Hi all,
we've developed a Wireshark plugin that will allow you to view
obfuscated pcaps of traffic from a Mariposa infected client and actually
decrypt them within Wireshark. The software is available to all as open
source software under the GNU GPL license. We hope that it helps in
doing further investigation and research into the Mariposa botnet.
Special thanks to Defence Intelligence for their analysis on Mariposa.
Attached please find the source code. You can get more information for
this tools on our blog at
http://www.paloaltonetworks.com/researchcenter/2009/10/mariposa-tool/<wlmailhtml:{1845F4BF-B103-4779-952B-DF9657F3740F}mid://00000002/!x-usc:http://www.paloaltonetworks.com/researchcenter/2009/10/mariposa-tool/>
You can also get the source code and a Windows DLL from the google code
at
http://code.google.com/p/botnetdecoding/<wlmailhtml:{1845F4BF-B103-4779-952B-DF9657F3740F}mid://00000002/!x-usc:http://code.google.com/p/botnetdecoding/>
.
Thanks,
M.Yanagishita
Attachment:
packet-mariposa.c
Description: Binary data
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/