Author Topic: Monitor file behavior  (Read 4522 times)


August 07, 2008, 09:19:37 am

jani_jutt

Is there any tool that logs file behavior when it attempts to download something from the web? It should log the URL or IP address and the file names that will be downloaded from these IP addresses or URLs.

August 07, 2008, 10:13:44 am
Reply #1

MysteryFCM

I tend to use a packet filter for that .......
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

August 07, 2008, 10:58:11 am
Reply #2

CM_MWR

Filemon or Process Monitor from Sysinternals do a fine job.

Track WinInstall, or whatever it's called, is also good for this.

August 07, 2008, 11:32:18 am
Reply #3

sowhat-x

As already said... Wireshark to follow the packet stream (or any other reliable packet sniffer), along with the SysInternals apps...
As an alternative to Filemon, you might wanna give a shot to the following...
http://www.zezula.net/en/fstools/filespy.html

August 08, 2008, 04:49:59 am
Reply #4

jani_jutt

Thanks guys for your response... I've used Sysinternals utilities and Wireshark, but the problem with Wireshark is that it displays too much information... I want to collect information similar to the cwsandbox.org Network Activity section, like this:

Download URLs
http://222.240.227.29/dd/1.exe (222.240.227.29)
http://222.240.227.29/dd/8.exe (222.240.227.29)
http://222.240.227.29/dd/9.exe (222.240.227.29)
http://222.240.227.29/dd/2.exe (222.240.227.29)
http://222.240.227.29/dd/3.exe (222.240.227.29)
http://222.240.227.29/dd/7.exe (222.240.227.29)
http://222.240.227.29/dd/4.exe (222.240.227.29)
http://222.240.227.29/dd/5.exe (222.240.227.29)
http://222.240.227.29/dd/6.exe (222.240.227.29)
http://222.240.227.29/dd/10.exe (222.240.227.29)
Outgoing connection to remote server: 222.240.227.29 TCP port 80
Outgoing connection to remote server: 222.240.227.29 TCP port 80
Outgoing connection to remote server: 222.240.227.29 TCP port 80
Outgoing connection to remote server: 222.240.227.29 TCP port 80
Outgoing connection to remote server: 222.240.227.29 TCP port 80
Outgoing connection to remote server: 222.240.227.29 TCP port 80
Outgoing connection to remote server: 222.240.227.29 TCP port 80
Outgoing connection to remote server: 222.240.227.29 TCP port 80
Outgoing connection to remote server: 222.240.227.29 TCP port 80

Is there any simple packet sniffing tool or easy configuration for Wireshark to collect this kind of information?

August 08, 2008, 05:36:51 am
Reply #5

sowhat-x

Quote
but the problem with wireshark is that it displays too much information...
The best way to get around this would be to set up either "capture" or "display" filters,
i.e. say in order to only capture/display outgoing HTTP traffic. Here's the general how-to...
http://wiki.wireshark.org/CaptureFilters
http://wiki.wireshark.org/DisplayFilters
For example, in its most simple and basic form, you could set up a display filter like...
"http contains .exe", he-he...  :)

'Problem' is, that it is not guaranteed in advance that the malware in question
will specifically use HTTP... it might as well connect via IRC, FTP, TFTP etc.
Even more, malware might also not try fetching other .exes at all:
it could possibly try downloading extra config files,
or it might post statistics data about the machine that got infected, etc, etc...
Which means that, depending on what you're doing,
you will almost certainly find yourself needing to adjust the filters accordingly...

A way less effective/more generic way (but certainly worth trying out)
would be to disable/deselect all the options related to name resolution:
way less data returned this way... Wireshark will also be quite a bit lighter in terms of memory usage.

There are lots of other reliable packet sniffers out there that you could give a shot as well,
which return way less info by default when compared to Wireshark...
Wireshark is simply the "de facto" standard that all researchers out there make use of,
exactly because it can be customized as much as you want, as described above...

===========================
Note: Just a suggestion... if possible, prefer changing the direct links to malicious sites/.exes,
say from http to hxxp or something, because mistakes unfortunately do happen, lol...  :)
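As an added example (not from any poster in this thread), here is how the filtered-capture approach from Reply #5 can be turned into the kind of condensed "Network Activity" listing asked for in Reply #4. It assumes the capture was dumped with tshark's `-T fields` output (`ip.dst`, `tcp.dstport`, `http.host`, `http.request.uri`); the sample input is constructed and uses a documentation IP, and the output is defanged to hxxp as the last note suggests.

```python
"""Condense a tshark HTTP-request dump into a cwsandbox-style 'Network Activity' summary."""
from collections import OrderedDict
from urllib.parse import urlsplit

# Constructed sample input: what this tshark invocation prints for a hypothetical capture
# (the field names and options are real tshark ones; the capture and hosts are made up):
#   tshark -r capture.pcap -Y 'http.request' -T fields -E separator=/t \
#          -e ip.dst -e tcp.dstport -e http.host -e http.request.uri
SAMPLE_TSHARK_OUTPUT = (
    "198.51.100.7\t80\tfiles.example.test\t/dd/1.exe\n"
    "198.51.100.7\t80\tfiles.example.test\t/dd/2.exe\n"
    "198.51.100.7\t80\tfiles.example.test\t/dd/1.exe\n"          # repeated request
    "198.51.100.7\t8080\tfiles.example.test\t/cfg/settings.ini\n"  # non-.exe fetch
    "bad line without tabs\n"                                      # malformed, skipped
)

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com")


def parse_tshark_fields(text):
    """Yield (dst_ip, dst_port, host, uri) per request; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4 or not parts[1].isdigit():
            continue
        ip, port, host, uri = parts
        yield ip, int(port), host or ip, uri


def summarise(text):
    """Return (download_urls, connections), each in first-seen order and de-duplicated."""
    urls, conns = OrderedDict(), OrderedDict()
    for ip, port, host, uri in parse_tshark_fields(text):
        netloc = host if port == 80 else "%s:%d" % (host, port)
        urls["http://%s%s" % (netloc, uri)] = ip
        conns[(ip, port)] = None
    return list(urls.items()), list(conns)


def executable_urls(text):
    """Only URLs whose path looks like a binary: the 'http contains .exe' idea, but exact."""
    return [u for u, _ in summarise(text)[0]
            if urlsplit(u).path.lower().endswith(EXECUTABLE_SUFFIXES)]


def render(text, defang=True):
    """Build the report lines; defang=True rewrites http -> hxxp so links are not clickable."""
    urls, conns = summarise(text)
    lines = ["Download URLs"]
    for url, ip in urls:
        lines.append("%s (%s)" % (url.replace("http://", "hxxp://", 1) if defang else url, ip))
    for ip, port in conns:
        lines.append("Outgoing connection to remote server: %s TCP port %d" % (ip, port))
    return lines


if __name__ == "__main__":
    print("\n".join(render(SAMPLE_TSHARK_OUTPUT)))
```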