Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Using Open Source Tools For Malware Detection: Page 2 of 2

Once captured, you can export the traffic as a standard pcap file to one of the best open source network tools available: Wireshark. It was obvious from the packet capture that ZeroAccess was extremely active and had contacted 50 different hosts in about a minute. The traffic looked to be some type of a keepalive method of distributing information to the PCs that were part of the botnet. The infected PC would send out a 60-byte UDP packet (probably a type of keepalive) from a source port of 49154 to a destination port of 16464 on the target PC. The target PC then would respond with a 610-byte UDP packet from port 49154 (probably instructions from the botnet) back to port 16464 on the infected PC.

Zeroaccess Capture Redacted
(click image for larger view)

The next step in this forensic analysis was to find the actual malware executable. The best way to find elusive program files is by using a forensics-focused Linux distribution. There are several great Linux distributions that allow for deeper analysis and malware analysis. The ever-popular Kali Linux is typically used for penetration testing but contains forensics tools, as well. The SANS Institute provides the SANS Investigative Forensic Toolkit, or SIFT, which hasn't been updated in a while but still provides excellent documentation on how to conduct a forensic analysis. A lesser-known but powerful Linux distribution focused on reverse-engineering malware is REMnux.

The best practice is to remove the hard drive from the PC and attach it to another workstation with a USB-based write blocker. There has been debate in the forensics community over whether live CDs modify the drive contents, even when mounting read-only. A USB-based write blocker is the sure way to prevent any modifications to the target drive.

In this case, I mounted the infected hard drive to a USB-based write blocker and attached it through a virtual USB connection directly to REMnux running inside of the VirtualBox open source virtualization tool. I quickly identified the Zeus Trojan inside of the “$Recycle Bin” folder on the infected drive using tools available in REMnux Linux. I then used VirtualBox again to infect a virtual Windows XP image to study the outbound network connections more thoroughly and to document the infection process.

Malware will continue to become more sophisticated and stealthy as the profits it generates increase. Small businesses could become easy prey for criminals wielding this malware because they cannot always afford proprietary security tools. pfSense, Snort, Wireshark, Kali Linux, SIFT, REMnux and Virtualbox provide capabilities that rival their commercial counterparts. These tools will continue to evolve as more people use and improve them. Open source is all about community, and community may the best approach to solving the malware problem.