[Intrusions] unusual activity on IP based ports?
James C Slora
Jim.Slora at phra.com
Wed Aug 3 13:07:13 GMT 2005
> any chance someone has seen some malware that hashes
> the IP its probing to come up with a unique port?
Yes, this has been going on widely for at least a year and a half. There are
dozens of botnet varieties that do this, and it is a technique that can be
built into any tool of course. Randex is one example that often uses the
technique you describe. If you look at bot or RAT descriptions and find
"opens a random port", this often indicates the open port is some function
of the IP address. Thus machines can be probed blindly for the RAT while not
having a standard port.
So the technique itself does not point to anything specific, but packet
captures may shed some more light, especially if you have something answer
the probes.
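As an added illustration (not part of the original post), here is one way to check firewall drop logs for the pattern described above: several unrelated sources probing each destination on a single port that is used for no other destination. It assumes nothing about the actual function a bot uses; the function names and the sample records are constructed for this example.

```python
from collections import defaultdict

# Constructed sample: (source IP, destination IP, destination TCP port) taken
# from firewall drop logs. Addresses are documentation ranges; ports are made up.
SAMPLE_PROBES = [
    ("198.51.100.7",  "192.0.2.10", 31742),
    ("203.0.113.40",  "192.0.2.10", 31742),
    ("198.51.100.7",  "192.0.2.11", 8913),
    ("203.0.113.99",  "192.0.2.11", 8913),
    ("203.0.113.40",  "192.0.2.12", 50266),
    ("198.51.100.23", "192.0.2.12", 50266),
    # Ordinary fixed-port sweep: the same port on every destination.
    ("198.51.100.80", "192.0.2.10", 445),
    ("198.51.100.80", "192.0.2.11", 445),
    ("198.51.100.80", "192.0.2.12", 445),
    # One-off hit with no second source to corroborate it.
    ("203.0.113.5",   "192.0.2.13", 40111),
]


def ip_keyed_ports(probes, min_sources=2):
    """Return sorted (dst_ip, port) pairs where at least min_sources distinct
    sources probed that port and the port was probed on no other destination."""
    sources = defaultdict(set)        # (dst, port) -> sources that probed it
    dsts_for_port = defaultdict(set)  # port -> destinations it was probed on
    for src, dst, port in probes:
        sources[(dst, port)].add(src)
        dsts_for_port[port].add(dst)
    return sorted(
        (dst, port)
        for (dst, port), srcs in sources.items()
        if len(srcs) >= min_sources and len(dsts_for_port[port]) == 1
    )


def looks_ip_derived(probes, min_destinations=3):
    """True when enough destinations each have their own corroborated port,
    which is what a port computed from the target address would produce."""
    hits = ip_keyed_ports(probes)
    return len({dst for dst, _ in hits}) >= min_destinations


if __name__ == "__main__":
    for dst, port in ip_keyed_ports(SAMPLE_PROBES):
        print(f"{dst} is repeatedly probed on its own port {port}")
    print("address-derived port pattern:", looks_ip_derived(SAMPLE_PROBES))
```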