This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Analyse suspicious url


I got this suspicious URL in my mailbox of which I'm 99% sure that it's not sent (intentionally in any case) by the person who is listed as the sender. Can I use Wireshark to analyse what this URL actually does without harming (downloading spyware, malware, cookies, ...) my computer in any way? Perhaps by capturing my wlan device and running curl on this URL? If so, what should I be looking for specifically?

FYI, the URL is hxxp://ashadtravels.com/data/default.php?ID=obucec&catid=vupani

Comment: I modified your link from http:// to hxxp:// to prevent people from clicking on a link that might lead to malware.

Thanks in advance!

asked 07 Dec '12, 14:56

niefpaarschoenen

edited 07 Dec '12, 15:03

Kurt Knochner ♦


One Answer:


Well, you can use Wireshark to see what is transferred after calling the URL, but you can't prevent any harm with it. It's like having a camera to watch someone throwing something at a window. If it is a ping pong ball nothing will happen, but if it is a stone you can later tell/prove that it was - but the window is still broken.

The way of looking at a URL without fearing damage would be to use a virtual machine that you can reset to a previous snapshot. Or (maybe) an Intrusion Prevention System could catch the bad stuff and kill it before it hits. A VM is usually the cheapest way to go if you want to take a look.

answered 08 Dec '12, 09:49

Jasper ♦♦

And what kind of transfers should I be looking for? That is, how can I detect a stone with wireshark? Are there any useful/common filters for this type of detection?

(08 Dec '12, 14:19) niefpaarscho...

You can detect a stone if you know what a stone looks like. There are some filters out there to detect known malware signatures in packet traces, but most of them are so old that using them is basically useless. A lot of people still think that they can impress anyone by presenting filters for MS-Blaster or the Slammer worm, but these are completely irrelevant today.

IPS systems and virus scanners have more recent signatures, but usually there is nobody offering Wireshark filters for the latest (known) attacks. Unknown attacks will not be found in most cases anyway - or by pure luck.

(09 Dec '12, 03:12) Jasper ♦♦

But there has to be some kind of file download and execution for a virus or malware to operate, no? I thought that was basically the main difference in how Windows and Linux operate: Windows will execute some things automatically, while Linux will always ask. And is this download or execution not something that can be detected by Wireshark? Or in your analogy: maybe I cannot detect whether it's a stone that has been thrown, but I should be able to detect whether something was thrown at all, no?

(09 Dec '12, 13:55) niefpaarscho...

I'm sorry, but your facts about Windows and Linux are a little outdated - Windows (Vista and up) does ask about suspicious stuff if it falls into certain categories, and even Linux doesn't "always ask". Especially not if the attack is against the browser/java/etc.

But yes, you could see an executable being downloaded, but a lot of attacks are well hidden, e.g. inside scripts inside other content like PDFs or web pages. You need to know what you're looking for - it's not like you're going to see something obvious like "infectvictim.exe" being downloaded.

(10 Dec '12, 01:30) Jasper ♦♦
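Editor's note: the thread ends without showing what "knowing what you're looking for" amounts to in practice. The script below is an added example, not code from the original posters or from the Wireshark project. It assumes you fetched the URL from a disposable VM (as the answer recommends), captured the traffic, and exported the HTTP responses with Follow TCP Stream (Save as raw) or File -> Export Objects -> HTTP. It then applies the indicators the discussion circles around: a redirect chain toward the real payload, a body whose magic bytes contradict the declared Content-Type (an "image" that is really a PE file), and HTML carrying zero-size iframes or obfuscated script. The three sample responses and the 198.51.100.7 address are constructed for the example; they are not from the URL in the question.

```python
"""Heuristic triage of HTTP responses exported from a Wireshark capture.

Added example (not from the original thread). Input is the raw bytes of
one HTTP/1.x response as saved by Wireshark's Follow TCP Stream.
"""
import re

# Payload types worth a second look whatever the server claims they are.
MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP/JAR/Office-XML archive",
    b"%PDF": "PDF document",
    b"\xd0\xcf\x11\xe0": "OLE2 (legacy Office) document",
}

ACTIVE_TAG_RE = re.compile(rb"<(script|iframe|object|embed|applet)\b", re.I)
HIDDEN_RE = re.compile(
    rb"""(?:width|height)\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden""", re.I)
OBFUSCATION_RE = re.compile(
    rb"\beval\s*\(|\bunescape\s*\(|String\.fromCharCode|document\.write\s*\(", re.I)


def _dechunk(body):
    """Reassemble a Transfer-Encoding: chunked body into its real bytes."""
    out = b""
    while body:
        size_line, _, body = body.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            break
        out += body[:size]
        body = body[size + 2:]  # skip the CRLF that follows the chunk data
    return out


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body).

    Header names are lower-cased so lookups do not depend on server casing.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = _dechunk(body)
    return status, headers, body


def identify(body):
    """Return the payload type implied by the first bytes of body, or None."""
    for magic, name in MAGIC.items():
        if body.startswith(magic):
            return name
    return None


def triage(raw):
    """Return a list of human-readable findings for one captured response."""
    status, headers, body = parse_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    findings = []

    # 1. Redirects: landing pages usually bounce the victim to the real host.
    if 300 <= status < 400 and "location" in headers:
        findings.append("redirect (%d) to %s" % (status, headers["location"]))

    # 2. Binary payload, and a Content-Type that lies about it.
    actual = identify(body)
    if actual:
        findings.append("body is a %s" % actual)
        if ctype.startswith(("text/", "image/")):
            findings.append("content-type %r does not match body (%s)" % (ctype, actual))

    # 3. HTML that loads active content, hides it, or obfuscates its script.
    looks_html = body[:256].lower().lstrip().startswith((b"<html", b"<!doctype"))
    if ctype == "text/html" or looks_html:
        tags = set(t.lower() for t in ACTIVE_TAG_RE.findall(body))
        if tags:
            findings.append("active content: " + ", ".join(sorted(t.decode() for t in tags)))
        if HIDDEN_RE.search(body):
            findings.append("hidden element (zero-size or display:none)")
        if OBFUSCATION_RE.search(body):
            findings.append("script obfuscation pattern (eval/unescape/fromCharCode)")
    return findings


# --- Constructed sample responses (not real captures) ---------------------
def _chunked(payload):
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(payload), payload)

REDIRECT = (b"HTTP/1.1 302 Found\r\nServer: Apache\r\n"
            b"Location: http://198.51.100.7/in.cgi?2\r\n"
            b"Content-Type: text/html\r\nContent-Length: 0\r\n\r\n")
LANDING = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
           b"Transfer-Encoding: chunked\r\n\r\n" + _chunked(
           b'<html><body><iframe src="http://198.51.100.7/x.php" width=0 height=0>'
           b'</iframe><script>eval(unescape("%76%61%72"));</script></body></html>'))
FAKE_GIF = (b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n"
            b"Content-Length: 64\r\n\r\nMZ\x90\x00" + b"\x00" * 60)

if __name__ == "__main__":
    for name, sample in (("redirect", REDIRECT), ("landing", LANDING), ("fake gif", FAKE_GIF)):
        print(name, "->", triage(sample))
```

None of these checks proves a page is malicious, and a clean result proves nothing either (the attack may sit in a second request the script never saw); the point is to turn "something was thrown" into a short list of things worth pulling out of the capture and examining, which is exactly the filtering Wireshark itself cannot do for you.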