Using network packet captured to detect presence of malware over network

Version 1

    Packet captures can be a very good option for detecting malwares on the network. Most of the network worms and bots can be traced this way back to the infected system. There are a number of packet sniffers available for free download but my personal favorite is Wireshark (formerly known as ethereal) on windows and tcpdump on *nix systems.

     

    A packet sniffer program basically acts by placing the network interface into promiscuous mode. Although the exact implementations of promiscuous mode differ from one physical network type to another (such as ethernet, ATM or DSL etc), it basically means that in this mode the network interface is asked to pick up network traffic even if the traffic is not intended for that host. Wireshark relies on a library called WinPcap to do this and tcpdump uses libpcap.

     

    These libraries usually contains two parts:

     

    a. A driver for hooking into the network stack to take out network traffic at the link layer. (Winpcap driver is called npf.sys)
    b. A set of dynamic or static libraries to get the data taken by these drivers in different data structures to the actual program.

     

    After the raw network traffic is transferred in different data structures to the packet sniffer from the library, which then proceeds to segregate these traffic into different network layers and protocols. This is achieved by declaring different data structures for each supported protocol and the raw traffic is placed into those data structures. Once done these are provided to the user for review.

     

    When we are using network sniffers to capture traffic for finding malware traces over the network, it is very important to know what to look for. The amount of traffic captured over a relatively busy network for an extended amount of time can be very large and processing it becomes an issue. So pre capture filters should be used to capture only the traffic we are interested in. Here is an example list and its filters:

     

    1) Detect IRC traffic. (tcp.port == 6667)
    2) Detect new connections to outside over port 80 ((tcp.flags.syn == 1 and tcp.flags.ack == 1 and ip.dst < internal network address) || (tcp.flags.syn == 1 and tcp.flags.ack == 1 and ip.dst > internal network broadcast address))
    3) File share access attempts incoming ((smb.cmd && ip.dst > internal network address) || (smb.cmd && ip.dst < internal network broadcast address))

     

    This document was generated from the following thread: Using network packet captured to detect presence of malware over network