It's time for another ISC traffic analysis quiz! Like previous quizzes, we have traffic and alerts from an infected Windows computer. This month's quiz consists of:
You can find the pcap, alerts, and answers here. Don't peek at the answers just yet!
Environment and quiz questions
The environment where this infection takes place:
Here are questions to answer based on the pcap and the alerts:
This type of analysis requires Wireshark. Wireshark is my tool of choice to review pcaps of infection activity. However, Wireshark's default settings are not optimized for web-based malware traffic, so I encourage people to customize Wireshark after installing it. To help, I've written a series of tutorials. The ones most helpful for this quiz are:
Furthermore, I recommend using a non-Windows environment like BSD, Linux, or macOS to analyze malicious traffic. This pcap contains HTTP traffic delivering Windows-based malware. If you're using a Windows host to review the pcap, your antivirus (including Windows Defender) may quarantine or delete the pcap or the extracted malware. Worst case scenario? If you extract the malware from the pcap and accidentally run it, you might infect your Windows computer.
So beware, because there's actual malware involved for this exercise.
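The safest first pass over a pcap like this one is to inspect it without ever writing the delivered file to disk. The script below is an added example (not part of this diary and not one of the tutorials it mentions): a dependency-free reader for classic libpcap files that walks each Ethernet/IPv4/TCP segment, records HTTP request lines and Host headers, and flags any HTTP response whose body starts with the "MZ" marker of a Windows executable. The sample pcap it reads is constructed inline from two hypothetical packets (addresses 10.0.0.5 and 203.0.113.10, hostname example.invalid, path /update/installer.exe are all made up), so it runs offline on any host.

```python
"""Triage HTTP activity in a libpcap file without extracting the payload to disk.

Added example, not code from the diary. The pcap below is constructed test
data; real captures come from the quiz download instead.
"""
import struct


def _ipv4_tcp_frame(src, dst, sport, dport, payload):
    """Build an Ethernet/IPv4/TCP frame for constructed test data (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst/src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap link-layer frames in a little-endian libpcap file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp_payloads(pcap):
    """Yield (src, dst, sport, dport, payload) for each TCP segment that carries data."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    off = 24                                                # skip the global header
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                        # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack("!H", frame[16:18])[0]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        payload = frame[14 + ihl + data_off:14 + total_len]  # total_len drops Ethernet padding
        if payload:
            yield src, dst, sport, dport, payload


def _header(block, name):
    """Return the value of HTTP header `name` (case-insensitive) from a header block, or ''."""
    for line in block.split(b"\r\n"):
        if line.lower().startswith(name + b":"):
            return line.split(b":", 1)[1].strip().decode("latin-1")
    return ""


def triage_http(pcap):
    """Return findings: HTTP requests seen, and responses whose body begins with 'MZ'."""
    findings = []
    for src, dst, sport, dport, payload in iter_tcp_payloads(pcap):
        if payload.startswith((b"GET ", b"POST ")):
            headers = payload.split(b"\r\n\r\n", 1)[0]
            findings.append({"kind": "request", "src": src, "dst": dst,
                             "host": _header(headers, b"host"),
                             "request": headers.split(b"\r\n", 1)[0].decode("latin-1")})
        elif payload.startswith(b"HTTP/1.") and b"\r\n\r\n" in payload:
            headers, body = payload.split(b"\r\n\r\n", 1)
            if body.startswith(b"MZ"):                      # DOS stub signature of a PE file
                findings.append({"kind": "exe", "src": src, "dst": dst,
                                 "content_type": _header(headers, b"content-type")})
    return findings


# Constructed sample: one request for an .exe and the response that delivers it.
CLIENT, SERVER = "10.0.0.5", "203.0.113.10"                 # hypothetical addresses
SAMPLE_PCAP = build_pcap([
    _ipv4_tcp_frame(CLIENT, SERVER, 49152, 80,
                    b"GET /update/installer.exe HTTP/1.1\r\nHost: example.invalid\r\n"
                    b"User-Agent: Mozilla/5.0\r\n\r\n"),
    _ipv4_tcp_frame(SERVER, CLIENT, 80, 49152,
                    b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
                    b"MZ\x90\x00" + b"\x00" * 60),
])

if __name__ == "__main__":
    for finding in triage_http(SAMPLE_PCAP):
        print(finding)
```

The script only looks at the first segment of each response, which is enough to spot an executable download and the hostname and URI that fetched it, but not to recover the whole file; for that you still need TCP reassembly, which is exactly what Wireshark's Follow TCP Stream and Export Objects features provide. If you do export the file, hash it and submit the hash to a sandbox or multi-scanner rather than opening the binary on the analysis host.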
Again, files associated with this quiz (pcap, alerts, and answers) can be found here.
If you found this fun, we have previous traffic analysis quizzes:
brad [at] malware-traffic-analysis.net