[Dshield] Strange UDP traffic

jonkman at jonkmans.com jonkman at jonkmans.com
Thu Mar 20 15:26:13 GMT 2008


I recognize that. It's a C&C channel from a trojan I just wrote rules for a week or so ago. I don't recall its name off hand but will find it when I get back to the office.

In the meantime, if you run the emergingthreats.net virus sigs, it'll likely ID it right off. This was a very unique one.

Matt
Sent via BlackBerry by AT&T

-----Original Message-----
From: "Jon R. Kibler" <Jon.Kibler at aset.com>

Date: Thu, 20 Mar 2008 14:36:41 
To: list at lists.dshield.org
Subject: [Dshield] Strange UDP traffic


All,

Just implemented new firewall rules at a customer site and immediately started
to block strange UDP traffic. It is originating from a few different Windows
boxes. Each of the systems is sending the exact identical traffic to a few target
IPs. There is one packet every 30 seconds per system. Below is a sample.
Destination port appears to always be the same.

Anyone have a clue what this traffic is all about? It is only coming from
a couple of systems out of about 200.

TIA for help!

Jon Kibler
-- 
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
(843) 849-8214


Frame 17 (64 bytes on wire, 64 bytes captured)
     Arrival Time: Mar 20, 2008 14:13:59.698973000
     [Time delta from previous captured frame: 30.209030000 seconds]
     [Time delta from previous displayed frame: 30.209030000 seconds]
     [Time since reference or first frame: 483.397740000 seconds]
     Frame Number: 17
     Frame Length: 64 bytes
     Capture Length: 64 bytes
     [Frame is marked: False]
     [Protocols in frame: eth:ip:udp:data]
Ethernet II, Src: Intel_88:c8:41 (00:19:d1:88:c8:41), Dst: Cisco_88:8a:f0 (00:17:5a:88:8a:f0)
     Destination: Cisco_88:8a:f0 (00:17:5a:88:8a:f0)
         Address: Cisco_88:8a:f0 (00:17:5a:88:8a:f0)
         .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
         .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
     Source: Intel_88:c8:41 (00:19:d1:88:c8:41)
         Address: Intel_88:c8:41 (00:19:d1:88:c8:41)
         .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
         .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
     Type: IP (0x0800)
Internet Protocol, Src: 10.8.100.97 (10.8.100.97), Dst: 209.234.245.12 (209.234.245.12)
     Version: 4
     Header length: 20 bytes
     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
         0000 00.. = Differentiated Services Codepoint: Default (0x00)
         .... ..0. = ECN-Capable Transport (ECT): 0
         .... ...0 = ECN-CE: 0
     Total Length: 50
     Identification: 0x30c8 (12488)
     Flags: 0x00
         0... = Reserved bit: Not set
         .0.. = Don't fragment: Not set
         ..0. = More fragments: Not set
     Fragment offset: 0
     Time to live: 128
     Protocol: UDP (0x11)
     Header checksum: 0xd492 [correct]
         [Good: True]
         [Bad : False]
     Source: 10.8.100.97 (10.8.100.97)
     Destination: 209.234.245.12 (209.234.245.12)
User Datagram Protocol, Src Port: voispeed-port (3541), Dst Port: 25121 (25121)
     Source port: voispeed-port (3541)
     Destination port: 25121 (25121)
     Length: 30
     Checksum: 0xc176 [correct]
         [Good Checksum: True]
         [Bad Checksum: False]
Data (22 bytes)

0000  01 02 00 16 dc f2 21 f5 01 00 00 00 08 02 bf 60   ......!........`
0010  0a 08 64 61 62 18                                 ..dab.
     Data: 01020016DCF221F5010000000802BF600A0864616218
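The pattern Jon describes (a handful of hosts sending an identical UDP payload to the same destination port once every 30 seconds) is a classic beacon and is easy to pick out of a packet log by grouping on source, destination, port and payload and checking the regularity of the inter-arrival times. The script below is an added example, not part of the thread; it embeds the 22-byte payload from the posted dump and a constructed packet log (the second host, the timestamps and the irregular chatter are made up), and its triage helper checks whether the sender's own IPv4 address appears packed inside the payload, which happens to be true for the posted sample (bytes 0a 08 64 61 = 10.8.100.97).

```python
"""Beacon detector for the pattern in the thread: identical UDP payload,
same destination port, fixed interval. Sample data is constructed."""
from collections import defaultdict
from ipaddress import ip_address
from statistics import mean, pstdev

# Payload exactly as shown in the posted Wireshark dump (22 bytes).
SAMPLE_PAYLOAD = "01020016DCF221F5010000000802BF600A0864616218"

# Constructed packet log: (timestamp_s, src, dst, dport, payload_hex).
# Host 10.8.100.97, the destination and the ~30 s delta come from the post;
# the second host, the timestamps and its payload are made up as noise.
PACKETS = [
    (453.19, "10.8.100.97", "209.234.245.12", 25121, SAMPLE_PAYLOAD),
    (483.40, "10.8.100.97", "209.234.245.12", 25121, SAMPLE_PAYLOAD),
    (513.61, "10.8.100.97", "209.234.245.12", 25121, SAMPLE_PAYLOAD),
    (543.80, "10.8.100.97", "209.234.245.12", 25121, SAMPLE_PAYLOAD),
    # Same payload repeated, but at irregular times: must not be flagged.
    (460.00, "10.8.100.50", "10.8.1.1", 53, "AABB01000001"),
    (461.70, "10.8.100.50", "10.8.1.1", 53, "AABB01000001"),
    (499.30, "10.8.100.50", "10.8.1.1", 53, "AABB01000001"),
]


def find_beacons(packets, min_count=3, max_jitter=0.05):
    """Return {(src, dst, dport, payload): mean_interval_s} for groups that
    repeat an identical payload at a near-constant interval.
    Jitter is measured as stdev/mean of the inter-arrival deltas."""
    groups = defaultdict(list)
    for ts, src, dst, dport, payload in packets:
        groups[(src, dst, dport, payload.upper())].append(ts)
    hits = {}
    for key, times in groups.items():
        if len(times) < min_count:
            continue
        times.sort()
        deltas = [b - a for a, b in zip(times, times[1:])]
        avg = mean(deltas)
        if avg > 0 and pstdev(deltas) / avg <= max_jitter:
            hits[key] = round(avg, 2)
    return hits


def payload_embeds_source_ip(payload_hex, src):
    """Triage helper: does the packed 4-byte form of the sender's IPv4 address
    occur inside the payload? Bots commonly report their own address to the
    controller this way; a hit is a hint to look closer, not proof."""
    return ip_address(src).packed in bytes.fromhex(payload_hex)


if __name__ == "__main__":
    for (src, dst, dport, payload), interval in find_beacons(PACKETS).items():
        print(f"{src} -> {dst}:{dport}/udp every {interval}s, "
              f"embeds own IP: {payload_embeds_source_ip(payload, src)}")
```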