Not traveling this week, I got a bit of extra time and decided to put up a couple of "packet challenges". If you are following me on Twitter, you may have already seen them. If not... here they are:

First one (with solution): http://johannes.homepc.org/packet1.txt

The second one (posted yesterday): http://johannes.homepc.org/packet.txt (I think I only got one decent answer for it so far, so I will keep it up a bit longer...)

A third one will be posted later today.

And BTW... got packets? We always like good and interesting packets.

Update: just made the new challenge live, again at http://johannes.homepc.org/packet.txt
Johannes, ISC Handler
Sep 16th 2010
I think I found an error in the packet1 text.
It has 0010 hex as the DNS flags:

flags: 0010
Query / Response flag: 0 - it's a query
Opcode: 0 - standard query (4 bits)
Authoritative answer: no... it's a query
Truncation flag: no... it's a query
Recursion Desired: yes!
Zero: 3 bits... always zero
Response Code: 0... no error

The above write-up of the flags indicates that the flags should be 0100. They have bit five set, which should always be a zero. They have Recursion Desired: yes. This would be bit nine, not bit five.
Anonymous
Sep 16th 2010
Answer to second packet:
FileName: mail.exe
Size: 28864
MD5: 05e3c1f54e95f13921e9dd0ace5a2a4e

This appears to be MyDoom malware, UPX packed, being spread/sent via email. The Snort signature triggered incorrectly in this case because it triggered on the BASE64 string AAAAAAAAAA, not an actual OP inc ecx NOOP call.

Quick analysis:
Creates reg entry under HKU\...\Microsoft\Daemon
Creates the following files:
C:\DOCUME~1\unbreakable~1\LOCALS~1\Temp\zincite.log
C:\WINDOWS\java.exe
C:\WINDOWS\services.exe
Creates a services.exe thread
Tries to connect out to 16.51.193.226
Tries to connect out to 123.237.130.119
Anonymous
Sep 18th 2010
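The base64 false positive described in the answer above, as an added example that is not from the diary or the commenter: a constructed MIME body with a base64 attachment is checked once on the raw wire bytes, the way the triggering rule did, and once after decoding the part. The mail bodies, function names and the ten-byte 0x41 pattern are assumptions for illustration.

```python
import base64

# Constructed sample data (not from the diary): a minimal MIME part carrying a
# base64-encoded attachment, as a mail-borne executable would be sent.
def mime_body(payload: bytes) -> bytes:
    return (b"Content-Type: application/octet-stream\r\n"
            b"Content-Transfer-Encoding: base64\r\n\r\n"
            + base64.b64encode(payload) + b"\r\n")

# Ten consecutive 0x41 bytes: on x86 each one is "inc ecx", so a run of them
# is the NOP-like slide the rule in the comment was written to catch.
SIGNATURE = b"\x41" * 10

# Benign: an executable header followed by NUL padding. Zero bytes encode to
# "AAAA..." in base64, which is the literal text the raw-byte rule matched on.
BENIGN_MAIL = mime_body(b"MZ" + b"\x00" * 64)

# Suspicious: the real 0x41 run. In base64 it becomes "QUFBQUFB...", so a
# raw-byte rule never sees ten 'A' characters at all and misses it.
SLED_MAIL = mime_body(b"\x41" * 16)

def raw_match(body: bytes) -> bool:
    """Naive content match on the wire bytes, as the triggering rule did."""
    return SIGNATURE in body

def decoded_match(body: bytes) -> bool:
    """Match after decoding base64 parts, so the rule sees attachment bytes."""
    headers, _, encoded = body.partition(b"\r\n\r\n")
    if b"base64" not in headers.lower():
        return SIGNATURE in body  # not transfer-encoded; match as-is
    try:
        data = base64.b64decode(encoded)  # non-alphabet bytes (CRLF) are dropped
    except ValueError:
        return False  # undecodable part: leave it to other rules
    return SIGNATURE in data

if __name__ == "__main__":
    for name, mail in (("benign", BENIGN_MAIL), ("sled", SLED_MAIL)):
        print(f"{name}: raw={raw_match(mail)} decoded={decoded_match(mail)}")
```

The raw check fires on the zero-padded benign attachment and misses the real run, while the decoded check gets both cases right; this is why content rules for encoded attachments need to run on the decoded bytes.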