[Emerging-Sigs] observation on 2008041 and 2008042
Matt Jonkman
jonkman at jonkmans.com
Tue Mar 25 14:17:21 EST 2008
I'm currently looking at 6 different and new UDP c&c's in the sandnet.
Still trying to find patterns to make sigs. Several we've already
released sigs for (medbod, etc).
No other sigs hit there I assume?
You able to give me a full pcap? Might help correlate to existing samples.
Thanks Jack
Matt
Jack Pepper wrote:
> the machines that hit on 2008041 or 2008042 *also* have this
> interesting looking UDP traffic:
>
> 12:46:09.878059 IP 172.16.1.35.2087 > 65.31.211.35.3533: UDP, length 292
> 0x0000: 4500 0140 49d7 0000 8011 2e60 ac10 0123 E..@I......`...#
> 0x0010: 411f d323 0827 0dcd 012c ec6f ef81 c3a2 A..#.'...,.o....
> 0x0020: 0000 5e65 1fb7 27da b2ac a13e 7aee cf09 ..^e..'....>z...
> 0x0030: acf8 3f5e d2a5 0eb2 6d6c 8e95 43ea 11f1 ..?^....ml..C...
> 0x0040: 023b 6f24 c7a8 9d28 db45 b88c 0711 dd03 .;o$...(.E......
> 12:46:09.878063 IP 172.16.1.35.2087 > 70.129.226.182.4002: UDP, length 292
> 0x0000: 4500 0140 49d8 0000 8011 196a ac10 0123 E..@I......j...#
> 0x0010: 4681 e2b6 0827 0fa2 012c 3658 f688 666e F....'...,6X..fn
> 0x0020: 0000 58a8 c518 44b5 8477 49ac c3dd 6270 ..X...D..wI...bp
> 0x0030: 0854 a37c d11d 61c9 f8b9 7b72 4729 faf4 .T.|..a...{rG)..
> 0x0040: c45c 204a 3034 6ffb c646 1e13 eeb2 7656 .\.J04o..F....vV
> 12:46:09.878355 IP 172.16.1.35.2087 > 69.149.164.155.60199: UDP, length 292
> 0x0000: 4500 0140 49d9 0000 7f11 5970 ac10 0123 E..@I.....Yp...#
> 0x0010: 4595 a49b 0827 eb27 012c 7b82 9bb7 b8d7 E....'.'.,{.....
> 0x0020: 0000 6731 f772 e410 6b7b bdb2 b8ca accf ..g1.r..k{......
> 0x0030: 4060 7edc cbc6 b22b 75cf b379 f128 35ef @`~....+u..y.(5.
> 0x0040: 3b61 d55f 2f0d fb3e bebb a413 c29d 7029 ;a._/..>......p)
> 12:46:09.878360 IP 172.16.1.35.2087 > 69.149.164.155.60199: UDP, length 292
> 0x0000: 4500 0140 49d9 0000 8011 5870 ac10 0123 E..@I.....Xp...#
> 0x0010: 4595 a49b 0827 eb27 012c 7b82 9bb7 b8d7 E....'.'.,{.....
> 0x0020: 0000 6731 f772 e410 6b7b bdb2 b8ca accf ..g1.r..k{......
> 0x0030: 4060 7edc cbc6 b22b 75cf b379 f128 35ef @`~....+u..y.(5.
> 0x0040: 3b61 d55f 2f0d fb3e bebb a413 c29d 7029 ;a._/..>......p)
>
>
> always 292 bytes. All the remotes appear to be dialup or DSL.
> anybody else seeing this?
>
> jp
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
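As an added example (not code from the thread or from Emerging Threats), a small Python script that looks for the pattern Jack describes: one source port fanning out fixed-size 292-byte UDP datagrams to several distinct remotes, with the IP total length in each packet's first dump line checked for consistency (0x0140 = 320 = 20-byte IPv4 header + 8-byte UDP header + 292). The capture lines are constructed in tcpdump -X style with RFC 5737 remote addresses; the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the capture in the thread (RFC 5737 remotes,
# header bytes per packet as tcpdump -X prints them, plus one benign DNS query).
SAMPLE = """\
12:46:09.878059 IP 172.16.1.35.2087 > 192.0.2.10.3533: UDP, length 292
\t0x0000:  4500 0140 49d7 0000 8011 2e60 ac10 0123  E..@I......`...#
12:46:09.878063 IP 172.16.1.35.2087 > 198.51.100.7.4002: UDP, length 292
\t0x0000:  4500 0140 49d8 0000 8011 196a ac10 0123  E..@I......j...#
12:46:09.878355 IP 172.16.1.35.2087 > 203.0.113.9.60199: UDP, length 292
\t0x0000:  4500 0140 49d9 0000 7f11 5970 ac10 0123  E..@I.....Yp...#
12:46:09.878360 IP 172.16.1.35.2087 > 203.0.113.9.60199: UDP, length 292
\t0x0000:  4500 0140 49d9 0000 8011 5870 ac10 0123  E..@I.....Xp...#
12:46:10.000001 IP 172.16.1.35.53211 > 172.16.1.1.53: UDP, length 45
"""

HDR = re.compile(r'^(\d\d:\d\d:\d\d\.\d+) IP (\S+?)\.(\d+) > (\S+?)\.(\d+): UDP, length (\d+)$')
HEX = re.compile(r'^\s*0x0000:\s+((?:[0-9a-f]{4} ){7}[0-9a-f]{4})')

def parse(text):
    """Turn tcpdump lines into records; the 0x0000 dump line supplies the IPv4
    total-length field (bytes 2-3) and protocol (byte 9) when present."""
    recs = []
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            recs.append({'ts': m[1], 'src': m[2], 'sport': int(m[3]), 'dst': m[4],
                         'dport': int(m[5]), 'plen': int(m[6]), 'ip_len': None, 'proto': None})
            continue
        m = HEX.match(line)
        if m and recs and recs[-1]['ip_len'] is None:
            raw = bytes.fromhex(m[1].replace(' ', ''))
            recs[-1]['ip_len'] = int.from_bytes(raw[2:4], 'big')
            recs[-1]['proto'] = raw[9]
    return recs

def consistent(rec):
    """Header sanity: protocol 17 (UDP) and total length == 20 + 8 + payload."""
    return rec['ip_len'] is None or (rec['proto'] == 17 and rec['ip_len'] == 28 + rec['plen'])

def find_fixed_size_fanout(recs, size=292, min_remotes=3):
    """Flag (src, sport) pairs that send only `size`-byte datagrams to >= min_remotes hosts."""
    by_src = defaultdict(list)
    for r in recs:
        by_src[(r['src'], r['sport'])].append(r)
    hits = {}
    for key, rs in by_src.items():
        remotes = {r['dst'] for r in rs}
        if all(r['plen'] == size for r in rs) and len(remotes) >= min_remotes:
            hits[key] = sorted(remotes)
    return hits
```

Run against a real `tcpdump -nn -X udp` capture, the flagged keys give the (host, source port) pairs worth pulling a full pcap for, as Matt asks.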