Hi.
Does anyone know of tools used to find malware traces in PCap files?
A forum for reverse engineering, OS internals and malware analysis
hanan wrote:
> What do you mean by "traces"? Is it the malware itself or is it its stream to the C&C?

I mean signatures, like an antivirus scanner for PCaps.
[23.10.2012 14:08:14:937]
GET /918679543EB52B2FECC724D9A550FA329E536B2058EAA4E752E12FEBC8CED351B1654C05E37573C298B2045D30245C89BC1400FCA2C30CFF5B9146A31B1D8EBA7EADCEFC63 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 50.22.136.150:8080
[23.10.2012 14:08:16:015]
HTTP/1.1 200 OK
Server: nginx/0.8.55
Date: Tue, 23 Oct 2012 12:08:36 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.4.4-7
Vary: Accept-Encoding
Content-Length: 63
c=rdl&u=/get/passf_v4_2.dll.crp&a=0&k=00000d4c&n=passf_v4_2.dll

wacked2 wrote:
> IMO not really possible - most HTTP bots use valid User-Agents, don't make any errors in the HTTP protocol (idiots as always not counted) - they use an unsuspicious protocol.

You are right in the case of unknown malware, but what about a known downloader that accesses a specific file (using POST and GET)?
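A minimal "antivirus for PCaps" of the kind asked about, as an added example that is not code from this thread or from any of the posters: it walks the classic pcap format, pulls the TCP payload out of each Ethernet/IPv4 frame, and runs a small rule set over it. The three rules are constructed from the request/response posted above (a GET whose path is an unusually long run of hex digits, a User-Agent claiming "Windows NT 9.0", a version string that matches no Windows release, and a response body carrying the c=rdl&u=...dll.crp download command). The capture it scans is built in memory from that same exchange plus one benign request; 192.0.2.10 and 198.51.100.7 are constructed addresses, the rule names and the pcap/IP/TCP field layout are the only assumptions beyond what the thread shows.

```python
import re
import struct

# Constructed signatures, modelled on the request/response posted in this thread.
# Each rule is (name, regex applied to the raw TCP payload of one segment).
SIGNATURES = [
    ("long-hex-get-path", re.compile(rb"^GET /[0-9A-F]{64,} HTTP/1\.[01]\r\n", re.M)),
    ("bogus-windows-nt-9", re.compile(rb"^User-Agent:.*Windows NT 9\.0", re.M)),
    ("crp-dll-download-cmd", re.compile(rb"c=rdl&u=/\S+\.dll\.crp&")),
]


def tcp_payloads(pcap: bytes):
    """Yield (frame_no, src, dst, payload) for each non-empty TCP segment in a
    classic little-endian pcap whose frames are Ethernet/IPv4/TCP."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap (magic a1b2c3d4) is handled")
    off, frame = 24, 0  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)  # record header
        off += 16
        pkt = pcap[off:off + incl_len]
        off += incl_len
        frame += 1
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":  # need IPv4 after Ethernet
            continue
        ip = pkt[14:]
        total_len = struct.unpack_from("!H", ip, 2)[0]
        ip = ip[:total_len]  # drop any Ethernet padding
        if ip[9] != 6:  # IP protocol 6 = TCP
            continue
        ihl = (ip[0] & 0x0F) * 4
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        payload = tcp[data_off:]
        if payload:
            yield frame, f"{src}:{sport}", f"{dst}:{dport}", payload


def scan_pcap(pcap: bytes):
    """Return [(frame_no, rule_name, src, dst)] for every rule that fires."""
    hits = []
    for frame, src, dst, payload in tcp_payloads(pcap):
        for name, rx in SIGNATURES:
            if rx.search(payload):
                hits.append((frame, name, src, dst))
    return hits


# --- constructed sample capture ---------------------------------------------

def _frame(src, sport, dst, dport, payload: bytes) -> bytes:
    """Build one pcap record: Ethernet + IPv4 + TCP (PSH/ACK) + payload."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                     64, 6, 0, bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    pkt = eth + ip + tcp + payload
    return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt


def demo_pcap() -> bytes:
    """In-memory pcap: the exchange from the thread plus one benign request.
    192.0.2.10 / 198.51.100.7 are constructed; the server address is the posted one."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    request = (b"GET /918679543EB52B2FECC724D9A550FA329E536B2058EAA4E752E12FEBC8CED351B1654"
               b"C05E37573C298B2045D30245C89BC1400FCA2C30CFF5B9146A31B1D8EBA7EADCEFC63 HTTP/1.1\r\n"
               b"User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)\r\n"
               b"Host: 50.22.136.150:8080\r\n\r\n")
    response = (b"HTTP/1.1 200 OK\r\nServer: nginx/0.8.55\r\nContent-Type: text/html\r\n"
                b"Content-Length: 63\r\n\r\n"
                b"c=rdl&u=/get/passf_v4_2.dll.crp&a=0&k=00000d4c&n=passf_v4_2.dll")
    benign = (b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
              b"User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n\r\n")
    return (header
            + _frame("192.0.2.10", 49152, "50.22.136.150", 8080, request)
            + _frame("50.22.136.150", 8080, "192.0.2.10", 49152, response)
            + _frame("192.0.2.10", 49153, "198.51.100.7", 80, benign))


if __name__ == "__main__":
    for frame, rule, src, dst in scan_pcap(demo_pcap()):
        print(f"frame {frame}: {rule}  {src} -> {dst}")
```

Per-segment matching is enough for a single-packet request like the one above; for a real capture the payloads of one connection should be reassembled in sequence order first, otherwise a rule can be split across two segments and never fire.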
