  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 279

Sniffing the URL requested by an app

I have an app that is requesting content from various web servers (it's spyware). It's playing video advertisements at me all day. It's locked out the controls that would let me check the clip status (and therefore get the URL). It is using Windows Media Player.

I would like an app that I can run that would monitor connections and tell me the URL of any content it accesses. What would you recommend? I've used Ethereal in the past but found it a little clunky for something so single-purposed.
Asked by: hibbidiji
sciwriter commented:
If you install Ad-Aware SE or another program like it, this software will detect most of the spyware on the system, and you can simply delete the registry keys. But before you delete them, you can go into those registry keys and find the originating server it is polling directly -- as well as use a hex editor to view the contents of any EXEs that this spyware is calling. In most cases of spyware, the URLs that are chosen are live-generated each day, or sometimes each hour, by a spy server site, and if you can find exactly what that site is, plus the attached query, you've got a real-time hook into all the spyware content that will be delivered from the server -- say http://153a.xtp1247.axu.net/143?ax=1&td=4c

The items after the query are key to what the URL will deliver; don't miss them. This way you have the originating hook, which seems better to me than trying to track random URLs which can, and probably will, be coming from a host of other sites simply spawned by the originating site, like a diversionary tactic.
0
 
hibbidiji (author) commented:
I'm aware of how these rats work... I really just need a good lead on some way to check the URLs that are being called. I can read the GETs and figure out affiliate ID etc. for clickthroughs. I am not able to read the URLs in the hex because they've all been (it looks like) base64-encoded or otherwise obfuscated just enough to make it difficult to see them... any ideas on a good sniffing app?
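The "base64-encoded just enough to make it difficult" problem the author describes is easy to attack offline once the binary is on disk. The following is an added example, not code from anyone in this thread: it scans a byte blob for plaintext URLs and for runs of base64 characters that decode to a URL, using either alphabet. The blob, hostnames and query strings are constructed placeholders; the encoded URLs in it are just what a real binary would contain if the author strings were base64-wrapped.

```python
import base64
import binascii
import re
from typing import List, Optional

# Constructed sample blob (not taken from any real binary): one plaintext URL
# and two base64-encoded URLs (standard and URL-safe alphabets) between junk.
# Hostnames are placeholders.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03junk\x00"
    + b"http://plain.example.test/ad?id=1\x00\x00"
    + base64.b64encode(b"http://153a.example.test/143?ax=1&td=4c")
    + b"\xff\xfe"
    + base64.urlsafe_b64encode(b"https://cdn.example.test/v/clip.wmv")
    + b"\x00"
)

PLAIN_URL = re.compile(rb"https?://[\x21-\x7e]+")
# Runs of base64 characters (either alphabet) long enough to hold a URL.
B64_RUN = re.compile(rb"[A-Za-z0-9+/_-]{16,}={0,2}")


def _decode_b64(run: bytes) -> Optional[bytes]:
    """Decode a base64 run, re-padding it if the trailing '=' were stripped.
    urlsafe_b64decode also accepts the standard alphabet, so one call covers both."""
    padded = run + b"=" * (-len(run) % 4)
    try:
        return base64.urlsafe_b64decode(padded)
    except (binascii.Error, ValueError):
        return None


def _is_url(data: bytes) -> bool:
    # A real URL decodes to printable ASCII and starts with a scheme.
    return (data.startswith((b"http://", b"https://"))
            and all(0x21 <= c <= 0x7E for c in data))


def find_urls(blob: bytes) -> List[dict]:
    """Return plaintext and base64-obfuscated URLs found in blob, in file order."""
    hits = []
    for m in PLAIN_URL.finditer(blob):
        hits.append({"offset": m.start(), "encoding": "plain",
                     "url": m.group().decode("ascii")})
    for m in B64_RUN.finditer(blob):
        decoded = _decode_b64(m.group())
        if decoded and _is_url(decoded):
            hits.append({"offset": m.start(), "encoding": "base64",
                         "url": decoded.decode("ascii")})
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    # Usage: replace SAMPLE_BLOB with open("suspect.exe", "rb").read()
    for h in find_urls(SAMPLE_BLOB):
        print(f"{h['offset']:6d}  {h['encoding']:6s}  {h['url']}")
```

The offset is kept so a hit can be located again in the hex editor. A URL that is XOR-ed or otherwise custom-obfuscated will not show up here; for those, sniffing the live traffic (as the rest of the thread discusses) is the reliable route.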
sciwriter commented:
Here are some "free" ones you could look at --

Urlybird -- here -- http://www.5cup.com/sort2/Internet_Utilities-Tools___Utilities-122.html
packet sniffer -- http://www.packet-sniffer.net/
spy catcher -- http://www.tenebril.com/products/ghostsurf/newinspycatcher.html

Of course there is HijackThis, http://www.greyknight17.com/spy/HijackThis.exe
but that really doesn't analyze much in the way of URLs; it just reports the system state.
snerkel commented:
I would install Sygate (http://smb.sygate.com/download_buy.htm); as part of its firewall function it logs connections and shows the application making the connection. I find this the easiest way of quickly seeing what connects to where.

Another way would be TCPView from http://www.sysinternals.com. This doesn't need installing and just monitors the TCP connections of all processes and programs; again, this should show wmplayer.exe and the sites it is accessing.

Both programs are free.
pseudocyber commented:
Simply run Ethereal on your machine while you're surfing. Then you can stop the sniff, open it, and inspect the captures to see the IP addresses and the URLs, assuming they're not encrypted.
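What "inspect the captures to see the IP addresses and the URLs" amounts to, in code, is walking the saved capture, picking out TCP segments that carry an HTTP request line, and gluing the request target to the Host header. The following is an added example, not from pseudocyber or from Ethereal: a minimal classic-pcap (Ethernet/IPv4/TCP) reader that does exactly that and flags TLS ClientHellos as endpoints whose URL is not recoverable. The capture is built in memory from constructed packets (placeholder addresses and hostnames), so it runs offline; point `extract_requests` at `open("capture.pcap", "rb").read()` for a real Ethereal save file.

```python
import socket
import struct

# Constructed sample traffic (not a real capture): an HTTP/1.1 request, a
# proxy-style absolute-URI request, a TLS ClientHello and an empty ACK.
SAMPLE_PACKETS = [
    ("192.168.1.10", "203.0.113.5", 1045, 80,
     b"GET /143?ax=1&td=4c HTTP/1.1\r\nHost: ads.example.test\r\n"
     b"User-Agent: NSPlayer/9.0\r\n\r\n"),
    ("192.168.1.10", "203.0.113.7", 1046, 8080,
     b"GET http://clips.example.test/v/clip.wmv HTTP/1.0\r\n\r\n"),
    ("192.168.1.10", "203.0.113.9", 1047, 443,
     b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
    ("192.168.1.10", "203.0.113.5", 1045, 80, b""),
]

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")


def build_pcap(packets):
    """Serialize (src, dst, sport, dport, payload) tuples as a little-endian
    classic pcap file with Ethernet/IPv4/TCP framing (checksums left zero)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for src, dst, sport, dport, payload in packets:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4,
                          0x18, 8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6,
                         0, socket.inet_aton(src), socket.inet_aton(dst)) + tcp
        frame = b"\x00" * 12 + b"\x08\x00" + ip       # zero MACs, EtherType IPv4
        out.append(struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_frames(pcap):
    """Yield raw link-layer frames from a classic pcap file, either byte order."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        yield pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def extract_requests(pcap):
    """One record per TCP segment carrying an HTTP request line (URL rebuilt
    from request target + Host) or a TLS ClientHello (endpoint only)."""
    found = []
    for frame in iter_frames(pcap):
        if frame[12:14] != b"\x08\x00":                 # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:                                   # not TCP
            continue
        tcp = ip[ihl:total_len]
        dport = struct.unpack("!H", tcp[2:4])[0]
        payload = tcp[(tcp[12] >> 4) * 4:]
        dst = socket.inet_ntoa(ip[16:20])
        if payload.startswith(HTTP_METHODS):
            head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
            lines = head.split("\r\n")
            target = lines[0].split(" ")[1]
            host = next((l.split(":", 1)[1].strip() for l in lines[1:]
                         if l.lower().startswith("host:")), None)
            if target.lower().startswith(("http://", "https://")):
                url = target                             # absolute-form (via proxy)
            else:
                authority = host or (dst if dport == 80 else f"{dst}:{dport}")
                url = "http://" + authority + target
            found.append({"dst": dst, "port": dport, "url": url, "tls": False})
        elif payload[:2] == b"\x16\x03":                 # TLS handshake record
            found.append({"dst": dst, "port": dport, "url": None, "tls": True})
    return found


if __name__ == "__main__":
    for r in extract_requests(build_pcap(SAMPLE_PACKETS)):
        print(f"{r['dst']}:{r['port']}  {r['url'] or '(TLS, URL encrypted)'}")
```

This only looks at the first segment of each request, which is enough for the short GETs an ad player issues; a request split across segments would need the TCP stream reassembled first (Ethereal's "Follow TCP Stream" does that for you). For HTTPS the capture yields the server address and port but not the path or query, which is the "assuming they're not encrypted" caveat above.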
fixnix commented:
I agree with most of the above suggestions, but as a quick-n-dirty alternative without installing anything, you can open a command prompt next time the video ad starts playing and type "netstat -o" to see all active connections to ports on your computer... as well as the process ID, click the Processes tab, then View > Select Columns, and tick the PID box. Then you can match up which processes have which ports.

Personally, I'd rather use the utils at sysinternals.com like snerkel suggested, but I'm suggesting this as a "nothing to install" method.
fixnix commented:
Whoops... seems I accidentally cut out a line above...

"to see all active connections to ports on your computer... as well as the process ID, click the Processes tab, then View > Select Columns, and tick the PID box."

should have said:

"to see all active connections to ports on your computer... as well as the process ID, then hit <ctrl><alt><del>, open Task Manager, click the Processes tab, then View > Select Columns, and tick the PID box."

Sorry for any confusion.
arosboro commented:
When the video plays, perhaps you could check the websites that your computer is connected to with netstat in the Command Prompt. You'll have to find patterns such as the port that Media Player is using, or a URL that stands out. Do "netstat > log1.txt" etc. to save text files to compare. I know, this method is really crude. In your situation I would be using a firewall or Ethereal like you mentioned.

www.analogx.com also has some lightweight apps that do netstats and packet monitoring.
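fixnix's "netstat -o plus the PID column in Task Manager" and arosboro's "save netstat to log1.txt and compare" are the same procedure: snapshot the connection table before and during the ad, keep the rows that appeared, and group them by owning process. Here is that diff as an added example, not code from either poster. The two snapshots are constructed `netstat -no` output with placeholder PIDs and addresses (`-n` is the standard switch that suppresses DNS lookups, which keeps the Foreign Address column as IP:port and the snapshots comparable); the mapping of PID 1544 to wmplayer.exe is an assumption that in practice comes from Task Manager's PID column.

```python
from typing import Dict, List

# Constructed `netstat -no` snapshots (not real output): one taken before the
# ad starts and one while it is playing. PIDs and addresses are placeholders.
BEFORE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     912
  UDP    0.0.0.0:445            *:*                                    4
"""

AFTER = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     912
  TCP    192.168.1.10:1045      203.0.113.5:80         ESTABLISHED     1544
  TCP    192.168.1.10:1046      203.0.113.7:8080       ESTABLISHED     1544
  UDP    0.0.0.0:445            *:*                                    4
"""


def parse_netstat(text: str) -> List[dict]:
    """Parse the table printed by Windows `netstat -o`.
    UDP rows have no State column, so the PID is always the last field."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        rows.append({
            "proto": parts[0],
            "local": parts[1],
            "remote": parts[2],
            "state": parts[3] if len(parts) == 5 else "",
            "pid": int(parts[-1]),
        })
    return rows


def new_remote_endpoints(before: str, after: str) -> Dict[int, List[str]]:
    """Remote endpoints present in `after` but not in `before`, grouped by PID.
    Listening sockets ('*:*') are ignored; they never identify a server."""
    seen = {(r["pid"], r["remote"]) for r in parse_netstat(before)}
    added: Dict[int, List[str]] = {}
    for r in parse_netstat(after):
        if r["remote"] == "*:*" or (r["pid"], r["remote"]) in seen:
            continue
        added.setdefault(r["pid"], []).append(r["remote"])
    return {pid: sorted(remotes) for pid, remotes in added.items()}


if __name__ == "__main__":
    # In practice: BEFORE/AFTER = open("log1.txt").read(), open("log2.txt").read()
    # and the PID -> image name map is read off Task Manager's PID column.
    names = {1544: "wmplayer.exe"}  # assumed mapping for the constructed data
    for pid, remotes in new_remote_endpoints(BEFORE, AFTER).items():
        print(f"{names.get(pid, '?')} (PID {pid}) -> {', '.join(remotes)}")
```

The result is a list of IP:port pairs per process, not URLs: netstat sees sockets, not request lines, so this narrows down which servers the player talks to and then a sniffer (or the sysinternals tools) fills in the path and query. Note that `netstat` takes a snapshot; a short-lived connection that opens and closes between the two runs is missed, so take the "after" snapshot while the clip is actually streaming.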
hibbidiji (author) commented:
I'm beginning to think that this is a program I should write :) None of the apps have done exactly what I want. sciwriter gets the points. I will post later once I've written the app.
sciwriter commented:
Do it, hibbidiji -- there is a lot of stuff like this that needs creative talent with a fresh perspective. Let me know how it works out....