The most surprising thing about Wireshark malware traffic analysis is that you’re not really looking for the malware itself, but rather the conversation it’s trying to have.
Let’s see this in action. Imagine a simple DNS query for evil.example.com. In Wireshark, this looks like:
192.168.1.100 -> 8.8.8.8 UDP, srcport 54321, dstport 53
Domain Name: evil.example.com
This is pretty straightforward. Now, consider a DNS query that isn’t for a normal domain. Malware often uses DNS as a simple channel to talk to its Command and Control (C2) server. The domain name itself might contain encoded data, or the response might.
Here’s a more complex example you might see:
192.168.1.100 -> 1.1.1.1 UDP, srcport 12345, dstport 53
Domain Name: SG93IGFyZSB5b3UgdG9kYXk_3aGVsbG8_.evil.example.com
Notice the SG93IGFyZSB5b3UgdG9kYXk_3aGVsbG8_ part. That looks like Base64. Decoding it reveals "How are you today?hello". This is a basic example of data exfiltration or a command being sent via a DNS query. The C2 server, listening at evil.example.com, would then respond, possibly with encoded instructions.
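To make the "decode the label" step repeatable, here is an added Python example (not code from the original post). It takes a query name, tries each label as Base64 in both the standard and URL-safe alphabets, restores the `=` padding a sender has to strip because `=` is not valid in a hostname label, and only reports a label when the result is printable text. The sample query name, the minimum label length and the printable-text rule are assumptions chosen for this example.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Assumption: labels shorter than this are unlikely to carry an encoded
# payload and would produce many false positives (e.g. "mail", "www").
MIN_LABEL_LEN = 12

# Standard and URL-safe Base64 alphabets. DNS labels cannot contain "=",
# so padding is normally stripped by the sender and must be restored here.
_STD_RE = re.compile(r"^[A-Za-z0-9+/]+$")
_URL_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def _repad(s: str) -> Optional[str]:
    """Restore stripped '=' padding; a length of 1 mod 4 is never valid Base64."""
    rem = len(s) % 4
    if rem == 1:
        return None
    return s + "=" * ((4 - rem) % 4)


def decode_label(label: str) -> Optional[str]:
    """Try to decode one DNS label as URL-safe or standard Base64.

    Returns the decoded text only when it is printable ASCII, i.e. the
    'looks like a command or exfiltrated text' case discussed above.
    """
    if len(label) < MIN_LABEL_LEN:
        return None
    if _URL_RE.match(label):
        # URL-safe alphabet: map '-' and '_' back to '+' and '/'.
        candidate = label.replace("-", "+").replace("_", "/")
    elif _STD_RE.match(label):
        candidate = label
    else:
        return None
    padded = _repad(candidate)
    if padded is None:
        return None
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    # Random bytes almost never decode to purely printable ASCII, so this
    # check filters out ordinary hostnames that happen to fit the alphabet.
    if not text or not text.isprintable():
        return None
    return text


def inspect_qname(qname: str) -> List[Tuple[str, str]]:
    """Return (label, decoded_text) for every label of a query name that
    decodes to printable text. The caller decides which zone is suspicious."""
    findings = []
    for label in qname.rstrip(".").split("."):
        decoded = decode_label(label)
        if decoded is not None:
            findings.append((label, decoded))
    return findings


if __name__ == "__main__":
    # Constructed sample: "How are you today?hello" URL-safe encoded, padding stripped.
    sample = "SG93IGFyZSB5b3UgdG9kYXk_aGVsbG8.evil.example.com"
    for label, text in inspect_qname(sample):
        print(f"{label} -> {text!r}")
```

The same function can be pointed at the rdata of TXT answers, which is where the response side of such a channel usually carries its payload; the printable-text rule is deliberately strict, so binary or XOR-wrapped payloads will not be reported by it.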
To build a mental model, think of C2 traffic as a secret handshake and whispered messages. The handshake is the initial connection, and the messages are the data exchanged. Malware needs to tell its controller what it’s found on the infected machine, and the controller needs to tell the malware what to do next. This communication needs to be stealthy, and attackers use various methods to hide it within legitimate-looking protocols.
The Problem Solved: Malware needs to communicate with its C2 server to receive commands and send back stolen data. This communication is a critical part of its lifecycle and a prime target for detection.
How it Works Internally:
- Reconnaissance/Staging: The malware might first try to discover network information or reach out to a known C2 server.
- Command and Control (C2): This is the primary communication channel. Malware sends "heartbeats" or status updates, and receives commands (e.g., "download file," "execute command," "exfiltrate data").
- Data Exfiltration: Stolen data is sent back to the attacker.
Levers You Control:
- Protocol Choice: Attackers choose protocols that blend in. DNS, HTTP/S, ICMP are common. You can filter Wireshark with display filters such as dns, http, tcp.flags.syn == 1, or icmp.
- Encoding/Encryption: To hide data within these protocols, attackers use Base64, XOR, or even full TLS encryption. Filtering for common encoding patterns, or looking for unencrypted text within protocols that should be encrypted, is key.
- Domain Generation Algorithms (DGAs): For C2 domains, attackers often use DGAs to generate a large number of domain names, making it hard to block them all. You’ll see frequent, unusual DNS queries to seemingly random domains.
- Timing and Volume: C2 traffic often has a distinct rhythm. Small, regular packets can indicate a beacon. Large, sudden bursts might signal data exfiltration.
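The two levers that are hardest to check by eye in Wireshark are the DGA-looking names and the beacon rhythm. The added Python example below (not code from the original post) runs simple versions of both checks over a constructed query log of (time, source IP, query name) tuples, the kind of rows you would export from a capture with tshark. The thresholds (label length, entropy, vowel ratio, interval regularity, minimum query count) and the "last two labels" approximation of the registrable domain are assumptions for this example; real tooling should use the Public Suffix List and tune thresholds against its own baseline.

```python
import math
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample log: (unix_time, source_ip, query_name). Not from a real
# capture. One host beacons to evil.example.com roughly every 60 seconds and
# also resolves three random-looking names; the rest is ordinary traffic.
SAMPLE_QUERIES: List[Tuple[float, str, str]] = [
    (1000.0, "192.168.1.100", "evil.example.com"),
    (1003.0, "192.168.1.100", "cdn.legit-site.test"),
    (1010.0, "192.168.1.100", "www.legit-site.test"),
    (1060.0, "192.168.1.100", "evil.example.com"),
    (1120.5, "192.168.1.100", "evil.example.com"),
    (1150.0, "192.168.1.100", "xk7qzpv9mw2r.net"),
    (1151.0, "192.168.1.100", "q8zjv4bnx0wk.com"),
    (1152.0, "192.168.1.100", "mzp3kq9vtxd2.org"),
    (1179.6, "192.168.1.100", "evil.example.com"),
    (1200.0, "192.168.1.100", "cdn.legit-site.test"),
    (1201.0, "192.168.1.101", "mail.legit-site.test"),
    (1240.2, "192.168.1.100", "evil.example.com"),
    (1300.0, "192.168.1.100", "evil.example.com"),
    (1500.0, "192.168.1.100", "cdn.legit-site.test"),
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(qname: str) -> str:
    """Assumption: last two labels approximate the registrable domain."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def is_dga_like(qname: str, min_len: int = 10, min_entropy: float = 3.3,
                max_vowel_ratio: float = 0.25) -> bool:
    """Flag long, high-entropy, vowel-poor second-level labels (assumed thresholds)."""
    label = registrable_domain(qname).split(".")[0]
    if len(label) < min_len:
        return False
    vowels = sum(label.count(v) for v in "aeiou")
    return (shannon_entropy(label) >= min_entropy
            and vowels / len(label) <= max_vowel_ratio)


def find_beacons(records: List[Tuple[float, str, str]], min_count: int = 5,
                 max_cv: float = 0.15) -> List[Tuple[str, str, float]]:
    """Report (src, domain, mean_interval) where query gaps are very regular.

    Regularity is measured as coefficient of variation (stdev / mean) of the
    gaps between consecutive queries from one host to one domain."""
    by_key: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    for ts, src, qname in records:
        by_key[(src, registrable_domain(qname))].append(ts)
    beacons = []
    for (src, domain), times in by_key.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_cv:
            beacons.append((src, domain, round(mean, 1)))
    return beacons


def analyze(records: List[Tuple[float, str, str]]) -> Dict[str, list]:
    """Run both checks and return the flagged names and beacon candidates."""
    dga = sorted({q for _, _, q in records if is_dga_like(q)})
    return {"dga_like": dga, "beacons": find_beacons(records)}


if __name__ == "__main__":
    result = analyze(SAMPLE_QUERIES)
    print("DGA-like names:", result["dga_like"])
    print("Beacon candidates:", result["beacons"])
```

Both checks are heuristics: CDN and cloud hostnames can look random, and software update checks can be perfectly periodic, so the output is a list of things to look at in the capture, not a verdict. Jittered beacons raise the coefficient of variation, which is why the threshold is a parameter rather than a constant.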
The Mechanic Nobody Explains: Many attackers leverage the flexibility of DNS TXT records or DNS over HTTPS (DoH) to tunnel larger amounts of data. While DNS is typically for name resolution, TXT records can hold arbitrary text, and DoH routes DNS queries over HTTPS, making them appear as normal web traffic. This allows for more robust C2 communication that’s harder to distinguish from legitimate web browsing, especially if the malware uses a popular DoH resolver.
The next step is understanding how to automate the detection of these patterns rather than just spotting them manually.