[Emerging-Sigs] Interesting traffic: SID:2007671 (Binary Download Smaller than 1 MB) with Windows Update
Jonathan Scheidell
jscheidell at secnap.net
Fri Apr 18 16:17:25 EDT 2008
Sounds that way.
Another thing that was strange was that when I manually set WSUS to synchronize
while I was capturing a dump, it never triggered this Snort alert. So the
behavior is different between a scheduled synchronization and a manual
one.
Very tricky stuff...
On 4/18/08 3:26 PM, "Matt Jonkman" <jonkman at jonkmans.com> wrote:
> Sounds like we can assume this legitimate then. Strange though.
>
> Matt
>
> Lee Clemens wrote:
>> I am running WSUS SP1 and have seen this same behavior to the Limelight
>> Networks' CIDR block during synchronization.
>>
>>
>> -----Original Message-----
>> From: emerging-sigs-bounces at emergingthreats.net
>> [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Matt Jonkman
>> Sent: Friday, April 18, 2008 1:17 PM
>> To: Jonathan Scheidell
>> Cc: emerging-sigs at emergingthreats.net
>> Subject: Re: [Emerging-Sigs] Interesting traffic: SID:2007671 (Binary
>> Download Smaller than 1 MB) with Windows Update
>>
>> Hmmm, that's very interesting. I haven't seen anything like that before.
>>
>> Could you run a full capture for those nets (or anyone else that might
>> have the same activity)?
>>
>> I'd be very interested to find out what those binaries are. If we have a
>> full pcap we can extract them and look it over.
>>
>> Matt
>>
>> Jonathan Scheidell wrote:
>>> Noticed this today. Times and occurrences coincide with WSUS
>>> synchronizations with Microsoft, however the source is not Microsoft (at
>>> least not in whois or DNS).
>>>
>>> I have seen it happen to all of the following hosts in the past month or so:
>>> 192.221.98.126:80
>>> 204.160.99.123:80
>>> 208.111.160.128:80
>>> 208.111.160.20:80
>>> 208.111.161.116:80
>>> 208.111.161.51:80
>>> 208.111.162.23:80
>>> 4.23.40.125:80
>>> 4.23.51.123:80
>>> 4.23.51.126:80
>>> 68.142.101.221:80
>>> 68.142.101.240:80
>>> 68.142.101.40:80
>>> 68.142.101.55:80
>>> 68.142.101.58:80
>>> 68.142.101.84:80
>>> 68.142.101.92:80
>>> 68.142.110.226:80
>>> 8.12.132.158:80
>>>
>>> The ones that do have DNS names resolve to hosts on LimeLight Network
>>> (llnw.net). Does anyone else notice this in their environments?
>>> Microsoft acquired LimeLight some time ago and Xbox Live is hosted
>>> there. I have read some message boards where others have tracked this
>>> exact issue back to WSUS updates as well. Does Microsoft hide
>>> "reporting" statistics in the LimeLight network perhaps? This seems to
>>> only be present in WSUS version 3. If anyone else is using that version
>>> I would be interested to hear if they see the same network traffic.
>>>
>>>
>>> Payload always looks like this:
>>> length = 1460
>>>
>>> 000 : 48 54 54 50 2F 31 2E 31 20 32 30 36 20 50 61 72 HTTP/1.1 206 Par
>>> 010 : 74 69 61 6C 20 43 6F 6E 74 65 6E 74 0D 0A 43 6F tial Content..Co
>>> 020 : 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 70 70 6C ntent-Type: appl
>>> 030 : 69 63 61 74 69 6F 6E 2F 6F 63 74 65 74 2D 73 74 ication/octet-st
>>> 040 : 72 65 61 6D 0D 0A 41 63 63 65 70 74 2D 52 61 6E ream..Accept-Ran
>>> 050 : 67 65 73 3A 20 62 79 74 65 73 0D 0A 53 65 72 76 ges: bytes..Serv
>>> 060 : 65 72 3A 20 4D 69 63 72 6F 73 6F 66 74 2D 49 49 er: Microsoft-II
>>> 070 : 53 2F 36 2E 30 0D 0A 58 2D 50 6F 77 65 72 65 64 S/6.0..X-Powered
>>> 080 : 2D 42 79 3A 20 41 53 50 2E 4E 45 54 0D 0A 43 6F -By: ASP.NET..Co
>>> 090 : 6E 74 65 6E 74 2D 52 61 6E 67 65 3A 20 62 79 74 ntent-Range: byt
>>> 0a0 : 65 73 20 30 2D 32 39 38 30 34 36 2F 33 39 33 37 es 0-298046/3937
>>> 0b0 : 39 32 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 92..Content-Leng
>>> 0c0 : 74 68 3A 20 32 39 38 30 34 37 0D 0A 41 67 65 3A th: 298047..Age:
>>> 0d0 : 20 34 31 36 31 0D 0A 44 61 74 65 3A 20 46 72 69 4161..Date: Fri
>>> 0e0 : 2C 20 31 38 20 41 70 72 20 32 30 30 38 20 30 31 , 18 Apr 2008 01
>>> 0f0 : 3A 32 37 3A 34 36 20 47 4D 54 0D 0A 4C 61 73 74 :27:46 GMT..Last
>>> 100 : 2D 4D 6F 64 69 66 69 65 64 3A 20 54 68 75 2C 20 -Modified: Thu,
>>> 110 : 31 37 20 41 70 72 20 32 30 30 38 20 31 37 3A 31 17 Apr 2008 17:1
>>> 120 : 33 3A 34 30 20 47 4D 54 0D 0A 43 6F 6E 6E 65 63 3:40 GMT..Connec
>>> 130 : 74 69 6F 6E 3A 20 6B 65 65 70 2D 61 6C 69 76 65 tion: keep-alive
>>> 140 : 0D 0A 0D 0A 4D 5A 90 00 03 00 00 00 04 00 00 00 ....MZ..........
>>> 150 : FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 ............@...
>>> 160 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>>> 170 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>>> 180 : C8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C ............!..L
>>> 190 : CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 .!This program c
>>> 1a0 : 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 annot be run in
>>> 1b0 : 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 DOS mode....$...
>>> 1c0 : 00 00 00 00 0F BD 8E CD 4B DC E0 9E 4B DC E0 9E ........K...K...
>>> 1d0 : 4B DC E0 9E C8 D4 BD 9E 44 DC E0 9E 4B DC E1 9E K.......D...K...
>>> 1e0 : 20 DC E0 9E C5 D4 BF 9E 5F DC E0 9E C8 D4 BE 9E ......._.......
>>> 1f0 : 4A DC E0 9E C8 D4 BA 9E 4A DC E0 9E 52 69 63 68 J.......J...Rich
>>> 200 : 4B DC E0 9E 00 00 00 00 00 00 00 00 50 45 00 00 K...........PE..
>>> 210 : 4C 01 03 00 A6 2E 1E 42 00 00 00 00 00 00 00 00 L......B........
>>> 220 : E0 00 0F 0D 0B 01 07 0A 00 7A 00 00 00 10 00 00 .........z......
>>> 230 : 00 00 00 00 72 59 00 00 00 20 00 00 00 A0 00 00 ....rY... ......
>>> 240 : 00 00 00 01 00 20 00 00 00 02 00 00 05 00 02 00 ..... ..........
>>> 250 : 05 00 02 00 04 00 00 00 00 00 00 00 00 E0 01 00 ................
>>> 260 : 00 04 00 00 C5 9C 06 00 02 00 00 84 00 00 04 00 ................
>>> 270 : 00 20 00 00 00 00 10 00 00 10 00 00 00 00 00 00 . ..............
>>> 280 : 10 00 00 00 00 00 00 00 00 00 00 00 40 8E 00 00 ............@...
>>> 290 : A0 00 00 00 00 C0 01 00 30 0D 00 00 00 00 00 00 ........0.......
>>> 2a0 : 00 00 00 00 00 DE 05 00 40 24 00 00 00 00 00 00 ........@$......
>>> 2b0 : 00 00 00 00 D0 21 00 00 1C 00 00 00 00 00 00 00 .....!..........
>>> 2c0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>>> 2d0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>>> 2e0 : 00 00 00 00 00 20 00 00 C8 01 00 00 00 00 00 00 ..... ..........
>>> 2f0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>>> 300 : 00 00 00 00 2E 74 65 78 74 00 00 00 A0 78 00 00 .....text....x..
>>> 310 : 00 20 00 00 00 7A 00 00 00 04 00 00 00 00 00 00 . ...z..........
>>> 320 : 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 ........ ..`.dat
>>> 330 : 61 00 00 00 D4 10 01 00 00 A0 00 00 00 02 00 00 a...............
>>> 340 : 00 7E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .~..............
>>> 350 : 40 00 00 C0 2E 72 73 72 63 00 00 00 30 0D 00 00 @....rsrc...0...
>>> 360 : 00 C0 01 00 00 5E 05 00 00 80 00 00 00 00 00 00 .....^..........
>>> 370 : 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 ........@..@....
>>> 380 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>>> 390 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>>> 3a0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>>> 3b0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>>> 3c0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>>> 3d0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>>> 3e0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>>> 3f0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>>> 400 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>>> 410 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>>> 420 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>>> 430 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>>> 440 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>>> 450 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>>> 460 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>>> 470 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>>> 480 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>>> 490 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>>> 4a0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>>> 4b0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>>> 4c0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>>> 4d0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>>> 4e0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>>> 4f0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>>> 500 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>>> 510 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>>> 520 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>>> 530 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>>> 540 : 00 00 00 00 AE 96 00 00 84 96 00 00 74 96 00 00 ............t...
>>> 550 : 5A 96 00 00 CA 96 00 00 E0 96 00 00 F2 96 00 00 Z...............
>>> 560 : 0A 97 00 00 26 97 00 00 3C 97 00 00 4C 97 00 00 ....&...<...L...
>>> 570 : 9A 96 00 00 00 00 00 00 11 00 00 80 00 00 00 00 ................
>>> 580 : A0 91 00 00 B0 91 00 00 BC 91 00 00 CE 91 00 00 ................
>>> 590 : E6 91 00 00 F4 91 00 00 0C 92 00 00 20 92 00 00 ............ ...
>>> 5a0 : 3A 92 00 00 4A 92 00 00 56 92 00 00 5E 92 00 00 :...J...V...^...
>>> 5b0 : 78 92 00 00 x...
>>>
>>> --
>>> Jon Scheidell
>>>> |SECNAP Network Security
>>>
>>> ------------------------------------------------------------------------
>>> This email has been scanned and certified safe by SpammerTrap(tm).
>>> For Information please see http://www.spammertrap.com
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
--
Jon Scheidell
Manager Operations and Support
>|SECNAP Network Security
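Added example (not code from the thread, from SECNAP, or from Emerging Threats): a Python script that rebuilds the bytes from the hexdump in Jonathan's original post, splits the HTTP response, and reads the DOS header, PE signature and COFF header fields that fall inside this first 1460-byte segment, which is the triage an analyst can do before a full pcap is available. Only dump lines 000 through 220 are embedded, since nothing past them is needed for the fields read here. The final `rule_would_match` check is an assumption about what SID 2007671 keys on (an executable body with a Content-Length under 1 MB); the actual rule text is not in the thread.

```python
import re
import struct

# Dump lines 000-220 copied from the payload in the post (ASCII column dropped); later lines carry no field read here.
PAYLOAD_DUMP = """\
000 : 48 54 54 50 2F 31 2E 31 20 32 30 36 20 50 61 72
010 : 74 69 61 6C 20 43 6F 6E 74 65 6E 74 0D 0A 43 6F
020 : 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 70 70 6C
030 : 69 63 61 74 69 6F 6E 2F 6F 63 74 65 74 2D 73 74
040 : 72 65 61 6D 0D 0A 41 63 63 65 70 74 2D 52 61 6E
050 : 67 65 73 3A 20 62 79 74 65 73 0D 0A 53 65 72 76
060 : 65 72 3A 20 4D 69 63 72 6F 73 6F 66 74 2D 49 49
070 : 53 2F 36 2E 30 0D 0A 58 2D 50 6F 77 65 72 65 64
080 : 2D 42 79 3A 20 41 53 50 2E 4E 45 54 0D 0A 43 6F
090 : 6E 74 65 6E 74 2D 52 61 6E 67 65 3A 20 62 79 74
0a0 : 65 73 20 30 2D 32 39 38 30 34 36 2F 33 39 33 37
0b0 : 39 32 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67
0c0 : 74 68 3A 20 32 39 38 30 34 37 0D 0A 41 67 65 3A
0d0 : 20 34 31 36 31 0D 0A 44 61 74 65 3A 20 46 72 69
0e0 : 2C 20 31 38 20 41 70 72 20 32 30 30 38 20 30 31
0f0 : 3A 32 37 3A 34 36 20 47 4D 54 0D 0A 4C 61 73 74
100 : 2D 4D 6F 64 69 66 69 65 64 3A 20 54 68 75 2C 20
110 : 31 37 20 41 70 72 20 32 30 30 38 20 31 37 3A 31
120 : 33 3A 34 30 20 47 4D 54 0D 0A 43 6F 6E 6E 65 63
130 : 74 69 6F 6E 3A 20 6B 65 65 70 2D 61 6C 69 76 65
140 : 0D 0A 0D 0A 4D 5A 90 00 03 00 00 00 04 00 00 00
150 : FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00
160 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
170 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
180 : C8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C
190 : CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63
1a0 : 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20
1b0 : 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00
1c0 : 00 00 00 00 0F BD 8E CD 4B DC E0 9E 4B DC E0 9E
1d0 : 4B DC E0 9E C8 D4 BD 9E 44 DC E0 9E 4B DC E1 9E
1e0 : 20 DC E0 9E C5 D4 BF 9E 5F DC E0 9E C8 D4 BE 9E
1f0 : 4A DC E0 9E C8 D4 BA 9E 4A DC E0 9E 52 69 63 68
200 : 4B DC E0 9E 00 00 00 00 00 00 00 00 50 45 00 00
210 : 4C 01 03 00 A6 2E 1E 42 00 00 00 00 00 00 00 00
220 : E0 00 0F 0D 0B 01 07 0A 00 7A 00 00 00 10 00 00
"""
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")

def parse_hexdump(dump: str) -> bytes:
    """Rebuild raw bytes from 'OFF : B0 ... B15 <ascii>' lines; stops at the first non-hex token."""
    out = bytearray()
    for line in dump.splitlines():
        if " : " not in line:
            continue
        offset, rest = line.split(" : ", 1)
        if int(offset, 16) != len(out):
            raise ValueError(f"dump is not contiguous at offset {offset}")
        for tok in rest.split()[:16]:
            if not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)

def split_http_response(raw: bytes):
    """Return (status code, lower-cased header dict, body) for one captured response."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of HTTP headers not present in capture")
    status_line, *header_lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for hl in header_lines:
        name, _, value = hl.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split()[1]), headers, body

def inspect_pe_prefix(body: bytes) -> dict:
    """Read the DOS header, PE signature and COFF header that fit inside the first segment."""
    info = {"is_mz": body[:2] == b"MZ", "pe_signature": False}
    if not info["is_mz"]:
        return info
    e_lfanew = int.from_bytes(body[0x3C:0x40], "little")  # where 'PE\0\0' should sit
    info["e_lfanew"] = e_lfanew
    if len(body) < e_lfanew + 28 or body[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    info["pe_signature"] = True
    machine, nsect, stamp, _, _, _, chars = struct.unpack_from("<HHIIIHH", body, e_lfanew + 4)
    magic, ld_major, ld_minor = struct.unpack_from("<HBB", body, e_lfanew + 24)
    info.update(machine=machine, sections=nsect, timestamp=stamp, characteristics=chars,
                is_dll=bool(chars & 0x2000), pe32=magic == 0x10B, linker=f"{ld_major}.{ld_minor}")
    return info

def triage(dump: str) -> dict:
    """Summarise one captured response the way an analyst would before pulling a full pcap."""
    status, headers, body = split_http_response(parse_hexdump(dump))
    rng = re.match(r"bytes (\d+)-(\d+)/(\d+)", headers.get("content-range", ""))
    result = {
        "status": status,
        "content_length": int(headers.get("content-length", -1)),
        "file_size": int(rng.group(3)) if rng else None,  # whole object size when ranged
        "pe": inspect_pe_prefix(body),
    }
    # Assumption: SID 2007671 keys on an executable body with Content-Length under 1 MB (rule text not on page).
    result["rule_would_match"] = result["pe"]["is_mz"] and 0 < result["content_length"] < (1 << 20)
    return result
```

On this payload `triage(PAYLOAD_DUMP)` reports a 206 whose Content-Range gives a whole-object size of 393792 bytes, a 298047-byte partial body that starts with MZ, a PE32 image for i386 (machine 0x14C) with three sections, a 2005 COFF timestamp and no DLL flag. Two caveats follow from that: a ranged transfer means the Content-Length the rule sees is not the size of the executable, so "smaller than 1 MB" says nothing about the file itself; and one segment can confirm the body is a PE but not what it is, so Matt's request for a full capture (and a check of the Authenticode signature on the reassembled file) is still what settles it.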