[Dshield] Malware analysis question

Brenden Walker BKWalker at drbsystems.com
Wed Mar 12 20:14:28 GMT 2008


> -----Original Message-----
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Pete Cap
> Sent: Wednesday, March 12, 2008 11:49 AM
> To: list at lists.dshield.org
> Subject: [Dshield] Malware analysis question
> 
> List,
> 
> However, I'm pretty sure that if you haven't got an IP, and 
> the binary uses TCP/IP to communicate, that you would not see 
> any traffic.  Windows would simply not pass it, it would be 
> rejected, whatever (you would see Ethernet frames and 
> whatnot, DHCP requests, but no IP traffic).
> 
> Which is correct?  And, can someone please explain to me what 
> happens, on a technical or application level, when a binary 
> wants to communicate?  What does it "talk" to?  I confess 
> that I have no real idea of how this works.

I just realized I didn't properly address your last paragraph.  I'm just
a bit surprised that I can actually contribute something to this list
;-). I'm usually just reading/learning and asking questions.

At the most basic client level an application running on most Windows
versions (I believe 95/98 used Winsock1 which is a bit different) makes
a call to the WS2_32.DLL socket function to initialize a socket and then
the WS2_32.DLL connect function to connect to it (the call passes in
address/port information).  Presumably specifying the broadcast address
would allow broadcast traffic in this scenario.  I haven't had any need
to implement anything that broadcasts, so no experience there.

With no local address the call to connect should blow up with an error.
Broadcast traffic in theory is different, but you would have seen that
in Wireshark even with no IP address assigned to the interface, at least
I did see DHCP and the like.
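
The socket-then-connect sequence described in this message, as an added example that is not part of the original post. It uses POSIX sockets as a stand-in for Winsock (same socket()/connect() calls, with WSAE-prefixed error codes on Windows); probe_connect, wire_expectation and the loopback listener are constructed for illustration.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* socket() then connect() to ip:port; returns 0 or the errno the stack reported. */
int probe_connect(const char *ip, unsigned short port) {
    struct sockaddr_in dst = { .sin_family = AF_INET, .sin_port = htons(port) };
    if (inet_pton(AF_INET, ip, &dst.sin_addr) != 1) return EINVAL;
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) return errno;
    int rc = connect(s, (struct sockaddr *)&dst, sizeof dst) == 0 ? 0 : errno;
    close(s);
    return rc;
}

/* What a capture should show for each result the application can see. */
const char *wire_expectation(int err) {
    switch (err) {
    case 0:            return "handshake completed: SYN, SYN/ACK, ACK captured";
    case ECONNREFUSED: return "SYN sent, peer answered with RST";
    case ETIMEDOUT:    return "SYN retransmitted, nothing came back";
    case ENETUNREACH:  return "no route for the destination: no IP packet sent";
    default:           return "other failure: look up the error code";
    }
}

/* Constructed fixture: loopback listener on an ephemeral port. */
int loopback_listener(unsigned short *port) {
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t len = sizeof a;
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0 || bind(s, (struct sockaddr *)&a, sizeof a) < 0 || listen(s, 1) < 0 ||
        getsockname(s, (struct sockaddr *)&a, &len) < 0) { if (s >= 0) close(s); return -1; }
    *port = ntohs(a.sin_port);
    return s;
}

int main(void) {
    unsigned short port = 0;
    int l = loopback_listener(&port);
    if (l < 0) return 1;
    printf("listening: %s\n", wire_expectation(probe_connect("127.0.0.1", port)));
    close(l);  /* same port, now closed */
    printf("closed:    %s\n", wire_expectation(probe_connect("127.0.0.1", port)));
    return 0;
}
```

Logging the error code a sample's connect call returns in the lab and comparing it with the capture separates "the stack never sent anything" from "it sent and nothing answered".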


