[unisog] Apparent "encrypted" P2P botnet using port 8/tcp
eckman at umn.edu
Sun Apr 30 15:31:03 GMT 2006
> Can you just post the traffic here? It'd be nice to see it so we know
> what to look for...
> Jonathan Glass wrote:
>>I'm seeing a Chinese host scanning our network for this port. Anybody
>>on Unisog doing research into this from China? Only a few hosts have
>>issued ACKs. Brian, can I get a copy of the traffic you're seeing?
>>22:54:35.086851 IP 126.96.36.199.http > A.B.C.D.8: S
>>1388829994:1388829994(0) ack 1733890823 win 5840 <mss 1460>
I don't want to post the traffic publicly as-is, and I don't see much
gain in taking the time to anonymize it at this point. The traffic looks
like nonsense from an ephemeral port to port 8/tcp. Infected hosts will
be making several connections per minute to other hosts on 8/tcp. If not
firewalled, several external hosts will be establishing connections to
it on its port 8/tcp each minute.
Until some bozo starts using port 8/tcp for something else, it should be
quite easy to detect infections on your network either via tcpdump or
Once it has established a connection with others, the botnet seems to do
a very good job of weeding out bots that aren't online from its list. I
left a machine infected for a while, and within minutes, it was not
"scanning" at all - each outbound connection to 8/tcp on a host was to
There are other folks looking at this too. I'm sure we'll hear more
about it soon.
More information about the unisog