Malware network activities
I tested a few banking Trojans on my lab computer, trying to find out how they steal people's logins.
I monitored network activity after executing the malware. There are some DNS queries to foreign IPs; some of them have HTTP queries to GET some files from other sites, and some have POST activity.
It is very good to find these; however, I could not figure out whether all these IPs or sites have something to do with the "info chain".
DNS query www.xxxx.org.
Outgoing tcp connection to IP: xx3.xx5.xx8.xx1 PORT: 80 (http)
http query: http://www.xxxx.org:80 POST /components/xxx/assets/xxx.php HTTP/1.0
Is the domain www.xxxx.org a "drop zone"? Is all the info collected dropped to the xxxx.php file?
I thought so until I got another confusing result:
This is what I got from a piece of Facebook malware:
DNS query: smtp.mail.ru.
Outgoing tcp connection to IP: 2xx.xx4.x8.1x7 PORT: 25 (smtp)
Outgoing tcp connection to IP: 2xx.1xx.2x.5x PORT: 8080 (webcache)
Outgoing udp connection to IP: 2xx.1xx.2x.5x PORT: 53 (domain)
Outgoing connection to IP: 2xx.1xx.2x.5x PORT: 53
I am no network professional, but smtp.mail.ru seems like a very genuine domain, right? And what are all the smtp, webcache and domain entries doing here?
I am very interested in this malware analysis stuff; hope we can have a good discussion here~
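One way to sort observations like the ones in this post is to correlate the DNS, connection and HTTP events in order and flag the patterns that usually matter: a POST to a server-side script shortly after execution (data leaving the host, a drop-zone or C2 gate candidate), outbound SMTP from a workstation (the provider's domain being genuine says nothing about who owns the account the sample logs into), and DNS sent to a hard-coded IP that also serves other ports (the sample is bypassing the system resolver, so the IP is attacker infrastructure, not a public DNS server). The script below is an added example, not code from the original post; the event format and the sample lines are constructed to mirror the redacted observations above, with addresses taken from the RFC 5737 documentation ranges rather than any real infrastructure.

```python
"""Correlate network events captured during a malware detonation and flag
the ones that point at exfiltration or command-and-control infrastructure.
Added example; event format and sample data are constructed, not from the post."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample, modelled on the redacted observations in the post.
# 203.0.113.x and 198.51.100.x are documentation ranges (RFC 5737), not real hosts.
SAMPLE_EVENTS = """\
dns query www.example.org
tcp connect 203.0.113.81:80
http POST http://www.example.org:80/components/x/assets/gate.php
dns query smtp.mail.ru
tcp connect 198.51.100.17:25
tcp connect 198.51.100.55:8080
udp connect 198.51.100.55:53
"""

DNS_RE = re.compile(r"^dns query (\S+)$")
CONN_RE = re.compile(r"^(tcp|udp) connect (\d+\.\d+\.\d+\.\d+):(\d+)$")
HTTP_RE = re.compile(r"^http (GET|POST) (\S+)$")


def parse_events(text):
    """Turn the (constructed) one-event-per-line log into dicts, in capture order."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := DNS_RE.match(line):
            events.append({"kind": "dns", "name": m.group(1).rstrip(".")})
        elif m := CONN_RE.match(line):
            events.append({"kind": "conn", "proto": m.group(1),
                           "ip": m.group(2), "port": int(m.group(3))})
        elif m := HTTP_RE.match(line):
            url = urlparse(m.group(2))
            events.append({"kind": "http", "method": m.group(1),
                           "host": url.hostname, "path": url.path})
        else:
            raise ValueError(f"unrecognised event: {line!r}")
    return events


def analyse(events):
    """Return (finding, indicator, reason) tuples for the patterns worth chasing.

    Heuristics, not proof: each finding says why the event deserves a closer look
    (packet payload, the script's responses, the mailbox the sample logs into)."""
    findings = []
    ports_by_ip = defaultdict(set)
    for e in events:
        if e["kind"] == "conn":
            ports_by_ip[e["ip"]].add(e["port"])

    for e in events:
        if e["kind"] == "http" and e["method"] == "POST":
            # Data is being sent, not fetched: the receiving script is the place
            # to look for the drop zone or C2 gate.
            findings.append(("drop_zone_candidate", e["host"],
                             f"POST to {e['path']}: data leaves the host; "
                             "inspect the request body and the script's reply"))
        elif e["kind"] == "conn" and e["port"] == 25:
            # A workstation talking SMTP directly is unusual; stolen data is often
            # mailed out through a real provider using an account the sample carries.
            findings.append(("smtp_exfil_candidate", e["ip"],
                             "outbound SMTP from a workstation: the provider's domain "
                             "being genuine does not make the account or the mail benign"))
        elif e["kind"] == "conn" and e["port"] == 53 and ports_by_ip[e["ip"]] - {53}:
            # A "DNS server" that also serves other ports is the sample's own
            # infrastructure, reached with a hard-coded IP instead of the system resolver.
            others = sorted(ports_by_ip[e["ip"]] - {53})
            findings.append(("hardcoded_dns_server", e["ip"],
                             f"DNS sent to a host that also serves ports {others}: "
                             "the sample bypasses the system resolver; treat the IP as C2"))
    return findings


if __name__ == "__main__":
    for finding, indicator, reason in analyse(parse_events(SAMPLE_EVENTS)):
        print(f"{finding:24} {indicator:18} {reason}")
```

Run against a real capture, the event lines would come from a tool such as a sniffer or sandbox report rather than the embedded string; the point of the correlation is that the same IP showing up as "webcache" and "domain", or a legitimate mail provider appearing as an SMTP destination, is an indicator in context even when each entry looks harmless on its own.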