Security-related question

Eric Shubert ejs at shubes.net
Thu Feb 24 09:16:07 MST 2011


On 02/22/2011 08:22 AM, Jim March wrote:
> Folks,
>
> I'm trying to figure out what a particular Windows piece of malware does.
>
> To that end I built a brand new WinXP virtual machine via Virtualbox
> (Linux host of course) and then infected the virtual machine :).
>
> In Ubuntu (Gnome) I usually run the System Monitor toolbar widget set to
> display CPU, memory and network traffic.  In the latter I can see
> network traffic happening that I can't explain as being Linux-related,
> so it has to be the virtual machine (which has Internet connectivity via
> a NAT router off of the Linux host...in other words, guest OS traffic
> will be visible in the host Linux system).
>
> I need to know first how I can prove that it's the Windows XP guest OS
> that's doing the traffic, or which other processes are doing which
> traffic, and then if possible log ALL of that traffic (preferably using
> Linux tools) for a brief time period to a file for analysis.
>
> Any help appreciated :).
>
> Jim March
>

Just FYI, Windoze is pretty 'chatty' when it comes to network use. It
uses port 139 for "browser elections" (ironically I suppose). I expect
that at least some of the network traffic you see will be this sort of
thing. Of course, you'll be needing to filter this 'noise' in order to
see if there's anything else of substance.

-- 
-Eric 'shubes'
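One way to put Eric's advice into practice on the Linux host, as an added example that is not part of this thread: parse a few constructed `tcpdump -nn` lines, keep only packets that involve the guest's address (which answers Jim's "prove it's the XP guest" question), set the NetBIOS/SMB chatter aside, and build the matching tcpdump capture filter. The guest address 192.168.56.101 and the sample lines are assumptions, and ports 137, 138 and 445 are added alongside the 139 named in the reply.

```python
import re
from collections import Counter

# NetBIOS name/datagram/session services and SMB over TCP: the Windows "chatter"
# the reply describes (139 is from the reply; 137/138/445 added as an assumption).
NOISE_PORTS = {137, 138, 139, 445}

PKT_RE = re.compile(r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
                    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$")

# Constructed sample of 'tcpdump -nn' output; 192.168.56.101 is the assumed guest.
SAMPLE = """\
12:00:01.000001 IP 192.168.56.101.137 > 192.168.56.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
12:00:01.100001 IP 192.168.56.101.138 > 192.168.56.255.138: NBT UDP PACKET(138) Res=0x110A ID=0x8
12:00:02.000001 IP 192.168.56.101.1042 > 203.0.113.7.80: Flags [S], seq 1, win 65535, length 0
12:00:02.200001 IP 203.0.113.7.80 > 192.168.56.101.1042: Flags [S.], seq 1, ack 2, win 65535, length 0
12:00:03.000001 IP 192.168.56.101.1043 > 198.51.100.9.6667: Flags [S], seq 1, win 65535, length 0
12:00:04.000001 IP 192.168.56.1.22 > 192.168.56.50.50000: Flags [P.], seq 1:100, ack 1, win 500, length 99
""".splitlines()

def parse_line(line):
    """Parse 'ts IP a.b.c.d.port > e.f.g.h.port: rest' into (src, sport, dst, dport, proto)."""
    m = PKT_RE.match(line)
    if not m:
        return None
    proto = "tcp" if "Flags [" in m["rest"] else "udp"   # tcpdump prints TCP flags
    return m["src"], int(m["sport"]), m["dst"], int(m["dport"]), proto

def bpf_filter(guest_ip):
    """tcpdump/BPF expression capturing only the guest, minus the NetBIOS/SMB noise."""
    ports = " or ".join(f"port {p}" for p in sorted(NOISE_PORTS))
    return f"host {guest_ip} and not ({ports})"

def triage(lines, guest_ip):
    """Count the guest's NetBIOS/SMB packets as noise; tally the rest per (proto, remote, port)."""
    noise, other = 0, Counter()
    for pkt in filter(None, map(parse_line, lines)):
        src, sport, dst, dport, proto = pkt
        if guest_ip not in (src, dst):
            continue  # host-side traffic, not the VM's
        if sport in NOISE_PORTS or dport in NOISE_PORTS:
            noise += 1
            continue
        remote, rport = (dst, dport) if src == guest_ip else (src, sport)
        other[(proto, remote, rport)] += 1
    return noise, other

if __name__ == "__main__":
    print("tcpdump -nn -i <host-iface> -w guest.pcap", repr(bpf_filter("192.168.56.101")))
    print(triage(SAMPLE, "192.168.56.101"))
```

The remaining flows (here an HTTP handshake and a connection to port 6667) are what is left to look at in Wireshark after the Windows background traffic is removed.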
