Finding malicious traffic

I have a bunch of pcap files captured by Wireshark and I’d like to discover malicious traffic. I have written a program that parses said pcap files, creates devices (according to the MAC address found in these files) and adds packets (sent and received) to these devices. Furthermore, I merge packets which are sent to the same IP address. In the end I write the result to disk accordingly.

Thus, I am able to inspect every IP address a device has contacted and the packets sent and received.

It should also be mentioned that these devices were in “passive” mode. This means that they weren’t actually used at the moment of the capture and the screen was turned off most of the time.

So far, I have analysed the traffic of three of my smartphones, my wife’s phone and my parent’s phone and luckily (or sadly) most traffic is encrypted and sent to port 443. (I’m focusing on sent packets and Android at the moment because I want to discover data leakage on Android phones).

Given that most traffic apparently uses Amazon’s cloud I thought I might not discover anything. However, when taking a look at the encrypted Payload I am able to see some human readable data. For instance the IP 34.235.195.44 which resolves to ec2-34-235-195-44.compute-1.amazonaws.com is in fact used by Signal, because of the string textsecure-service.whispersystems.org. Furthermore, I discovered that the ES FileReader leaks a bunch of information (on partially unencrypted) traffic, due to my father’s “there is an app for it” mindset.
Along with that, if WhatsApp is running on the device it makes up a large portion of the network traffic, while Signal doesn’t use much.

I have thought about browsing through the ports and looking at non-conventional ones, but as mentioned above, the most heavily used port is 443.

Also, aside from ES FileReader, I discovered various Adnetworks being contacted on devices with a bunch of apps installed.

Do you guys have any other ideas on what to look for, or any other additional input?

1 Like

Although Wireshark is a nice tool, last time i checked (years ago) it was limited in it’s ability to detect protocols. There can still be protocols that wireshark is not able to read or even detect.

I would be more worred over that, then the ip adresses wireshark or any other tools connect to as they are most often pretty (general over all devices)

1 Like

Wireshark can detect anything. The option to color certain protocols also helps.

1 Like

Do have any reason to suspect anything malicious?

1 Like

I don’t analyse the captured traffic with Wireshark, but with a program of my own. (Or do you mean that some packets are just dropped?)

@KenPC No I don’t - it is just out of curiosity.

No i mean there also exists hidden and unknown protocols (I’m not an expert though, nor do i claim to be)

1 Like

As far as I know, pcap has an ErrorLayer, which should be used for unknown or unparsable protocols. So, I might be able to see them somehow, shouldn’t I?

Furthermore, I believe malware to be hiding in plain sight, but I might be wrong…

I wouldnt know and would also doubt that. I mean if i was someone high up, why should i make it possible for others to see what i’m doing? I would probably use billions to fight/negate it instead

You’ve already made it that far. Don’t forget to do something good for yourself, get some fresh air, treat yourself to a snack, have a beer, etc.

1 Like

Apparently Wireshark ignores traffic it can’t capture:
https://osqa-ask.wireshark.org/questions/39934/hidden-traffic

But as mentioned above, not every malicious software does that as can be seen by the ES File Reader (although it is not 100% malicious :wink: )

Is this a general advise or a metaphor that went over my head? :smiley:

1 Like

Taken from the link for anyone else interested: any traffic that is not passing via a path that libpcap can latch on to cannot be captured. < Which makes it pretty simple. It does not capture everything. End of story

General advice, it’s not the most mental health promoting thing to dabble in :stuck_out_tongue: (at least not in the long run)

1 Like

if you set up a proxy with https certificate and trust that on your own devices you could man in the middle your https traffic and inspect it that way.

if wireshark can’t capture something it’s because the traffic isn’t traversing that interface. it captures ethernet frames; so long as it is an ethernet frame it will capture it.

also. if you’re in a switched network then unless you have wireshark inline between your devices and the router it won’t caputre the traffic either unless you configure a SPAN sesson for it on your switch.

edit
and yes almost everything is over port 443 these days in order to traverse firewalls, encrypt the data, etc.

1 Like

Thanks for the info concerning Wireshark, but I’m aware of that :slight_smile: Which is why I configured a spare notebook as access point and connected it to my router via an ethernet cable. Even though @Bruger has already said that it is quite possible to hide from Wirehsark I have thus far found some interesting traffic. Some Ad-providers leak information through port 80, which yielded some interesting preleminary results. And - even if the traffic uses port 443 - there is still some information to gather that enabled me do figure out which App a device might have running.

1 Like

In Windows you can also look at performance monitor and filter network connections by process. This will enable you to see the application or process that has a network connection open on the client.

Obviously, this only works if you have administrative control of the client, and can do the analysis in real time, but is a way to see what process your port 443 traffic is generated by without the ability to inspect it in flight.