[Emerging-Sigs] Interesting traffic: SID:2007671 (Binary Download Smaller than 1 MB) with Windows Update
Jonathan Scheidell
jscheidell at secnap.net
Fri Apr 18 12:44:29 EDT 2008
Noticed this today. Times and occurrences coincide with WSUS
synchronizations with Microsoft, however the source is not Microsoft (at
least not in whois or DNS).
I have seen it happen to all of the following hosts in the past month or so:
192.221.98.126:80
204.160.99.123:80
208.111.160.128:80
208.111.160.20:80
208.111.161.116:80
208.111.161.51:80
208.111.162.23:80
4.23.40.125:80
4.23.51.123:80
4.23.51.126:80
68.142.101.221:80
68.142.101.240:80
68.142.101.40:80
68.142.101.55:80
68.142.101.58:80
68.142.101.84:80
68.142.101.92:80
68.142.110.226:80
8.12.132.158:80
The ones that do have DNS names resolve to hosts on LimeLight Network
(llnw.net). Does anyone else notice this in their environments? Microsoft
acquired LimeLight some time ago and Xbox Live is hosted there. I have read
some message boards where others have tracked this exact issue back to WSUS
updates as well. Does Microsoft hide "reporting" statistics in the
LimeLight network perhaps? This seems to only be present in WSUS version 3.
If anyone else is using that version I would be interested to hear if they
see the same network traffic.
Payload always looks like this:
length = 1460
000 : 48 54 54 50 2F 31 2E 31 20 32 30 36 20 50 61 72 HTTP/1.1 206 Par
010 : 74 69 61 6C 20 43 6F 6E 74 65 6E 74 0D 0A 43 6F tial Content..Co
020 : 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 70 70 6C ntent-Type: appl
030 : 69 63 61 74 69 6F 6E 2F 6F 63 74 65 74 2D 73 74 ication/octet-st
040 : 72 65 61 6D 0D 0A 41 63 63 65 70 74 2D 52 61 6E ream..Accept-Ran
050 : 67 65 73 3A 20 62 79 74 65 73 0D 0A 53 65 72 76 ges: bytes..Serv
060 : 65 72 3A 20 4D 69 63 72 6F 73 6F 66 74 2D 49 49 er: Microsoft-II
070 : 53 2F 36 2E 30 0D 0A 58 2D 50 6F 77 65 72 65 64 S/6.0..X-Powered
080 : 2D 42 79 3A 20 41 53 50 2E 4E 45 54 0D 0A 43 6F -By: ASP.NET..Co
090 : 6E 74 65 6E 74 2D 52 61 6E 67 65 3A 20 62 79 74 ntent-Range: byt
0a0 : 65 73 20 30 2D 32 39 38 30 34 36 2F 33 39 33 37 es 0-298046/3937
0b0 : 39 32 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 92..Content-Leng
0c0 : 74 68 3A 20 32 39 38 30 34 37 0D 0A 41 67 65 3A th: 298047..Age:
0d0 : 20 34 31 36 31 0D 0A 44 61 74 65 3A 20 46 72 69 4161..Date: Fri
0e0 : 2C 20 31 38 20 41 70 72 20 32 30 30 38 20 30 31 , 18 Apr 2008 01
0f0 : 3A 32 37 3A 34 36 20 47 4D 54 0D 0A 4C 61 73 74 :27:46 GMT..Last
100 : 2D 4D 6F 64 69 66 69 65 64 3A 20 54 68 75 2C 20 -Modified: Thu,
110 : 31 37 20 41 70 72 20 32 30 30 38 20 31 37 3A 31 17 Apr 2008 17:1
120 : 33 3A 34 30 20 47 4D 54 0D 0A 43 6F 6E 6E 65 63 3:40 GMT..Connec
130 : 74 69 6F 6E 3A 20 6B 65 65 70 2D 61 6C 69 76 65 tion: keep-alive
140 : 0D 0A 0D 0A 4D 5A 90 00 03 00 00 00 04 00 00 00 ....MZ..........
150 : FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 ............@...
160 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
170 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
180 : C8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C ............!..L
190 : CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 .!This program c
1a0 : 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 annot be run in
1b0 : 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 DOS mode....$...
1c0 : 00 00 00 00 0F BD 8E CD 4B DC E0 9E 4B DC E0 9E ........K...K...
1d0 : 4B DC E0 9E C8 D4 BD 9E 44 DC E0 9E 4B DC E1 9E K.......D...K...
1e0 : 20 DC E0 9E C5 D4 BF 9E 5F DC E0 9E C8 D4 BE 9E ......._.......
1f0 : 4A DC E0 9E C8 D4 BA 9E 4A DC E0 9E 52 69 63 68 J.......J...Rich
200 : 4B DC E0 9E 00 00 00 00 00 00 00 00 50 45 00 00 K...........PE..
210 : 4C 01 03 00 A6 2E 1E 42 00 00 00 00 00 00 00 00 L......B........
220 : E0 00 0F 0D 0B 01 07 0A 00 7A 00 00 00 10 00 00 .........z......
230 : 00 00 00 00 72 59 00 00 00 20 00 00 00 A0 00 00 ....rY... ......
240 : 00 00 00 01 00 20 00 00 00 02 00 00 05 00 02 00 ..... ..........
250 : 05 00 02 00 04 00 00 00 00 00 00 00 00 E0 01 00 ................
260 : 00 04 00 00 C5 9C 06 00 02 00 00 84 00 00 04 00 ................
270 : 00 20 00 00 00 00 10 00 00 10 00 00 00 00 00 00 . ..............
280 : 10 00 00 00 00 00 00 00 00 00 00 00 40 8E 00 00 ............@...
290 : A0 00 00 00 00 C0 01 00 30 0D 00 00 00 00 00 00 ........0.......
2a0 : 00 00 00 00 00 DE 05 00 40 24 00 00 00 00 00 00 ........@$......
2b0 : 00 00 00 00 D0 21 00 00 1C 00 00 00 00 00 00 00 .....!..........
2c0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
2d0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
2e0 : 00 00 00 00 00 20 00 00 C8 01 00 00 00 00 00 00 ..... ..........
2f0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
300 : 00 00 00 00 2E 74 65 78 74 00 00 00 A0 78 00 00 .....text....x..
310 : 00 20 00 00 00 7A 00 00 00 04 00 00 00 00 00 00 . ...z..........
320 : 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 ........ ..`.dat
330 : 61 00 00 00 D4 10 01 00 00 A0 00 00 00 02 00 00 a...............
340 : 00 7E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .~..............
350 : 40 00 00 C0 2E 72 73 72 63 00 00 00 30 0D 00 00 @....rsrc...0...
360 : 00 C0 01 00 00 5E 05 00 00 80 00 00 00 00 00 00 .....^..........
370 : 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 ........@..@....
380 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
390 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
3a0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
3b0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
3c0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
3d0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
3e0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
3f0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
400 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
410 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
420 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
430 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
440 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
450 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
460 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
470 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
480 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
490 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
4a0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
4b0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
4c0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
4d0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
4e0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
4f0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
500 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
510 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
520 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
530 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
540 : 00 00 00 00 AE 96 00 00 84 96 00 00 74 96 00 00 ............t...
550 : 5A 96 00 00 CA 96 00 00 E0 96 00 00 F2 96 00 00 Z...............
560 : 0A 97 00 00 26 97 00 00 3C 97 00 00 4C 97 00 00 ....&...<...L...
570 : 9A 96 00 00 00 00 00 00 11 00 00 80 00 00 00 00 ................
580 : A0 91 00 00 B0 91 00 00 BC 91 00 00 CE 91 00 00 ................
590 : E6 91 00 00 F4 91 00 00 0C 92 00 00 20 92 00 00 ............ ...
5a0 : 3A 92 00 00 4A 92 00 00 56 92 00 00 5E 92 00 00 :...J...V...^...
5b0 : 78 92 00 00 x...
--
Jon Scheidell
>|SECNAP Network Security
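As an added example (not code from the post, from the Emerging Threats rule set, or from Microsoft), the Python below takes the headers and the first rows of the dump above and pulls out what the signature keys on and what an analyst then needs: the 206 framing (Content-Range total versus the Content-Length of this chunk), the MZ/PE headers, the section table, and the SECURITY data directory that points at an appended Authenticode certificate table. The header string and the hex rows are transcribed from the mail; the function names and check names are my own, and the parser handles only PE32 because that is what the dump shows.

```python
import re
import struct

# Response headers transcribed from the ASCII column of the dump above
# (offsets 000h-143h); the body, starting with MZ, begins at 144h.
HEADERS = (
    "HTTP/1.1 206 Partial Content\r\nContent-Type: application/octet-stream\r\n"
    "Accept-Ranges: bytes\r\nServer: Microsoft-IIS/6.0\r\nX-Powered-By: ASP.NET\r\n"
    "Content-Range: bytes 0-298046/393792\r\nContent-Length: 298047\r\nAge: 4161\r\n"
    "Date: Fri, 18 Apr 2008 01:27:46 GMT\r\n"
    "Last-Modified: Thu, 17 Apr 2008 17:13:40 GMT\r\nConnection: keep-alive\r\n\r\n"
)

# Dump rows 140h-370h copied from the mail, two rows per line. The leading
# 0D 0A 0D 0A terminates the headers and is stripped below; rows 380h on
# are padding and a few RVAs that the header parse does not need.
DUMP_140_370 = """
0D 0A 0D 0A 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
C8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63
61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00
00 00 00 00 0F BD 8E CD 4B DC E0 9E 4B DC E0 9E 4B DC E0 9E C8 D4 BD 9E 44 DC E0 9E 4B DC E1 9E
20 DC E0 9E C5 D4 BF 9E 5F DC E0 9E C8 D4 BE 9E 4A DC E0 9E C8 D4 BA 9E 4A DC E0 9E 52 69 63 68
4B DC E0 9E 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 00 A6 2E 1E 42 00 00 00 00 00 00 00 00
E0 00 0F 0D 0B 01 07 0A 00 7A 00 00 00 10 00 00 00 00 00 00 72 59 00 00 00 20 00 00 00 A0 00 00
00 00 00 01 00 20 00 00 00 02 00 00 05 00 02 00 05 00 02 00 04 00 00 00 00 00 00 00 00 E0 01 00
00 04 00 00 C5 9C 06 00 02 00 00 84 00 00 04 00 00 20 00 00 00 00 10 00 00 10 00 00 00 00 00 00
10 00 00 00 00 00 00 00 00 00 00 00 40 8E 00 00 A0 00 00 00 00 C0 01 00 30 0D 00 00 00 00 00 00
00 00 00 00 00 DE 05 00 40 24 00 00 00 00 00 00 00 00 00 00 D0 21 00 00 1C 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 20 00 00 C8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 2E 74 65 78 74 00 00 00 A0 78 00 00 00 20 00 00 00 7A 00 00 00 04 00 00 00 00 00 00
00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 D4 10 01 00 00 A0 00 00 00 02 00 00
00 7E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 30 0D 00 00
00 C0 01 00 00 5E 05 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00
"""
BODY = bytes.fromhex("".join(DUMP_140_370.split()))[4:]


def parse_response(raw):
    """Status code and the framing headers a size-based rule depends on."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    hdrs = {n.strip().lower(): v.strip() for n, _, v in (l.partition(":") for l in head[1:])}
    rng = re.fullmatch(r"bytes (\d+)-(\d+)/(\d+)", hdrs.get("content-range", ""))
    return {
        "status": int(head[0].split()[1]),
        "content_type": hdrs.get("content-type"),
        "content_length": int(hdrs["content-length"]),
        # (first, last, total): total is the whole object's size, the number
        # a "smaller than 1 MB" judgement should use rather than the chunk's.
        "content_range": tuple(int(x) for x in rng.groups()) if rng else None,
    }


def parse_pe(body):
    """DOS header -> COFF header -> PE32 optional header -> section table."""
    if body[:2] != b"MZ":
        raise ValueError("body does not start with MZ")
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    if body[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", body, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", body, opt)[0]
    if magic != 0x10B:
        raise ValueError("only PE32 is handled here, magic 0x%X" % magic)
    ndirs = struct.unpack_from("<I", body, opt + 0x5C)[0]
    # Data directory 4 (SECURITY) is a raw file offset and size, not an RVA:
    # the Authenticode certificate table appended after the last section.
    sec = struct.unpack_from("<II", body, opt + 0x60 + 4 * 8) if ndirs > 4 else (0, 0)
    sections = []
    for i in range(nsect):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", body, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize, "va": va,
                         "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"e_lfanew": e_lfanew, "machine": machine, "timestamp": stamp, "characteristics": chars,
            "entry_point": struct.unpack_from("<I", body, opt + 0x10)[0],
            "image_base": struct.unpack_from("<I", body, opt + 0x1C)[0],
            "security_dir": sec, "sections": sections}


def assess(resp, pe):
    """What an analyst wants to know before calling this hit noise."""
    first, last, total = resp["content_range"]
    end_of_sections = max(s["raw_ptr"] + s["raw_size"] for s in pe["sections"])
    sec_off, sec_size = pe["security_dir"]
    return {
        "partial_content": resp["status"] == 206,
        "octet_stream": resp["content_type"] == "application/octet-stream",
        "range_matches_length": last - first + 1 == resp["content_length"],
        "chunk_under_1mb": resp["content_length"] < 1 << 20,
        "whole_file_under_1mb": total < 1 << 20,
        # Certificate table starts right after the last section and ends exactly
        # at the advertised total: sections + Authenticode blob, nothing trailing.
        "cert_table_follows_sections": sec_size > 0 and sec_off == end_of_sections,
        "cert_table_ends_file": sec_size > 0 and sec_off + sec_size == total,
    }
```

Running `assess(parse_response(HEADERS), parse_pe(BODY))` gives true for every check: the whole object is 393792 bytes, under 1 MB even though only 298047 of them travel in this response; the body is a 32-bit x86 PE32 image (machine 0x14C, entry point 0x5972, image base 0x01000000) whose .text/.data/.rsrc sections end at file offset 0x5DE00, and the SECURITY directory (offset 0x5DE00, size 0x2440) ends exactly at byte 393792. That is the layout of a file carrying an appended Authenticode signature; whether that signature verifies, and for whom, needs the remaining ranges of the download, so the headers alone cannot settle who published the binary. Two caveats for anyone tuning the rule: a 206 chunk can be far under 1 MB while the object is not, so compare the Content-Range total rather than Content-Length before treating a "smaller than 1 MB" hit as meaningful, and a PE served from a CDN address rather than a Microsoft one is only attributable by its signature, not by the Server header.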