Free Wireshark Training Course Online

Take a free Wireshark Jumpstart training class online at

Tuesday, October 5, 2010


Unless you've been living under a rock (or playing the new Halo non-stop), you likely have heard of the FBI nabbing 100+ in a global cybercrime ring.

You'll notice mention of Zeus. Zeus is financial malware - in essence, it listens to your online banking sessions and sends them to scumbag server (SS). Now if you do a little research, you'll find that Zeus is currently listed as the #1 botnet by some folks (
Trusteer). Many virus detection tools miss Zeus altogether. (I'm not surprised by that at all - I have a kitchen strainer that does a better job than some of the VDS options out there.).

You could watch the conversation information and do some GeoIP mapping in Wireshark, but that might not be the best option (Gasp! Did I really say that? Yes.) Check out BotHunter (from my old employer, SRI International - yup - I was a waitress in the Executive Dining Room at the time when my peers were taking Latin and World History in their senior year of high school - another story for
another time).

BotHunter basically monitors conversations with an awareness of your trusted network (you define that during the setup) while using Snort's event generation engine to report suspect behavior. It's an interesting tool to play with - in addition, check out to view the BotHunter Internet Monitor page. BotHunter automatically grabs the latest C&C server list, malware DNS list, Russian Business Network address space and malicious backdoor/control ports from the SRI repository. The BotHunter repository service enables your "fielded BotHunter" to report infection profiles anonymously.

It's an interesting and FREE product to help you battle bot-infected hosts. If you haven't had a chance to analyze the traffic to/from a bot-infected host - check out the sec-sickclient.pcap file over in the trace files available at

Interesting Links:

Remember to check out the Wireshark Certified Network Analyst program



p.s. Thanks to everyone who suggested "back fixes" - it's healing nicely so far.