of Cybersecurity Ventures, on the other hand, puts the total cost of cybercrime to the world economy at 10 trillion USD by 2025.

Thanks to tirelessly working brains, our technological progress is unparalleled and we have never been this interconnected. The same interconnection, however, creates new attack surfaces and calls for more robust defences for networks of servers, vehicle fleets, smart home devices, traffic lights, and much more.

For a security professional this is also thrilling: seeing things happen in front of your eyes and taking up arms against them, getting smarter every day.

In this blog post, I will try to demonstrate how to create a visual network map with Wireshark by going after malware traffic.

<Seasoning Wireshark />

Wireshark is a fantastic tool. It is already powerful on its own, and with its extensions and plugin slots it is one of the favourite weapons in my arsenal.

For this demonstration we either need to detonate malware in a (preferably :)) controlled environment and tap its traffic, or use a ready-made capture. The best source of ready-made captures I know is the malware-traffic-analysis website, from which you can download any pcap file. Be warned: these pcaps contain real malware. As long as you do not extract the binaries (for example with File > Export Objects) and run them, you are good to go; analysing the capture on an isolated VM is still good practice.

Secondly, Wireshark does not ship with a geolocation database. We need to download and import one so that any public IP in the traffic that is also in the database resolves to a city or country. MaxMind offers freely downloadable (lite) GeoLite2 databases in .mmdb format; since 2019 they require a free MaxMind account. Point Wireshark at the directory holding the .mmdb files under Edit > Preferences > Name Resolution > MaxMind database directories, and the ip.geoip.* fields will be populated for public addresses.

<Seeing Malware Traffic/>

As seen in the picture above, which I took from a pcap downloaded from the aforementioned website, a private IP address in the 10/8 range probes several well-known ports (25 SMTP, 22 SSH, 23 Telnet, 80 HTTP) on different public IPs. But I would like to see names of geographical locations on the map. If everything worked, I should be able to catch countries or cities. For this, I need to select a packet with a public IP and expand its IP header.

The source IP address, 35.227.229.34, is a public one, and the GeoIP field shows it as coming from Mountain View, which hosts Google :) Keep in mind that a city resolved for a cloud provider's address tells you where the provider registered the range, not who is renting the machine.

Adding the GeoIP location as a column in Wireshark gives me good leverage too: right-click the field and select Apply as Column.

Wireshark also shows these fields (Country, City, AS Number) in Statistics > Endpoints on the IPv4 tab once the MaxMind databases are loaded.
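To make the screenshot reproducible without the GUI, here is an added example (not code from the original post or its author) that reads a pcap with nothing but the Python standard library and reproduces two things the post reads off Wireshark: a per-address Endpoints summary and a list of internal hosts probing well-known ports on public addresses. Everything in it is constructed: the capture is generated in memory, contains no real malware, and the three "public" targets are well-known resolver addresses chosen only because they sit outside private ranges. GeoIP is deliberately not attempted, since that needs the MaxMind database Wireshark does not bundle.

```python
"""Added example: minimal pcap reader + Endpoints-style summary (stdlib only).

The capture is constructed in memory; no real malware traffic is involved.
Assumed thresholds (min_hosts, min_ports) are illustrative, not Wireshark's.
"""
import ipaddress
import struct
from collections import defaultdict

WELL_KNOWN = {22: "SSH", 23: "Telnet", 25: "SMTP", 80: "HTTP"}


def tcp_frame(src, dst, sport, dport, flags=0x02):
    """Ethernet + IPv4 + TCP header with no payload (checksums left at 0).

    flags=0x02 is a bare SYN, 0x12 a SYN/ACK."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)                   # ethertype IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + tcp


def write_pcap(frames):
    """Classic libpcap format: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_652_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Return [(src, dst, proto, sport, dport), ...] for every IPv4 frame."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):        # microsecond magic, either byte order
        raise ValueError("not a classic pcap (pcapng / nanosecond variants not handled)")
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("example handles Ethernet (linktype 1) captures only")
    packets, off = [], 24
    while off + 16 <= len(data):
        incl = struct.unpack(endian + "I", data[off + 8:off + 12])[0]  # captured length
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4 over Ethernet
            continue
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src = str(ipaddress.IPv4Address(frame[26:30]))
        dst = str(ipaddress.IPv4Address(frame[30:34]))
        l4 = frame[14 + ihl:]
        sport = dport = None
        if proto in (6, 17) and len(l4) >= 4:               # TCP or UDP: ports come first
            sport, dport = struct.unpack("!HH", l4[:4])
        packets.append((src, dst, proto, sport, dport))
    return packets


def endpoints(packets):
    """Per-address packet counts, like Statistics > Endpoints > IPv4."""
    stats = defaultdict(lambda: {"tx": 0, "rx": 0})
    for src, dst, *_ in packets:
        stats[src]["tx"] += 1
        stats[dst]["rx"] += 1
    for ip, s in stats.items():
        s["private"] = ipaddress.ip_address(ip).is_private   # RFC 1918 and friends
    return dict(stats)


def port_probers(packets, min_hosts=3, min_ports=3):
    """Sources that hit >= min_ports well-known TCP ports on >= min_hosts public hosts."""
    seen = defaultdict(lambda: (set(), set()))
    for src, dst, proto, _, dport in packets:
        if proto == 6 and dport in WELL_KNOWN and not ipaddress.ip_address(dst).is_private:
            hosts, ports = seen[src]
            hosts.add(dst)
            ports.add(dport)
    return {src: {"hosts": len(h), "ports": sorted(p)}
            for src, (h, p) in seen.items() if len(h) >= min_hosts and len(p) >= min_ports}


def constructed_capture():
    """Constructed sample: one 10/8 host SYN-probes four ports on three public
    addresses, plus one benign HTTPS handshake from another internal host."""
    frames = []
    for i, target in enumerate(["8.8.8.8", "1.1.1.1", "9.9.9.9"]):
        for j, port in enumerate(WELL_KNOWN):
            frames.append(tcp_frame("10.5.1.20", target, 50000 + 4 * i + j, port))
    frames.append(tcp_frame("10.5.1.30", "8.8.8.8", 51000, 443))
    frames.append(tcp_frame("8.8.8.8", "10.5.1.30", 443, 51000, flags=0x12))
    return write_pcap(frames)


def summarize(pcap_bytes):
    packets = parse_pcap(pcap_bytes)
    return endpoints(packets), port_probers(packets)


if __name__ == "__main__":
    ep, probers = summarize(constructed_capture())
    for ip, s in sorted(ep.items(), key=lambda kv: -(kv[1]["tx"] + kv[1]["rx"])):
        print(f"{ip:16} tx={s['tx']:3} rx={s['rx']:3} {'private' if s['private'] else 'public'}")
    for src, info in probers.items():
        names = ", ".join(f"{p} ({WELL_KNOWN[p]})" for p in info["ports"])
        print(f"{src} probed {names} on {info['hosts']} public hosts")
```

To run it against a real capture from malware-traffic-analysis, replace `constructed_capture()` with `open("capture.pcap", "rb").read()`; the reader only understands the classic pcap container, so convert pcapng files first. The same probing pattern can be pulled out in Wireshark with a display filter such as `ip.src == 10.0.0.0/8 && tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.dstport in {22 23 25 80}`.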

I now know the country and city of origin and the destination. This helps me make educated guesses about what is happening and perhaps what is being targeted. Of course, this much information is not enough; further investigation is a must, which is the topic of the next post on this pcap.

Finally, the Endpoints dialog has a Map button that opens all these endpoints on a world map in the browser.

Of course, better filtering and more thorough network tracing will give us many more hints about what was targeted and what the TTPs were.

For that and more, stay tuned !


Mehmet Yavuz Yağış

Former Intl. PhD candidate at Koç Uni (now dropout), #coder, #root, #python, #kravmaga #cybersecurity #Unix https://yavuzyagis.com