SANS Internet Storm Center - SANS ISC InfoSec Forums

Be on the Lookout: Odd DNS Traffic, Possible C&C Traffic

We got an email from one of our readers, including an interesting port 53 packet. While Wireshark and TCPDump try to decode it as DNS, it is almost certainly not DNS. 

The payload of the packet is (I obfuscated the country the user is located in):

oracle:1c6F65E41DFC:www.kmplayer.com:192.168.1.2:[country of system]:SYSTEM:Windows XP:V139

The user does not have KMPlayer or Oracle installed in his network. This looks very much like some form of command and control traffic. At this point, we do not have any malware associated with it.

Here is how tcpdump decoded the packets (again, anonymized): 

$ tcpdump -r strange-udp.pcapng -nAt
reading from file strange-udp.pcapng, link-type EN10MB (Ethernet)
IP a.b.c.d.20510 > w.x.y.z.53: 28530 updateM+ [b2&3=0x6163] [14897a] [27749q] [25398n] [17974au][|domain]
oracle:1c6F65E41DFC:www.kmplayer.com:192.168.1.2:[country]:SYSTEM:Windows XP:V139.
IP a.b.c.d.11185 > w.x.y.z.53: 28530 updateM+ [b2&3=0x6163] [14896a] [27749q] [12337n] [17988au][|domain]
oracle:001FD0309751:www.kmplayer.com:192.168.1.102:doubleup-xp:SYSTEM:Windows XP:V139

The source was an RFC 1918 address in this case, and the target was close to the user's IP address, which is why both are anonymized here. I also removed the non-printable part of the payload to make it fit the screen.

I installed KMPlayer on a virtual system and didn't see any traffic like this. 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Johannes (ISC Handler, 3036 posts)
We are having odd DNS issues - cannot reach some web sites: salesforce.com and travelocity.com are failing to resolve, and we are getting paged about some of our own domain's external DNS not resolving. Both we and Salesforce are hosted at UltraDNS.

Other users seeing similar issues:
http://www.isitdownrightnow.com/salesforce.com.html#commentstop
Anonymous
After capturing just a couple of minutes, there are several packets to a number of IPs with content similar to those in the original post:

a.b.c.d.51892 > x.y.z.nnn.53: 18245 updateD [b2&3=0x5420] [18516a] [12064q] [21584n] [12081au][|domain]
E..9.1....R..MO".p.....5.%..GET / HTTP/1.1
Host: www

----
JS
JanS (10 posts)
That's interesting JS. It looks different from what Dr J had posted. HTTP on port 53 fits into the "suspicious" category. Would you be willing to send in a pcap to us via the contact form?

-KL
Kevin Liston (ISC Handler, 280 posts)
Has more of this traffic been seen?

I am seeing traffic similar to JS

Example:
a.b.c.d.39592 > x.y.z.nnn.domain: [no cksum] 18245 updateD [b2&3=0x5420] [18516a] [12064q] [21584n] [12081au][|domain] (ttl 243, id 54321, len 57)
0000: 4500 0039 d431 0000 f311 0350 daf1 62c6 E..9.1.....P..b.
0010: 3f87 72f3 9aa8 0035 0025 0000 4745 5420 ?.r....5.%..GET
0020: 2f20 4854 5450 2f31 2e31 0d0a 486f 7374 / HTTP/1.1..Host
0030: 3a20 7777 770d 0a0d 0a : www....

----
MB (2 posts)
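As an added illustration (my own code, not from any poster in this thread), the following Python decodes the first twelve bytes of a UDP payload the way tcpdump's DNS printer does and rebuilds its summary line for Dr J's "oracle:" beacon and for MB's "GET / HTTP/1.1" packet: every "DNS" value tcpdump printed is just a pair of ASCII characters from the text, and a header made entirely of printable bytes is a cheap check that port-53 traffic is not DNS at all. The opcode names are tcpdump's own table (including the legacy updateA..zoneRef entries); the one simplification is that the [b2&3=...] field is printed unconditionally here, whereas tcpdump shows it only when unusual flag bits are set.

```python
import struct

# Opcode names from tcpdump's print-domain.c; codes 9-15 are legacy names,
# which is why a flag byte of 0x61 (opcode 12) is printed as "updateM".
TCPDUMP_OPCODES = ["", "inv_q", "stat", "op3", "notify", "update", "op6", "op7",
                   "op8", "updateA", "updateD", "updateDA", "updateM", "updateMA",
                   "zoneInit", "zoneRef"]


def decode_dns_header(payload: bytes) -> dict:
    """Decode the 12-byte DNS header from any UDP payload, as tcpdump does."""
    if len(payload) < 12:
        raise ValueError("need at least 12 bytes for a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    return {
        "id": ident,
        "opcode": TCPDUMP_OPCODES[(flags >> 11) & 0xF],  # 4-bit opcode field
        "rd": bool(flags & 0x0100),                      # tcpdump prints '+' when set
        "flags": flags,
        "q": qd, "a": an, "n": ns, "au": ar,
        # Real DNS headers contain a random ID and mostly zero bytes; all twelve
        # header bytes being printable ASCII means text was stuffed into port 53.
        "header_is_ascii": all(32 <= b < 127 for b in payload[:12]),
    }


def tcpdump_summary(payload: bytes) -> str:
    """Rebuild tcpdump's one-line DNS summary for the header of this payload."""
    h = decode_dns_header(payload)
    rd = "+" if h["rd"] else ""
    return (f"{h['id']} {h['opcode']}{rd} [b2&3=0x{h['flags']:x}] "
            f"[{h['a']}a] [{h['q']}q] [{h['n']}n] [{h['au']}au]")


# Constructed sample payloads, copied from the thread (country field anonymised).
BEACON = b"oracle:1c6F65E41DFC:www.kmplayer.com:192.168.1.2:XX:SYSTEM:Windows XP:V139"
HTTP_ON_53 = b"GET / HTTP/1.1\r\nHost: www\r\n\r\n"

if __name__ == "__main__":
    for p in (BEACON, HTTP_ON_53):
        h = decode_dns_header(p)
        print(tcpdump_summary(p), "| printable header:", h["header_is_ascii"])
```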
Do you have more than one packet of this traffic? I can think of two explanations: Tunneling HTTP over DNS, in which case we should see the full request in subsequent packets, or it is a broken tool that does a DNS lookup on the header vs. just the host name.
Johannes (ISC Handler, 3036 posts)
I have multiple packets but never more than that one to a single host.
Multiple hosts are receiving this traffic.

--
MB (2 posts)
This traffic is almost certainly from someone using a tool built on Python's scapy module.

Note the updateM+ string in the destination output.

source
--------------------
from scapy.all import *
# Build an IP/UDP packet carrying an arbitrary text payload and send it.
a = IP(src="1.1.1.1",dst="2.2.2.2")
u = UDP(dport=514)                   # destination port 514 (syslog) in this test
pay = "anything goes here is gets mangled"
packet = a/u/pay                     # stack the layers: IP / UDP / raw text
packet.display()                     # dump the layers before sending
send(packet)


destination
--------------------
[user@2.2.2.2 ~]$ sudo /usr/sbin/tcpdump port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:27:25.437689 IP 1.1.1.1.domain > 2.2.2.2.syslog: 16757 updateM+ [b2&3=0x6720] [12592a] [12576q] [14896n] [12346au][|domain]
Anonymous