Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: A Packet a Day - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
A Packet a Day

Not traveling this week, I got a bit extra time and decided to put up a couple "packet challenges". If you are following me on twitter, you may have already seen them. If not... here they are:

First one (with solution): http://johannes.homepc.org/packet1.txt

The second one (posted yesterday): http://johannes.homepc.org/packet.txt (I think I only got one decent answer for it so far, so I will keep it up a bit longer...)

A third one will be posted later today. And BTW... got packets? We always like good and interesting packets.

update: just made the new challenge live. again at http://johannes.homepc.org/packet.txt

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANSFIRE 2022

 Johannes

4504 Posts
ISC Handler
Sep 16th 2010
Thread locked Subscribe Sep 16th 2010
1 decade ago
I think I found an error in the packet1 text.

It has 0010 hex as the DNS Flags

flags: 0010

Query / Response flag: 0 - it's a query
Opcode: 0 - standard query (4 bits)
Authoritative answer: no... its a query
Truncation flag: no... its a query
Recursion Desired: yes!
Zero: 3 bits.. always zero
Response Code: 0 ... no error

The above write up of the flags indicates that flags should be 0100.
They have bit five set which should always be a zero.
They have Recursion desired: yes This would be bit nine, not bit five.

r\
 Anonymous
Quote Sep 16th 2010
1 decade ago
Answer to second packet:

FileName: mail.exe
size: 28864
md5 (05e3c1f54e95f13921e9dd0ace5a2a4e)

This appears to be MyDoom malware UPX packet being spread/sent via email.

The Snort signature triggered incorrectly in this case because it triggered on the BASE64 string AAAAAAAAAA not an actual OP inc ecx NOOP call.

Quick analysis:
Creates reg entry under ​HKU\...\Microsoft\Daemon

Creates the following files:
C:\DOCUME~1\unbreakable~1\LOCALS~1\Temp\zincite.log
C:\WINDOWS\java.exe
C:\WINDOWS\services.exe

Creates a services.exe thread
Tries to connect out to 16.51.193.226
Tries to connect out to 123.237.130.119
 Anonymous
Quote Sep 18th 2010
1 decade ago

Sign Up for Free or Log In to start participating in the conversation!