Thursday, December 29, 2011

Decoding malware SSL using Burp proxy

When performing dynamic analysis of malware, you will occasionally encounter SSL being utilized for network communication, thus preventing you from analyzing the content.  Typically Wireshark is utilized to examine network traffic at the packet level. Wireshark has an SSL dissector that allows for the decryption of SSL traffic if you provide the decryption keys. This technique is described in detail on the Wireshark wiki.   However, I prefer to use an intercepting proxy to attempt the SSL analysis. The proxy will use its own SSL server certificate to negotiate and establish an encrypted session with the remote host. Essentially you are using the proxy to "Man-in-the-Middle" the malware's connection to the remote server.....

read the complete article here


Share It

Popular Posts