Port 4028 - Interesting Activity

Published: 2014-01-16
Last Updated: 2014-01-16 02:06:59 UTC
by Kevin Shortt (Version: 1)
0 comment(s)

Take a look at port 4028.    Thanks to Bill for sharing an analysis that concluded a piece of malware was an Aidra botnet client. His shared analysis asks for a deeper look at port 4028.   I found a published write up from Symantec. [1]

After looking at our port 4028 data [2], there is reason to watch for it.   Please chime in if you are seeing any traffic on port 4028.

# portascii.html
# Start Date: 2013-12-01# End Date: 2014-01-15
# Port: 4028
# created: Thu, 16 Jan 2014 01:34:07 +0000
# Date in GMT. YYYY-MM-DD format.

date	     records targets sources  tcpratio
2013-12-01	19	2	2	100
2013-12-04	18	2	2	100
2013-12-05	28	4	6	100
2013-12-06	8	2	2	100
2013-12-07	13	5	7	85
2013-12-08	9	5	7	67
2013-12-09	13	3	4	100
2013-12-10	23	5	6	100
2013-12-11	5	3	5	80
2013-12-12	19	3	3	100
2013-12-23	4	2	3	100
2013-12-25	6	2	3	100
2014-01-04	49240	45589	3	100
2014-01-05	1559	1440	40	100
2014-01-08	28910	26975	4	100
2014-01-09	6	6	3	83
2014-01-10	4531	3675	4	100
2014-01-11	76271	72307	3	100
2014-01-13	239	173	3	100
2014-01-14	195	164	6	99
2014-01-15	10	5	2	90
# (c) SANS Inst. / DShield. some rights reserved.
# Creative Commons ShareAlike License 2.5
# http://creativecommons.org/licenses/by-nc-sa/2.5/

 

[1] http://www.symantec.com/security_response/writeup.jsp?docid=2013-121118-5758-99
[2]  https://isc.sans.edu/port.html?&startdate=2013-12-17&enddate=2014-01-16&port=4028&yname=sources&y2name=targets

 

 

Keywords: Aidra botnet
0 comment(s)
ISC StormCast for Thursday, January 16th 2014 http://isc.sans.edu/podcastdetail.html?id=3782

Comments


Diary Archives