jdk, 2017-08-09 13:54:51
Malware

How can traffic be analyzed for the presence of malware?

A simple example. I decided to log in to Rostelecom's personal account at lk.rt.ru, mistyped it and entered lkrt.ru; there was a redirect to the apycomm.com domain, then to tickets.ru with a referral link. What are the ways to make sure that nothing got onto the computer during this redirection? How can one analyze the domain in question and the traffic? In general, does a file have to be downloaded to a computer for malware to get onto it?
If you have a way to check the traffic that passes after entering lkrt.ru, I would be grateful for the results of an anti-virus diagnosis!

1 answer(s)
cssman, 2017-08-09
@jdk

Traffic can be analyzed for malware activity, i.e. requests/responses to/from the botnet command center, from repositories where modules will be downloaded, etc. In general, look for unexpected addresses among sources and destinations and try to examine the packet body (this is useless in 99% of cases, because the body is encrypted).
That was about the manual method, which is very inefficient.
There are all sorts of IDS/IPS, including HIDS/HIPS, which detect based on signatures and/or heuristics; their effectiveness is greater.
In general, to verify that nothing got onto the computer, monitoring network activity alone is not enough; you also need to look at anti-virus software.
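An added example of the manual method described in the answer above (this is not code from the answer's author or from the question). It reconstructs the redirect chain from an HTTP log, lists every host that is not the site the user intended to reach, and flags any response that delivered a binary. The log format, the field names and the last log line (a download from `dl.example.invalid`) are constructed for illustration; only the hosts lkrt.ru, apycomm.com and tickets.ru come from the question, and nothing here claims those hosts served anything malicious.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a proxy-style HTTP log (not a real capture).
# One request per line: time method host path status location content-type
# The final line (dl.example.invalid) is invented to exercise the download check.
SAMPLE_LOG = """\
2017-08-09T13:50:01 GET lkrt.ru / 302 location=http://apycomm.com/go?u=lk.rt.ru content-type=text/html
2017-08-09T13:50:01 GET apycomm.com /go?u=lk.rt.ru 302 location=https://tickets.ru/?ref=apycomm content-type=text/html
2017-08-09T13:50:02 GET tickets.ru /?ref=apycomm 200 location=- content-type=text/html
2017-08-09T13:50:02 GET static.tickets.ru /app.js 200 location=- content-type=application/javascript
2017-08-09T13:50:03 GET dl.example.invalid /update.exe 200 location=- content-type=application/octet-stream
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d{3}) "
    r"location=(?P<location>\S+) content-type=(?P<ctype>\S+)$"
)

# Content types that typically mean an executable was fetched (assumed list).
DOWNLOAD_TYPES = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-dosexec",
}


def parse_log(text):
    """Parse the constructed log format into a list of dict records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["location"] = None if rec["location"] == "-" else rec["location"]
        records.append(rec)
    return records


def redirect_chain(records, start_host):
    """Follow 3xx Location headers from the host the user typed.

    Returns the ordered list of hosts visited; stops at the first non-redirect
    or when a host repeats (redirect loop).
    """
    chain = [start_host]
    seen = {start_host}
    host = start_host
    while True:
        nxt = None
        for r in records:
            if r["host"] == host and 300 <= r["status"] < 400 and r["location"]:
                nxt = urlparse(r["location"]).hostname
                break
        if nxt is None or nxt in seen:
            return chain
        chain.append(nxt)
        seen.add(nxt)
        host = nxt


def unexpected_hosts(records, expected_suffixes):
    """Hosts contacted that are neither an expected domain nor a subdomain of one.

    Note the suffix check requires a leading dot, so the typo domain lkrt.ru
    is NOT treated as part of rt.ru even though the string ends in "rt.ru".
    """
    def is_expected(h):
        return any(h == s or h.endswith("." + s) for s in expected_suffixes)
    return sorted({r["host"] for r in records if not is_expected(r["host"])})


def downloaded_binaries(records):
    """(host, path) for every successful response that looks like a binary."""
    return [(r["host"], r["path"])
            for r in records
            if r["status"] == 200 and r["ctype"] in DOWNLOAD_TYPES]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("redirect chain:", " -> ".join(redirect_chain(recs, "lkrt.ru")))
    print("unexpected hosts:", unexpected_hosts(recs, ["rt.ru"]))
    print("binaries fetched:", downloaded_binaries(recs))
```

Even when the body is TLS-encrypted (the answer's 99% case), the host list and the chain of redirects are still visible from DNS and from the proxy or SNI, which is why the example keys on hosts and content types rather than on payload bytes. An empty result from `downloaded_binaries` does not prove nothing ran, which is the answer's point about also checking the host with anti-virus software.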
