Wireshark-users: [Wireshark-users] Malicious software sends out mail using TLS
From: Jaap Zwanenveld <uc1972@xxxxxxxxxxx>
Date: Tue, 25 Aug 2009 16:10:21 +0200

I'm fairly new to Wireshark, but I have spent several hours testing and reading to find out what a malicious program sends out using TLS. What I've figured out so far is:

- program checks the IP address of the client by visiting whatismyip.com
- program connects to an IP address using port 587 (SMTP) -> Google mail server
- after connecting, the client sends the STARTTLS command
- server responds with "Ready to start TLS"
- some handshaking takes place (TLS)
- the agreed cipher suite between client and server is TLS_RSA_WITH_RC4_128_MD5

After that I can see packets going from client to server and the other way around. However, all the data is encrypted. I tried a lot of different things like "Follow SSL stream" and setting the RSA keys list entry using port 587 as parameter and protocol http as well as smtp. Since all my tries failed, I wonder if any of you gurus can give me some pointer what to do (or tell me to stop wasting time if what I'm trying to do is not possible).

I have captured the network data when running the tool. See enclosed attachment.



Attachment: help.pcap
Description: Binary data
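The ServerHello in the capture already answers the "is this possible" question. Wireshark's RSA keys list works by decrypting the RSA-encrypted premaster secret with the server's private key; with TLS_RSA_WITH_RC4_128_MD5 that key is Google's, which the analyst does not hold, so the decryption attempt cannot succeed no matter which port or protocol is entered. With a (EC)DHE suite even the server key would not help, and only session secrets exported from one of the endpoints would. The script below is an added example (not from the poster or the Wireshark project) that parses a TLS ServerHello record and reports the negotiated suite and key-exchange family; the two sample records are constructed inline, and the cipher-suite table is a small subset of the IANA registry.

```python
"""Inspect a TLS ServerHello and report whether Wireshark's RSA keys list
could ever decrypt the session.  Added example with constructed sample
records; not code from the original post or from Wireshark."""
import struct

# Cipher suite id -> (IANA name, key-exchange family).  Subset only.
CIPHER_SUITES = {
    0x0004: ("TLS_RSA_WITH_RC4_128_MD5", "RSA"),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", "RSA"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
    0xC014: ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

HANDSHAKE = 0x16      # TLS record content type
SERVER_HELLO = 0x02   # handshake message type


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ServerHello; raise ValueError otherwise."""
    # Record header: content type (1), version (2), length (2)
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated TLS record")
    # Handshake header: message type (1), length (3)
    if body[0] != SERVER_HELLO:
        raise ValueError("handshake message is not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len or hs_len < 38:   # 2 + 32 + 1 + 2 + 1 is the minimum
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hs[0:2])[0]
    server_random = hs[2:34]
    sid_len = hs[34]
    pos = 35 + sid_len
    if len(hs) < pos + 3:
        raise ValueError("ServerHello shorter than its session id claims")
    suite_id = struct.unpack("!H", hs[pos:pos + 2])[0]
    name, kx = CIPHER_SUITES.get(suite_id, ("unknown_0x%04x" % suite_id, "unknown"))
    return {
        "version": VERSIONS.get(version, "0x%04x" % version),
        "server_random": server_random.hex(),
        "session_id": hs[35:pos].hex(),
        "cipher_suite": name,
        "key_exchange": kx,
        "compression": hs[pos + 2],
    }


def decryptable_with_server_key(info: dict) -> bool:
    """The RSA keys list only works when the premaster secret is RSA-encrypted
    to the server's public key, i.e. a plain RSA key exchange.  (EC)DHE suites
    give forward secrecy: the server's private key is not enough, only session
    secrets exported by an endpoint would be."""
    return info["key_exchange"] == "RSA"


def build_server_hello(suite_id: int, version: int = 0x0301) -> bytes:
    """Constructed sample ServerHello: zero server random, empty session id,
    null compression, no extensions.  For demonstration only."""
    hs_body = (struct.pack("!H", version) + bytes(32) + b"\x00"
               + struct.pack("!H", suite_id) + b"\x00")
    handshake = bytes([SERVER_HELLO]) + len(hs_body).to_bytes(3, "big") + hs_body
    return (bytes([HANDSHAKE]) + struct.pack("!H", version)
            + struct.pack("!H", len(handshake)) + handshake)


# Constructed samples: the suite seen in the post, and a forward-secret one.
RC4_MD5_HELLO = build_server_hello(0x0004)
ECDHE_HELLO = build_server_hello(0xC014, version=0x0303)

if __name__ == "__main__":
    for sample in (RC4_MD5_HELLO, ECDHE_HELLO):
        info = parse_server_hello(sample)
        verdict = ("decryptable only with the server's private key"
                   if decryptable_with_server_key(info)
                   else "not decryptable even with the server's private key")
        print(info["version"], info["cipher_suite"], "->", verdict)
```

To use this on a real capture, feed it the bytes of the first TLS record the server sends after "Ready to start TLS" (Wireshark's SSL/TLS dissector shows the same fields under the ServerHello node). The version field read here is the legacy record version; TLS 1.3 servers advertise the real version in a supported_versions extension, which this parser does not decode. RC4 and MD5-based suites are deprecated (RFC 7465 prohibits RC4), so a client that still negotiates TLS_RSA_WITH_RC4_128_MD5 is itself a useful indicator when hunting for this kind of malware.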