Wireshark-users: Re: [Wireshark-users] Malicious software sends out mail using TLS
Hi,
On Tue, Aug 25, 2009 at 4:10 PM, Jaap Zwanenveld<uc1972@xxxxxxxxxxx> wrote:
> Hello,
>
> Im fairly new to Whireshark but tried for several hours of testing and
> reading to find out what a malicious program sends out using TLS. What I've
> figured out this far is:
>
> - program checks for ip-adress of client by visiting whatismyip.com
> - program connects to ip-address 216.239.59.109 using port 587 (SMTP) ->
> google mail server
> - after connection cliend sends the STARTTLS command
> - server responds with "Ready to start TLS"
> - some handshaking finds place (TLS)
> - the agreed cipher suite between client and server is
> TLS_RSA_WITH_RC4_128_MD5
>
> After that i can see packages going from client to server and the other way
> around. However all the data is encrypted. I tried a lot of different things
> like "Follow SSL stream" and setting the RSA keys list entry using port 587
> as parameter and protocol http as well as smtp. Since all my tries failed i
> wonder if any of you gurus can give me some pointer what to do (or tell me
> to stop waisting time if what I'm trying to do is not possible).
If you know which process the malicious code is running in, I would
suggest trying oSpy, a tool designed to be used in parallel with
Wireshark:
http://code.google.com/p/ospy/
It will only be able to catch it if it uses the native Windows crypto
support (explicitly or implicitly through wininet), but I'm planning
on expanding that to detect common in-memory code signatures like
common binary distribution(s) of OpenSSL and similar.
Cheers,
Ole André