Celebrating 4th of July With a Malware PCAP Visualization

Published: 2013-07-04
Last Updated: 2013-07-04 22:37:08 UTC
by Russ McRee (Version: 1)
0 comment(s)

It's been exactly five years since the ISC Diary discussed the Storm botnet and fireworks.exe. What better way to celebrate America's birthday than with another fireworks-like visualization? Much has changed in five years, including malware techniques and the venerable AfterGlow visualization tool set, but some things remain consistent. Malware still sucks, sometimes it's really chatty, and when it is, the resulting PCAP can be rendered as a great picture. Raffy Marty's AfterGlow now includes a cloud version (like I said, much has changed in five years), but I rolled this graphic with a ZeroAccess sample and AfterGlow with Argus on an Ubuntu VM. An excellent analysis of this sample is provided by Contagio, so I'll spare you the details. Using the PCAP provided in that post, I executed:

argus -r zeroaccess.pcap -w - | ra -r - -nn -s saddr daddr -c, | perl afterglow.pl -c color.properties | neato -Tgif -o zeroaccess.gif

Argus turns the packets into flow records, ra prints each flow as a comma-separated source/destination address pair, afterglow.pl turns those pairs into a Graphviz graph colored per color.properties, and neato lays it out. To simplify textually, the blue dot in the middle is our hapless victim system and the red nodes are all the evil minions it's conversing with.
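To make the middle of that pipeline concrete, here is an added example (my own illustration, not AfterGlow, Argus or the Contagio sample) that does in Python what afterglow.pl does with a two-column input and a minimal color.properties: it reads the saddr,daddr lines that ra -c, emits, counts how often each pair talks, colors RFC 1918 hosts blue and everything else red, and writes a Graphviz DOT graph you can pipe into neato. The flow lines and addresses below are constructed placeholders (documentation ranges), not taken from the ZeroAccess capture, and it also reports how many distinct outside peers each internal host contacted, which is the "chatty host surrounded by red dots" signal the picture makes visible.

```python
"""Build a Graphviz DOT graph from comma-separated saddr,daddr flow pairs.

Added example in the spirit of AfterGlow's two-column mode; it is not
AfterGlow's own code and only covers the tiny subset needed here.
"""
from collections import Counter, defaultdict
import ipaddress

# Constructed sample of what `ra -nn -s saddr daddr -c,` prints for a chatty
# host. Placeholder addresses, not the ZeroAccess capture. One deliberately
# malformed line is included to show it is skipped rather than crashing.
SAMPLE_RA_OUTPUT = """\
10.0.0.5,203.0.113.17
10.0.0.5,198.51.100.42
10.0.0.5,203.0.113.17
198.51.100.9,10.0.0.5
unknown,10.0.0.5
10.0.0.5,192.0.2.77
10.0.0.5,192.0.2.77
10.0.0.5,192.0.2.77
"""

# Stand-in for color.properties: RFC 1918 space is "ours" (blue), rest is red.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_flows(text):
    """Return a Counter of (saddr, daddr) -> flow count, skipping bad lines."""
    edges = Counter()
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 2:
            continue
        try:
            src, dst = (str(ipaddress.ip_address(p)) for p in parts)
        except ValueError:
            continue  # ra banner lines, empty fields, non-IP junk
        edges[(src, dst)] += 1
    return edges


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def node_colors(edges):
    """Assign a fill color per node, like a two-rule color.properties."""
    colors = {}
    for src, dst in edges:
        for addr in (src, dst):
            colors[addr] = "blue" if is_internal(addr) else "red"
    return colors


def external_peers(edges):
    """Map each internal host to the set of non-internal hosts it exchanged
    flows with, in either direction. A large set is the visual 'starburst'."""
    peers = defaultdict(set)
    for src, dst in edges:
        if is_internal(src) and not is_internal(dst):
            peers[src].add(dst)
        elif is_internal(dst) and not is_internal(src):
            peers[dst].add(src)
    return dict(peers)


def to_dot(edges, colors):
    """Emit a digraph for neato; edge width scales with the flow count."""
    lines = ["digraph flows {", "  node [style=filled, fontcolor=white];"]
    for addr, color in sorted(colors.items()):
        lines.append(f'  "{addr}" [color={color}];')
    for (src, dst), n in sorted(edges.items()):
        lines.append(f'  "{src}" -> "{dst}" [penwidth={n}];')
    lines.append("}")
    return "\n".join(lines)


def render_dot(text):
    edges = parse_flows(text)
    return to_dot(edges, node_colors(edges))


if __name__ == "__main__":
    # Usage: python flows2dot.py | neato -Tgif -o flows.gif
    print(render_dot(SAMPLE_RA_OUTPUT))
```

The real pipeline's ra output can be fed in unchanged; only the color rules and the penwidth scaling are simplifications of what color.properties and AfterGlow's options give you.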

With the utmost respect, and sincere apologies to the Honorable Mr. Lincoln: We here highly resolve that these samples shall not have been analyzed in vain — that this Diary, under the World Wide Web, shall promote a new birth of security — and that an Internet of the people, by the people, for the people, shall not perish from the earth.

Happy 4th of July!!

ZeroAccess visualization

Russ McRee | @holisticinfosec

