[unisog] Apparent "encrypted" P2P botnet using port 8/tcp

Brian Eckman eckman at umn.edu
Sun Apr 30 15:31:03 GMT 2006


Fixer wrote:
> Can you just post the traffic here?  It'd be nice to see it so we know 
> what to look for...
> 
> -cdh
> 
> 
> Jonathan Glass wrote:
> 
>>I'm seeing a Chinese host scanning our network for this port.  Anybody 
>>on Unisog doing research into this from China? Only a few hosts have 
>>issued ACKs.  Brian, can I get a copy of the traffic you're seeing?
>>
>>22:54:35.086851 IP 218.16.120.122.http > A.B.C.D.8: S 
>>1388829994:1388829994(0) ack 1733890823 win 5840 <mss 1460>

<snip>


I don't want to post the traffic publicly as-is, and I don't see much
gain in taking the time to anonymize it at this point. The traffic looks
like nonsense from an ephemeral port to port 8/tcp. Infected hosts will
be making several connections per minute to other hosts on 8/tcp. If not
firewalled, several external hosts will be establishing connections to
it on its port 8/tcp each minute.

Until some bozo starts using port 8/tcp for something else, it should be
quite easy to detect infections on your network either via tcpdump or
flow analysis.

Once it has established a connection with others, the botnet seems to do
a very good job of weeding out bots that aren't online from its list. I
left a machine infected for a while, and within minutes, it was not
"scanning" at all - each outbound connection to 8/tcp on a host was to
another bot.

There are other folks looking at this too. I'm sure we'll hear more
about it soon.

Brian
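The detection Brian describes (count connections to 8/tcp per host per minute, from tcpdump or flow data) can be automated with a short script. The following is an added example, not code from the original thread or from any of its participants. It assumes a constructed, simplified CSV flow format (timestamp, src, sport, dst, dport, proto); real exporters such as nfdump, Argus or Zeek conn.log differ, so `parse_flow()` is the function to adapt. The local address prefix, the sample flows and the threshold of three distinct peers per minute are all assumptions chosen to illustrate the "several connections per minute" behaviour.

```python
"""Flag local hosts that reach several distinct peers on 8/tcp within one minute.

Added example for the unisog thread above; the flow format, addresses
and threshold are constructed assumptions, not data from the thread.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample flows. 10.0.0.5 behaves like the infected host
# described in the thread (several outbound 8/tcp connections per
# minute, plus inbound ones from other bots). 10.0.0.7 makes a single
# 8/tcp connection and should not be flagged at the default threshold.
SAMPLE_FLOWS = """\
2006-04-30T22:54:01,10.0.0.5,49152,198.51.100.10,8,tcp
2006-04-30T22:54:09,10.0.0.5,49153,198.51.100.11,8,tcp
2006-04-30T22:54:20,10.0.0.5,49154,203.0.113.40,8,tcp
2006-04-30T22:54:31,10.0.0.5,49155,203.0.113.41,8,tcp
2006-04-30T22:54:45,203.0.113.9,33000,10.0.0.5,8,tcp
2006-04-30T22:54:50,198.51.100.77,33001,10.0.0.5,8,tcp
2006-04-30T22:55:02,10.0.0.5,49156,198.51.100.12,8,tcp
2006-04-30T22:55:03,10.0.0.7,51000,198.51.100.10,8,tcp
2006-04-30T22:55:10,10.0.0.7,51001,198.51.100.20,80,tcp
2006-04-30T22:55:12,10.0.0.5,49157,198.51.100.13,8,udp
"""

LOCAL_PREFIX = "10.0.0."   # assumption: the site's internal address space
WATCH_PORT = 8             # the port the thread is about
THRESHOLD = 3              # "several per minute": flag at 3+ distinct peers


def parse_flow(line):
    """Parse one constructed CSV flow record into a dict."""
    ts, src, sport, dst, dport, proto = line.strip().split(",")
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src, "sport": int(sport),
        "dst": dst, "dport": int(dport),
        "proto": proto,
    }


def minute_bucket(ts):
    """Truncate a timestamp to the start of its minute."""
    return ts.replace(second=0, microsecond=0)


def find_port8_talkers(text, threshold=THRESHOLD):
    """Return {host: {"minute", "outbound_peers", "inbound_peers"}} for local
    hosts that connected to at least `threshold` distinct peers on
    WATCH_PORT/tcp within a single minute. The reported minute is the one
    with the highest outbound peer count; inbound peers that connected to
    the host's own WATCH_PORT in that minute are included as corroboration."""
    out = defaultdict(set)   # (local host, minute) -> peers it connected to on 8/tcp
    inb = defaultdict(set)   # (local host, minute) -> peers that connected to its 8/tcp
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["proto"] != "tcp" or f["dport"] != WATCH_PORT:
            continue
        m = minute_bucket(f["ts"])
        if f["src"].startswith(LOCAL_PREFIX):
            out[(f["src"], m)].add(f["dst"])
        if f["dst"].startswith(LOCAL_PREFIX):
            inb[(f["dst"], m)].add(f["src"])

    flagged = {}
    for (host, m), peers in out.items():
        if len(peers) < threshold:
            continue
        prev = flagged.get(host)
        if prev is None or len(peers) > prev["outbound_peers"]:
            flagged[host] = {
                "minute": m.isoformat(),
                "outbound_peers": len(peers),
                "inbound_peers": len(inb.get((host, m), ())),
            }
    return flagged


if __name__ == "__main__":
    for host, info in sorted(find_port8_talkers(SAMPLE_FLOWS).items()):
        print(f"{host}: {info['outbound_peers']} outbound and "
              f"{info['inbound_peers']} inbound 8/tcp peers in minute {info['minute']}")
```

Counting distinct peers rather than raw connections keeps a single retried connection from tripping the threshold, and the inbound count gives a second signal for unfirewalled hosts. For a quick manual check in the spirit of the thread, a capture filter such as `tcpdump -n 'tcp port 8'` shows the same traffic live; the script is for the flow-analysis route.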

