steambag Posted January 20, 2013 Share Posted January 20, 2013 (edited) We will catch the gate/ftp/email, which set the existing build stealer. We need: - Build stealer - Wireshark - VirtualBox 1. The first thing to do - kill all of the processes that use the network. So it will be easier to find the data you need. 2. Run Wireshark and configure the interface for sniffing: Capture -> Interfaces. Choose the one that you used - in the column will be the largest number of Packets. Click "Start", thereby starting sniffing. 3. Run the build stealer (all on VirtualBox, and nothing else!) and control Process Explorer his work forward to the completion. 4. Go to Wireshark and click Capture -> Stop, that is complete sniffing. We now have a dump of the network activity of the entire system for while working build stealer. It remains to find the desired data. FTP: To start trying to detect FTP-server, suddenly stealer in this way sends a report with passwords. We go to the Wireshark and type into the filter field word "ftp" and press "Enter": This is the hidden content, please Sign In or Sign Up We received the packages sent by FTP: This is the hidden content, please Sign In or Sign Up (In the picture selected host, username and password of FTP) Gate: Try to catch the gate address. Remove the "ftp" from the line filter and look for the package follows stealer. Hit Ctrl + F to open the search window. Choosing a search string (Find by: String) and type into the search string "UFR", leave the rest on the default. If the build is to send the password to the gate, something had to be found. This is the hidden content, please Sign In or Sign Up Email: To do this in the filter field, trying to type the string "smtp" and see this: This is the hidden content, please Sign In or Sign Up Decode username and password from soap sender using this This is the hidden content, please Sign In or Sign Up Go to the email and change the password. Edited January 20, 2013 by steambag Link to comment Share on other sites More sharing options...
SpecOps Posted January 21, 2013 Share Posted January 21, 2013 Re: Sniff build UFR Stealer What if enabled Anti Wireshark? Link to comment Share on other sites More sharing options...
steambag Posted January 22, 2013 Author Share Posted January 22, 2013 Re: Sniff build UFR Stealer You can try to change the name of the EXE wireshark, or change the title of the window. Link to comment Share on other sites More sharing options...
Recommended Posts