[unisog] Apparent "encrypted" P2P botnet using port 8/tcp

Peter Van Epp vanepp at sfu.ca
Sun Apr 30 18:22:11 GMT 2006

On Sat, Apr 29, 2006 at 08:19:26PM -0500, Brian Eckman wrote:
> Some malware was seen spreading via AOL Instant Messenger (AIM) earlier
> today that appears to be using "encrypted"[1] peer-to-peer (possibly
> Waste?) as the Command and Control (C&C) mechanism. Infected hosts
> communicate with each other via port 8/TCP.

	This doesn't appear to have spread here (yet). A look at argus since 
midnight shows a handful of probes with one port or the other 8, but only
udp ntp queries are getting any response our way. A number of them are between
port 8 and port 80 (but with no associated http request and several times a
source of a host in China) but they are all from off campus with no response
from our machines (again, so far :-)). But thanks for the heads up so I'll at
least be able to speculate on why I whacked any of them that start this :-).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

More information about the unisog mailing list