SANS Internet Storm Center (ISC)

A Packet a Day

Not traveling this week, I got a bit of extra time and decided to put up a couple of "packet challenges". If you are following me on Twitter, you may have already seen them. If not... here they are:

First one (with solution):

The second one (posted yesterday): (I think I only got one decent answer for it so far, so I will keep it up a bit longer...)

A third one will be posted later today. And BTW... got packets? We always like good and interesting packets.

Update: just made the new challenge live. Again at

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

ISC Handler
Sep 16th 2010
I think I found an error in the packet1 text.

It has 0010 hex as the DNS Flags

flags: 0010

Query / Response flag: 0 - it's a query
Opcode: 0 - standard query (4 bits)
Authoritative answer: no... it's a query
Truncation flag: no... it's a query
Recursion Desired: yes!
Zero: 3 bits.. always zero
Response Code: 0 ... no error

The above write-up of the flags indicates that the flags should be 0100.
They have bit five set, which should always be zero.
They have Recursion desired: yes. This would be bit nine, not bit five.

Answer to second packet:

FileName: mail.exe
size: 28864
md5 (05e3c1f54e95f13921e9dd0ace5a2a4e)

This appears to be UPX-packed MyDoom malware being spread/sent via email.

The Snort signature triggered incorrectly in this case because it triggered on the BASE64 string AAAAAAAAAA, not on an actual inc ecx NOOP opcode.

Quick analysis:
Creates reg entry under HKU\...\Microsoft\Daemon

Creates the following files:

Creates a services.exe thread
Tries to connect out to
Tries to connect out to
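As an added example (not from the diary or the comment above), here is a small Python decoder for the 16-bit DNS header flags word that reproduces the commenter's field-by-field breakdown and checks the two values in question, 0x0010 from the packet text and 0x0100 for a plain recursive query; the field names, the anomaly checks and the sample header bytes are my own.

```python
import struct

# Bit layout of the 16-bit flags word (RFC 1035, section 4.1.1), MSB first:
# QR(1) Opcode(4) AA(1) TC(1) RD(1) RA(1) Z(3) RCODE(4)
FIELDS = (("qr", 15, 0x1), ("opcode", 11, 0xF), ("aa", 10, 0x1), ("tc", 9, 0x1),
          ("rd", 8, 0x1), ("ra", 7, 0x1), ("z", 4, 0x7), ("rcode", 0, 0xF))


def decode_dns_flags(flags: int) -> dict:
    """Split a 16-bit DNS flags value into its named fields."""
    if not 0 <= flags <= 0xFFFF:
        raise ValueError("flags must fit in 16 bits")
    return {name: (flags >> shift) & mask for name, shift, mask in FIELDS}


def encode_dns_flags(**values: int) -> int:
    """Inverse of decode_dns_flags: fields not given default to 0."""
    flags = 0
    for name, shift, mask in FIELDS:
        flags |= (values.get(name, 0) & mask) << shift
    return flags


def flags_from_header(header: bytes) -> int:
    """The flags word is bytes 2-3 of the 12-byte DNS header, network byte order."""
    if len(header) < 12:
        raise ValueError("DNS header is 12 bytes")
    return struct.unpack("!H", header[2:4])[0]


def check_query_flags(flags: int) -> list:
    """Things a strict resolver or IDS parser would object to in a query's flags."""
    f = decode_dns_flags(flags)
    problems = []
    if f["z"]:
        problems.append(f"reserved Z bits set: {f['z']:03b}")
    if f["qr"] == 0 and f["rcode"]:
        problems.append(f"RCODE {f['rcode']} set in a query")
    if f["qr"] == 0 and f["aa"]:
        problems.append("AA set in a query")
    return problems


# Constructed sample: a standard recursive query header, ID 0x1234, QDCOUNT 1.
SAMPLE_QUERY_HEADER = bytes.fromhex("1234 0100 0001 0000 0000 0000")

if __name__ == "__main__":
    for value in (0x0010, 0x0100):
        print(f"{value:#06x}: {decode_dns_flags(value)} problems={check_query_flags(value)}")
    print(f"header flags: {flags_from_header(SAMPLE_QUERY_HEADER):#06x}")
```

Run as-is, it shows that 0x0010 lands in the reserved Z field with RD clear, while 0x0100 decodes to a clean query with RD set.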
