{"id":842,"date":"2009-10-27T08:19:52","date_gmt":"2009-10-27T16:19:52","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=842"},"modified":"2010-02-10T09:59:39","modified_gmt":"2010-02-10T17:59:39","slug":"mariposa-tool","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2009\/10\/mariposa-tool\/","title":{"rendered":"Wireshark Plugin for Mariposa Botnet Command and Control"},"content":{"rendered":"<p>As a follow up to last week\u2019s post regarding Mariposa infection research, Yamata Li of the Palo Alto Networks Threat Research Team has developed a Wireshark plugin that will allow you to view obfuscated pcaps of traffic from a Mariposa infected client and actually decrypt them within Wireshark. The software is available to all as open source software under the GNU GPL license. We hope that it helps in doing further investigation and research into the Mariposa botnet. <!--more--> Special thanks to\u00a0<a href=\"http:\/\/defintel.blogspot.com\/2009\/10\/mariposa-botnet-analysis.html\" rel=\"nofollow,noopener\"  target=\"_blank\"><strong>Defence Intelligence<\/strong><\/a> for their analysis on Mariposa.<\/p>\n<p>Read on for information on installing and using the plugin.<\/p>\n<h3>Where to get it<\/h3>\n<p>The project is hosted\u00a0<a href=\"http:\/\/code.google.com\/p\/botnetdecoding\/\" rel=\"nofollow,noopener\"  target=\"_blank\"><strong>here<\/strong><\/a> on Google Code.<\/p>\n<h3>How to install it<\/h3>\n<p>Unzip the mariposa.zip file. There will be 3 files \u2013 mariposa.dll, the source file, and packet-mariposa.c. Copy the DLL into the wireshark plugin directory. For example, d:\\wireshark\\plugin. The code was compiled based on Wireshark version 1.2.2. It may work on previous versions, but there are no guarantees.<\/p>\n<h3>How to use it<\/h3>\n<p>Restart Wireshark. Open a PCAP of the Mariposa command and control traffic. 
Locate the traffic which you want to decrypt, right-click and select\u00a0<em>Decode As\u2026<\/em><\/p>\n<p><em><a href=\"http:\/\/www.paloaltonetworks.com\/researchcenter\/wp-content\/uploads\/2009\/10\/wireshark1.gif\"><div style=\"max-width:100%\" data-width=\"516\"><span class=\"ar-custom\" style=\"padding-bottom:64.34%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"size-full wp-image-854 alignnone lozad\" title=\"wireshark1\"  data-src=\"http:\/\/www.paloaltonetworks.com\/researchcenter\/wp-content\/uploads\/2009\/10\/wireshark1.gif\" alt=\"\" width=\"516\" height=\"332\" \/><\/span><\/div><\/a><\/em><\/p>\n<p>A dialog box will appear (on the <em>Transport<\/em> tab) and you will get a list on the right side of the dialog box. Search and choose <em>MARIPOSA<\/em> and click <em>Apply<\/em>.<\/p>\n<p><a href=\"http:\/\/www.paloaltonetworks.com\/researchcenter\/wp-content\/uploads\/2009\/10\/wireshark2.gif\"><div style=\"max-width:100%\" data-width=\"439\"><span class=\"ar-custom\" style=\"padding-bottom:61.28%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"size-full wp-image-855 alignnone lozad\" title=\"wireshark2\"  data-src=\"http:\/\/www.paloaltonetworks.com\/researchcenter\/wp-content\/uploads\/2009\/10\/wireshark2.gif\" alt=\"\" width=\"439\" height=\"269\" \/><\/span><\/div><\/a><\/p>\n<p>\u201cMARIPOSA\u201d will now appear as the protocol for the associated traffic.<\/p>\n<h3>How to read it<\/h3>\n<p>In the Wireshark <em>Packet Detail<\/em> window there is a tree named <em>MARIPOSA Protocol<\/em>; in it you will find the <em>Opcode<\/em>, <em>Seq<\/em>, <em>Original Data<\/em>, <em>Decrypted Data<\/em>, <em>BOT cmd<\/em> and <em>BOT cmd Content<\/em> items. The <em>Decrypted Data<\/em> is probably the most interesting. 
Click on it to view the decrypted data.<\/p>\n<p><a href=\"http:\/\/www.paloaltonetworks.com\/researchcenter\/wp-content\/uploads\/2009\/10\/wireshark3.gif\"><div style=\"max-width:100%\" data-width=\"416\"><span class=\"ar-custom\" style=\"padding-bottom:53.13%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"alignnone size-full wp-image-856 lozad\" title=\"wireshark3\"  data-src=\"http:\/\/www.paloaltonetworks.com\/researchcenter\/wp-content\/uploads\/2009\/10\/wireshark3.gif\" alt=\"\" width=\"416\" height=\"221\" \/><\/span><\/div><\/a><\/p>\n<p>Mariposa pulling a file down from Rapidshare<\/p>\n<p><a href=\"http:\/\/www.paloaltonetworks.com\/researchcenter\/wp-content\/uploads\/2009\/10\/wireshark4.gif\"><div style=\"max-width:100%\" data-width=\"416\"><span class=\"ar-custom\" style=\"padding-bottom:53.13%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"alignnone size-full wp-image-857 lozad\" title=\"wireshark4\"  data-src=\"http:\/\/www.paloaltonetworks.com\/researchcenter\/wp-content\/uploads\/2009\/10\/wireshark4.gif\" alt=\"\" width=\"416\" height=\"221\" \/><\/span><\/div><\/a><\/p>\n<p>Receiving attack instructions<\/p>\n<p style=\"text-align: left;\"><a href=\"http:\/\/www.paloaltonetworks.com\/researchcenter\/wp-content\/uploads\/2009\/10\/wireshark5.gif\"><div style=\"max-width:100%\" data-width=\"416\"><span class=\"ar-custom\" style=\"padding-bottom:53.13%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"alignnone size-full wp-image-859 lozad\" title=\"wireshark5\"  data-src=\"http:\/\/www.paloaltonetworks.com\/researchcenter\/wp-content\/uploads\/2009\/10\/wireshark5.gif\" alt=\"\" width=\"416\" height=\"221\" \/><\/span><\/div><\/a><\/p>\n<p>A confirmation message from the infected client to the command and control server - \"Flood running\"<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As a follow up to last week\u2019s post regarding Mariposa infection research, Yamata Li of the Palo Alto Networks Threat Research Team has 
developed a Wireshark plugin that will allow you to &hellip;<\/p>\n","protected":false},"author":6,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[49,51],"coauthors":[],"class_list":["post-842","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-mariposa","tag-threats"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/842","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=842"}],"version-history":[{"count":1,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/842\/revisions"}],"predecessor-version":[{"id":863,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/842\/revisions\/863"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=842"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=842"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=842"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/w
p\/v2\/coauthors?post=842"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}