Second Packet Capture

1. List the protocols found in the capture. What protocol do you think the attack is/are based on? (2pts)
There are 9 protocols found in the capture:
1. ARP
2. Browser
3. DHCP
4. DNS
5. HTTP
6. ICMP
7. IGMP
8. NBNS
9. TCP

I gathered the information by simply sorting the table by Protocol.
From the packets followed in question 3, the attack is based on HTTP.

2. List IPs, host names / domain names. What can you tell about it? What to deduce from the setup? Does it look like real situations? (4pts)
Again, by sorting the packets – this time by IP Source (IP Address) – I found 19 IP addresses:


1. 10.0.2.15
2. 10.0.2.2
3. 10.0.3.15
4. 10.0.3.2
5. 10.0.4.15
6. 10.0.4.2
7. 10.0.5.15
8. 10.0.5.2
9. 192.168.1.1
10. 192.168.56.50
11. 192.168.56.51
12. 192.168.56.52
13. 209.85.227.100
14. 209.85.227.106
15. 209.85.227.99
16. 224.0.0.2
17. 64.236.114.1
18. 74.125.77.101
19. 74.125.77.102

However, broadcast and subnet addresses (i.e. 0.0.0.0, 255.255.255.255, 10.0.2.255, 10.0.3.255, 10.0.4.255, 10.0.2.255) and servers/systems (i.e. CadmusCo and Realtek, as shown in the MAC addresses) are also found in this capture.
               
Further, these are the host/domain names that are found:
1. rapidshare.com.eyu32.ru, which is running on Mozilla
2. sploitme.com.cn (captured at packet 64 when the TCP stream was followed)
3. www.honeynet.org (captured at packet 214 when the UDP stream was followed)
4. www.google-analytics.com (captured at packet 259 when the UDP stream was followed)
5. www.google.com (captured at packet 292 when the UDP stream was followed)
6. shop.honeynet.sg (captured at packet 470 when the TCP stream was followed)
7. www.google.fr (captured at packet 300 when the UDP stream was followed)

From the setup, it is possible that this is not a real situation because a virtual machine is used.

3. List all the web pages. List those visited containing suspect and possibly malicious JavaScript and who is connecting to it? Briefly describe the nature of the malicious web pages. (6pts)
These are the web pages that I found during the analysis:
1. http://rapidshare.com.eyu32.ru/login.php (captured in packets starting at 142, when the TCP stream is followed). This is used by the IP address 10.0.3.15.
2. http://sploitme.com.cn/fg/show.php?s=3feb5a6b2f (captured in packets starting at 142, when the TCP stream is followed). This is used by the IP address 192.168.56.52. This IP address is sending/distributing a virus by using “AddAtomA”.
3. http://rapidshare.com.eyu32.ru/images/sslstyles.css (captured in packets starting at 59, when the TCP stream is followed).
4. http://shop.honeynet.sg/catalog/
5. rapidshare.com.eyu32.ru, which is running on Mozilla
6. sploitme.com.cn (captured at packet 64 when the TCP stream was followed)
7. www.honeynet.org (captured at packet 214 when the UDP stream was followed)
8. www.google-analytics.com (captured at packet 259 when the UDP stream was followed)
9. www.google.com (captured at packet 292 when the UDP stream was followed)
10. shop.honeynet.sg (captured at packet 470 when the TCP stream was followed)
11. www.google.fr (captured at packet 300 when the UDP stream was followed)

Among these web pages, there are a few that contain malicious JavaScript.
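As an added example (not part of the original write-up), the following stdlib-only Python script automates the inventory behind questions 1 to 3: it counts protocols, collects source IP addresses and pulls the Host header and URI out of every HTTP request, which is what sorting by Protocol/Source and following TCP streams in Wireshark gives you by hand. The function names and `read_pcap` are my own; the sample frames are constructed inline and only reuse host names and addresses already listed above, they are not packets from the capture.

```python
import struct
from collections import Counter

def read_pcap(path):
    """Yield raw Ethernet frames from a classic libpcap file (24-byte global header, 16-byte record headers)."""
    with open(path, "rb") as fh:
        magic = fh.read(4)
        endian = "<" if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
        fh.read(20)                                    # remainder of the global header
        while len(rec := fh.read(16)) == 16:
            caplen = struct.unpack(endian + "IIII", rec)[2]
            yield fh.read(caplen)

def inventory(frames):
    """Return (protocol counter, set of source IPs, list of (src, Host header, URI) per HTTP request)."""
    protos, sources, requests = Counter(), set(), []
    for f in frames:
        if f[12:14] != b"\x08\x00":                    # EtherType is not IPv4 (e.g. ARP)
            protos["non-IPv4"] += 1
            continue
        ihl, proto = (f[14] & 0x0F) * 4, f[23]         # IPv4 header length, IP protocol number
        src = ".".join(str(b) for b in f[26:30])
        sources.add(src)
        if proto != 6:                                 # not TCP: count by protocol number
            protos[{1: "ICMP", 2: "IGMP", 17: "UDP"}.get(proto, f"ip-proto-{proto}")] += 1
            continue
        payload = f[14 + ihl + (f[26 + ihl] >> 4) * 4:]  # skip TCP header (data offset in 32-bit words)
        if not payload.startswith((b"GET ", b"POST ", b"HEAD ")):
            protos["TCP"] += 1
            continue
        protos["HTTP"] += 1
        request_line, _, header_block = payload.partition(b"\r\n")
        headers = dict(h.split(b": ", 1) for h in header_block.split(b"\r\n") if b": " in h)
        requests.append((src, headers.get(b"Host", b"").decode(), request_line.split()[1].decode()))
    return protos, sources, requests

def frame(src, dst, proto, l4):
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, ip4(src), ip4(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4        # zeroed MACs/checksums: constructed demo frame

def tcp(sport, dport, payload):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload

SAMPLE_FRAMES = [  # constructed sample traffic reusing hosts, paths and addresses named in the write-up
    frame("10.0.3.15", "192.168.56.50", 6, tcp(1034, 80, b"GET /login.php HTTP/1.1\r\nHost: rapidshare.com.eyu32.ru\r\n\r\n")),
    frame("10.0.3.15", "192.168.56.52", 6, tcp(1035, 80, b"GET /fg/show.php?s=3feb5a6b2f HTTP/1.1\r\nHost: sploitme.com.cn\r\n\r\n")),
    frame("10.0.2.2", "10.0.2.15", 1, struct.pack("!BBHHH", 8, 0, 0, 1, 1)),    # ICMP echo request
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,                                  # ARP request frame
]
```

On a real file, `inventory(read_pcap("capture.pcap"))` produces the same three tables; requests whose Host header carries a well-known brand as a subdomain of an unrelated registered domain (as with rapidshare.com.eyu32.ru above) are the ones worth reviewing first.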

4. Can you sketch an overview of the general actions performed by the attacker? (2pts)
An IP address, which in this case is 10.0.3.15, launched the browser Internet Explorer. This user – the victim – logged in via rapidshare and was directed to sploitme.com, where downloads happened (video.exe). This is where the attack happens: the attacker encrypted the virus Trojan.agent.aeug. into the files that are downloaded.




5. What steps are taken to slow the analysis down? (2pts)
Encryption.
6. Provide the JavaScripts from the pages identified in the previous question. Decode/de-obfuscate them too. (8pts)



7. On the malicious URLs, what do you think the variable 's' refers to? List the differences. (2pts)

In one of the malicious URLs (on 192.168.56.52), the variable s refers to the file being retrieved, which according to PC1News.com is a kind of virus.

8. Which operating system was targeted by the attacks? Which software? And which vulnerabilities? Could the attacks have been prevented? (4pts)
The attacked IP address is using Windows 5.1, or what is known as Windows XP, and the software that was targeted was Firefox. Therefore it is a browser vulnerability. (This was also gathered by following the TCP stream of packet 142.)

9. Was there malware involved? What is the purpose of the malware(s)? (We are not looking for a detailed malware analysis for this.) (5pts)
Yes, there is malware involved in the conversation. This malware is called AddAtomA, which according to PC1News.com adds a character string to the local atom table and returns a unique value – which is called an atom. In the packet that I analysed, AddAtomA is being exported by Kernel32.dll in Internet Explorer and has a variable s, and the same source says that this file is a virus: Trojan.agent.aeug.