RE: Malformed DNS or something odd (or just me)

From: James C Slora Jr (Jim.Slora_at_phra.com)
Date: 04/09/04

  • Next message: Jason High: "incident tracking software"
    To: "'Steven Trewick'" <STrewick@joplings.co.uk>, <incidents@securityfocus.com>
    Date: Fri, 9 Apr 2004 16:02:02 -0400

    Steven Trewick wrote Wednesday, April 07, 2004 09:45

    > Over the last week or so I have seen what looks (to my
    > untrained eye) like some kind of funky, malicious or
    > malformed DNS traffic turning up at my network borders.

    I am familiar with this traffic, but don't know what specifically causes it.
    I've been receiving it for several months on one address, and have had
    discussions with several other people who have observed very similar
    traffic.

    There are several different similar types of probes, but the traffic you
    listed is pretty much an exact match for one set I have been watching
    occasionally.

    What typifies the probes I'm talking about is:
    - Paired probes to UDP 53 and another UDP port.
    - The second UDP port is identical for all probes to any target address.
    - The second UDP port is different for every target address, so it is
    probably calculated from the target IP address.

    Here is what I think I've learned from the packets so far (not too much,
    sorry).

    - The payloads of the packets generally have IP addresses embedded in them.

    - The UDP 53 traffic is not valid DNS traffic at all (the longer packets
    cause all sorts of complaints in Ethereal to back this up).

    - The sender usually sends identical payloads to UDP 53 and the other port
    in pairs.

    - The packets are not a response to anything on the target (no trojan is
    soliciting them). The target address may have originally been added to the
    target list because of some trojan, but continued target membership does not
    depend on any outbound traffic. The traffic continues identically whether I
    put a router or a PC at that address. The only thing that makes it stop is
    changing IP addresses entirely.

    - The data in the long packets is binary, and does not seem to add up to
    anything coherent in the traffic I've watched. This leads me to believe it
    is encrypted traffic. I have not put any work into figuring out how to
    decrypt it.

    > [**] ** Unknown UDP ** [**]
    > 04/03-20:33:42.506542 62.253.119.103:41601 -> 192.168.0.88:5301
    > UDP TTL:112 TOS:0x0 ID:53537 IpLen:20 DgmLen:40
    > Len: 12
    > 01 02 00 07 D1 86 3F C3 26 14 01 00 ......?.&...
    >
    > [**] ** Unknown UDP ** [**]
    > 04/03-20:33:42.525759 62.253.119.103:41601 -> 192.168.0.88:53
    > UDP TTL:112 TOS:0x0 ID:53793 IpLen:20 DgmLen:40
    > Len: 12
    > 01 02 00 07 D1 86 3F C3 26 14 01 00 ......?.&...

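The pattern Jim describes (a probe to UDP 53 and a second probe to a per-target port, both carrying the same payload, with the port 53 payload not being real DNS) is easy to check for mechanically from Snort alert text like the records quoted above. The script below is an added example written for this page, not code from the thread or from Jim. It parses the two quoted alerts plus two constructed records for a second target (192.168.0.89 and port 5302 are made up so the "second port differs per target" check has something to compare), groups probes by source and target, reports whether port 53 was paired with another port and whether the payloads matched, and applies a DNS-header plausibility heuristic of my own to the port 53 payload. The heuristic checks only that a query carries RCODE 0 and that the section counts in the 12-byte header could fit in the bytes that follow; it is not a full DNS parser.

```python
import re
from collections import defaultdict

# Constructed sample input: the two Snort alerts quoted in the thread, plus
# two made-up records for a second target (192.168.0.89 / port 5302).
SAMPLE_ALERTS = """\
[**] ** Unknown UDP ** [**]
04/03-20:33:42.506542 62.253.119.103:41601 -> 192.168.0.88:5301
UDP TTL:112 TOS:0x0 ID:53537 IpLen:20 DgmLen:40
Len: 12
01 02 00 07 D1 86 3F C3 26 14 01 00 ......?.&...

[**] ** Unknown UDP ** [**]
04/03-20:33:42.525759 62.253.119.103:41601 -> 192.168.0.88:53
UDP TTL:112 TOS:0x0 ID:53793 IpLen:20 DgmLen:40
Len: 12
01 02 00 07 D1 86 3F C3 26 14 01 00 ......?.&...

[**] ** Unknown UDP ** [**]
04/03-20:35:10.101010 62.253.119.103:41601 -> 192.168.0.89:5302
UDP TTL:112 TOS:0x0 ID:53901 IpLen:20 DgmLen:40
Len: 12
01 02 00 07 D1 86 3F C3 26 15 01 00 ......?.&...

[**] ** Unknown UDP ** [**]
04/03-20:35:10.121212 62.253.119.103:41601 -> 192.168.0.89:53
UDP TTL:112 TOS:0x0 ID:53902 IpLen:20 DgmLen:40
Len: 12
01 02 00 07 D1 86 3F C3 26 15 01 00 ......?.&...
"""

HEADER_RE = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")
LEN_RE = re.compile(r"^Len: (\d+)$")
HEX_RE = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_alerts(text):
    """Parse Snort alert records (blank-line separated) into dicts."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines()]
        rec = None
        for i, ln in enumerate(lines):
            m = HEADER_RE.match(ln)
            if m:
                rec = {"src": m.group(1), "sport": int(m.group(2)),
                       "dst": m.group(3), "dport": int(m.group(4)), "payload": b""}
                continue
            m = LEN_RE.match(ln)
            if m and rec is not None:
                length, raw = int(m.group(1)), []
                # Snort prints 16 bytes per dump line, then an ASCII rendering;
                # take only the hex tokens still needed and ignore the rest.
                for dump in lines[i + 1:]:
                    need = min(16, length - len(raw))
                    tokens = dump.split()[:need]
                    if need == 0 or not tokens or not all(HEX_RE.match(t) for t in tokens):
                        break
                    raw.extend(int(t, 16) for t in tokens)
                rec["payload"] = bytes(raw)
        if rec is not None:
            alerts.append(rec)
    return alerts


def dns_header_plausible(payload):
    """Heuristic: could this payload be a DNS message?

    Header is ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (12 bytes). A query
    (QR=0) must carry RCODE 0, each question needs at least 5 bytes and each
    resource record at least 11, so the counts must fit in the remaining bytes.
    """
    if len(payload) < 12:
        return False
    flags = int.from_bytes(payload[2:4], "big")
    if not (flags & 0x8000) and (flags & 0x000F) != 0:
        return False
    qd, an, ns, ar = (int.from_bytes(payload[o:o + 2], "big") for o in (4, 6, 8, 10))
    return qd * 5 + (an + ns + ar) * 11 <= len(payload) - 12


def paired_probes(alerts):
    """Per (src, dst): destination ports seen, pairing with 53, payload equality."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["src"], a["dst"])].append(a)
    result = {}
    for key, recs in groups.items():
        ports = {r["dport"] for r in recs}
        result[key] = {"ports": ports,
                       "paired_with_53": 53 in ports and len(ports) > 1,
                       "identical_payloads": len({r["payload"] for r in recs}) == 1}
    return result


def second_port_per_target(alerts):
    """The non-53 destination port(s) observed for each target address."""
    seen = defaultdict(set)
    for a in alerts:
        if a["dport"] != 53:
            seen[a["dst"]].add(a["dport"])
    return dict(seen)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for key, info in paired_probes(parsed).items():
        print(key, info)
    print("second ports:", second_port_per_target(parsed))
    for a in parsed:
        if a["dport"] == 53:
            print(a["dst"], "port 53 payload looks like DNS:", dns_header_plausible(a["payload"]))
```

On the quoted packets this reports port 53 paired with 5301 for 192.168.0.88 with identical payloads, and the port 53 payload fails the DNS check (flags 0x0007 is a query with RCODE 7, and QDCOUNT 0xD186 cannot fit in zero trailing bytes). Feeding it a longer capture from a sensor would show whether the second port really is constant per target and different across targets, which is the observation that suggests it is derived from the target address.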

