Port 80 UDP Malware
Our reader Warren informed us that his office in China was infected by a rather nasty piece of malware. It flooded the network with UDP traffic on port 80 and was not recognized by any anti-virus tool. A single infected host sent 100 UDP packets / second.
Couple more hints that may help you identify this threat:
- The UDP port 80 traffic was directed at 222.208.183.72.
- The file name used by the malware is p2psvr.exe (sorry, the binary was not preserved in the cleanup :-( ).
- the machine was also infected with PR_LOOKED.lF (according to Trend Micro).
I assume that the malware attempts to sneak past lazy firewall rules that allow port 80 tcp and udp outbound. The target does not appear to be a "special" host, but a DDoS is possible as a motive for the UDP traffic.
Reminder: if you come across odd infections like that, please preserve the malware for analysis.
Couple more hints that may help you identify this threat:
- The UDP port 80 traffic was directed at 222.208.183.72.
- The file name used by the malware is p2psvr.exe (sorry, the binary was not preserved in the cleanup :-( ).
- the machine was also infected with PR_LOOKED.lF (according to Trend Micro).
I assume that the malware attempts to sneak past lazy firewall rules that allow port 80 tcp and udp outbound. The target does not appear to be a "special" host, but a DDoS is possible as a motive for the UDP traffic.
Reminder: if you come across odd infections like that, please preserve the malware for analysis.
Keywords:
0 comment(s)
My next class:
Application Security: Securing Web Apps, APIs, and Microservices | Washington | Dec 13th - Dec 18th 2024 |
×
Diary Archives
Comments