Port 80 UDP Malware

Published: 2006-12-01
Last Updated: 2006-12-01 14:47:57 UTC
by Johannes Ullrich (Version: 1)
Our reader Warren informed us that his office in China was infected by a rather nasty piece of malware. It flooded the network with UDP traffic on port 80 and was not recognized by any anti-virus tool. A single infected host sent 100 UDP packets per second.

A couple more hints that may help you identify this threat:

- The UDP port 80 traffic was directed at 222.208.183.72.
- The file name used by the malware is p2psvr.exe (sorry, the binary was not preserved in the cleanup :-( ).
- The machine was also infected with PR_LOOKED.lF (according to Trend Micro).

I assume that the malware attempts to sneak past lazy firewall rules that allow port 80 TCP and UDP outbound. The target does not appear to be a "special" host, but a DDoS is possible as a motive for the UDP traffic.
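As an added example (not part of this diary), the check below flags a host that sends UDP datagrams to port 80 of a single destination at the rate described above. It assumes a simple, constructed flow-log line format (timestamp, src:sport, dst:dport, protocol, bytes); the 50 packets-per-second threshold is an arbitrary choice, and the sample lines reuse the destination address reported by the reader.

```python
"""Rate-based detection of outbound UDP/80 floods (added example, not ISC code)."""
import re
from collections import Counter

# Assumed flow-log format: "<iso-timestamp> <src>:<sport> -> <dst>:<dport> <proto> <bytes>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<bytes>\d+)$"
)

# Constructed sample: one host emitting 100 UDP/80 datagrams within one second,
# plus two benign flows (a DNS query and an ordinary TCP/80 connection).
SAMPLE_LOG = "\n".join(
    [f"2006-12-01T10:00:00.{i * 10:03d} 10.0.0.5:{40000 + i} -> 222.208.183.72:80 udp 64"
     for i in range(100)]
    + ["2006-12-01T10:00:00.500 10.0.0.9:51000 -> 10.0.0.1:53 udp 60",
       "2006-12-01T10:00:00.700 10.0.0.9:51001 -> 198.51.100.10:80 tcp 512"]
)


def parse_flow(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": d["ts"], "src": d["src"], "dst": d["dst"], "sport": int(d["sport"]),
            "dport": int(d["dport"]), "proto": d["proto"].lower(), "bytes": int(d["bytes"])}


def udp80_rate_alerts(log_text, pps_threshold=50):
    """Return sorted (src, dst, second, packets) tuples for every source that sent
    at least pps_threshold UDP datagrams to port 80 of one destination within a
    single one-second bucket. TCP/80 and other UDP ports are ignored."""
    buckets = Counter()
    for line in log_text.splitlines():
        f = parse_flow(line)
        if f is None or f["proto"] != "udp" or f["dport"] != 80:
            continue
        second = f["ts"][:19]  # ISO timestamp truncated to whole seconds
        buckets[(f["src"], f["dst"], second)] += 1
    return sorted((src, dst, sec, n) for (src, dst, sec), n in buckets.items()
                  if n >= pps_threshold)


if __name__ == "__main__":
    for src, dst, sec, n in udp80_rate_alerts(SAMPLE_LOG):
        print(f"{sec}: {src} -> {dst} udp/80 at {n} pkt/s (possible p2psvr.exe-style flood)")
```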

Reminder: if you come across odd infections like that, please preserve the malware for analysis.
