Here is a look at a packet capture of the Zeus Botnet as viewed in Netwitness Investigator (Click picture for full screen view). It was the Netwitness Corporation that first detected the Kneber botnet. I really like Investigator, because it does a lot more than just displaying packets. You can quickly and easily sort large amounts of information with literally just a few mouse clicks.
The sample of the botnet packet capture was downloaded from openpacket.org. This site contains packet capture samples to view and learn from. Openpacket.org was started by security expert Richard Bejtlich, who currently is the Director of Incident Response at GE. He also runs the well known Taosecurity blog and teaches the TCP/IP Weapons School.
Okay, with all the gratuitous acknowledgements out of the way, let’s see how Zeus looks in Netwitness.
- Download and install Netwitness Investigator (Free, but they do license it to you)
- Download any (or all) of the sample .pcap packet capture files from Openpacket, I used Sample 2.
- Start Investigator
- Click “Collection”, then “New Local Collection”
- Name your collection folder; I called mine ‘Zeus Botnet Sample’
- Double click on the new folder; status of the folder should go to ‘Ready’
- Click the ‘Import Packet Files into the Selected Collection’ button.
- Select your .Pcap file and select open.
- Now double click your collection folder
This takes you to an action screen where you can drill into the data. This is also the view seen in the above picture. You can click on any of the categories to drill into the data. For example click on HTTP to only view Http transactions. Then click on Destination Address to only view HTTP traffic to this Destination Address.
Okay, something to notice here is all the traffic is HTTP Port 80 to foreign servers, a classic sign of Zeus. Also, notice the Alerts across the top. Particularly notice the ones labeled ‘watch list’ and ‘suspicious’. This is one of the great things about investigator, it analyses the packets and if the traffic patterns are suspicious, or connects to known bad servers, it list alerts.
Clicking on one of the suspicious files alerts will allow you to see just the information from the suspicious packets. Clicking on the green numbers will allow you to view data about the packet and the actual data from the packet. You can see the destination server name, client information, folder and file names, etc. So in just a few clicks, you can filter your data and go from a high level to a low level quickly.Very, very impressive.
As you might be able to tell, I like this software. And the fact that it is free makes it very attractive to try and see if this would work for data capture analysis on your network.
There are lots of .pcap samples of different captures available on the web. Most sites are good, but some are not so safe. It is always a good idea when analyzing suspicious data to use a machine that is not connected to a live production network and also to use a VMWare operating system image rather than using your live system. Also make sure your anti-virus and security patches are up to date.