SANS ISC: Port 80 UDP Malware SANS ISC InfoSec Forums

Port 80 UDP Malware
Our reader Warren informed us that his office in China was infected by a rather nasty piece of malware. It flooded the network with UDP traffic on port 80 and was not recognized by any anti-virus tool. A single infected host sent 100 UDP packets / second.

A couple more hints that may help you identify this threat:

- The UDP port 80 traffic was directed at 222.208.183.72.
- The file name used by the malware is p2psvr.exe (sorry, the binary was not preserved in the cleanup :-( ).
- The machine was also infected with PR_LOOKED.lF (according to Trend Micro).

I assume that the malware attempts to sneak past lazy firewall rules that allow TCP and UDP port 80 outbound. The target does not appear to be a "special" host, but a DDoS is a possible motive for the UDP traffic.
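Whether or not an egress policy allows UDP port 80, a host sending 100 packets per second to a single destination on that port stands out in flow data. The script below is an added example, not code from the diary or from the reader's incident: it parses constructed NetFlow-style records (the column layout, the internal 192.0.2.x addresses and the 50 packets/second threshold are all assumptions), aggregates UDP/80 packets per source over the observed time, and reports sources above the threshold together with the destinations they hit. The only value taken from the diary is the destination 222.208.183.72.

```python
"""Flag internal hosts sending high-rate UDP traffic to destination port 80.

Added example, not part of the ISC diary. The input is a constructed,
NetFlow-like text log; in practice the records would come from a flow
collector or a firewall's connection log.
"""
from collections import defaultdict

# Constructed sample records (not real data). Columns:
# start_time duration_s src dst proto dport pkts
FLOW_RECORDS = """\
2020-03-01T10:00:00 10 192.0.2.15 222.208.183.72 UDP 80 1000
2020-03-01T10:00:00 10 192.0.2.15 198.51.100.7 TCP 80 40
2020-03-01T10:00:00 10 192.0.2.22 198.51.100.7 UDP 80 3
2020-03-01T10:00:00 10 192.0.2.22 192.0.2.1 UDP 53 120
2020-03-01T10:00:05 5 192.0.2.30 222.208.183.72 UDP 80 600
"""

# Assumed alert threshold; tune it to the UDP/80 baseline of your own network.
FLOOD_THRESHOLD_PPS = 50


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; skip blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, dur, src, dst, proto, dport, pkts = line.split()
        flows.append({
            "start": start, "duration": float(dur), "src": src, "dst": dst,
            "proto": proto.upper(), "dport": int(dport), "pkts": int(pkts),
        })
    return flows


def udp80_rate_by_source(flows):
    """Aggregate UDP/80 packets and observation time per source; return pps and targets."""
    pkts = defaultdict(int)
    seconds = defaultdict(float)
    dsts = defaultdict(set)
    for f in flows:
        if f["proto"] != "UDP" or f["dport"] != 80:
            continue
        pkts[f["src"]] += f["pkts"]
        seconds[f["src"]] += f["duration"]
        dsts[f["src"]].add(f["dst"])
    # A zero-length observation window is treated as one second to avoid
    # dividing by zero (this slightly under-reports very short bursts).
    return {
        src: {"pps": pkts[src] / (seconds[src] or 1.0), "dsts": sorted(dsts[src])}
        for src in pkts
    }


def find_udp80_flooders(flows, threshold_pps=FLOOD_THRESHOLD_PPS):
    """Return sources at or above the UDP/80 rate threshold, highest rate first."""
    rates = udp80_rate_by_source(flows)
    hits = [
        {"src": src, "pps": round(r["pps"], 1), "dsts": r["dsts"]}
        for src, r in rates.items()
        if r["pps"] >= threshold_pps
    ]
    return sorted(hits, key=lambda h: h["pps"], reverse=True)


if __name__ == "__main__":
    for hit in find_udp80_flooders(parse_flows(FLOW_RECORDS)):
        print(f"{hit['src']}: {hit['pps']} UDP/80 pkts/s -> {', '.join(hit['dsts'])}")
```

On the constructed records, 192.0.2.15 (1000 packets in 10 s) and 192.0.2.30 (600 packets in 5 s) are reported; 192.0.2.22 is not, since its three UDP/80 packets are well under the threshold and its port 53 traffic is ignored. Rating per source rather than simply counting packets to port 80 keeps the check useful even where some UDP/80 traffic is legitimate, and the destination list makes it easy to spot several hosts converging on one target, which is what a DDoS participant looks like from inside the network.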

Reminder: if you come across odd infections like that, please preserve the malware for analysis.

Johannes
