Be on the Lookout: Odd DNS Traffic, Possible C&C Traffic
We got an email from one of our readers, including an interesting port 53 packet. While Wireshark and TCPDump try to decode it as DNS, it is almost certainly not DNS.
The payload of the packet is (I obfuscated the country the user is located in):
oracle:1c6F65E41DFC:www.kmplayer.com:192.168.1.2:[country of system]:SYSTEM:Windows XP:V139
The user does not have KMPlayer or Oracle installed in his network. This looks very much like some form of command and control traffic. At this point, we do not have any malware associated with it.
Here is how tcpdump decoded the packets (again, anonymized):
$ tcpdump -r strange-udp.pcapng -nAt
reading from file strange-udp.pcapng, link-type EN10MB (Ethernet)
IP a.b.c.d.20510 > w.x.y.z.53: 28530 updateM+ [b2&3=0x6163] [14897a] [27749q] [25398n] [17974au][|domain]
oracle:1c6F65E41DFC:www.kmplayer.com:192.168.1.2:[country]:SYSTEM:Windows XP:V139.
IP a.b.c.d.11185 > w.x.y.z.53: 28530 updateM+ [b2&3=0x6163] [14896a] [27749q] [12337n] [17988au][|domain]
oracle:001FD0309751:www.kmplayer.com:192.168.1.102:doubleup-xp:SYSTEM:Windows XP:V139
The source was an RFC 1918 address in this case, and the target was close to the user's IP address, which is why both are anonymized here. I also removed the non printable part of the payload to make it fit the screen.
I installed KMPlayer on a virtual system and didn't see any traffic like this.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Application Security: Securing Web Apps, APIs, and Microservices | Washington | Dec 13th - Dec 18th 2024 |
Comments
Other users seeing similar issues:
http://www.isitdownrightnow.com/salesforce.com.html#commentstop
Anonymous
Apr 30th 2014
1 decade ago
a.b.c.d.51892 > x.y.z.nnn.53: 18245 updateD [b2&3=0x5420] [18516a] [12064q] [21584n] [12081au][|domain]
E..9.1....R..MO".p.....5.%..GET / HTTP/1.1
Host: www
----
JS
Anonymous
May 3rd 2014
1 decade ago
-KL
Anonymous
May 4th 2014
1 decade ago
I am seeing traffic similar to JS
Example:
a.b.c.d.39592 > x.y.z.nnn.domain: [no cksum] 18245 updateD [b2&3=0x5420] [18516a] [12064q] [21584n] [12081au][|domain] (ttl 243, id 54321, len 57)
0000: 4500 0039 d431 0000 f311 0350 daf1 62c6 E..9.1.....P..b.
0010: 3f87 72f3 9aa8 0035 0025 0000 4745 5420 ?.r....5.%..GET
0020: 2f20 4854 5450 2f31 2e31 0d0a 486f 7374 / HTTP/1.1..Host
0030: 3a20 7777 770d 0a0d 0a : www....
----
MB
Anonymous
Jun 18th 2014
1 decade ago
Anonymous
Jun 18th 2014
1 decade ago
Multiple hosts are receiving this traffic.
--
MB
Anonymous
Jun 18th 2014
1 decade ago
Note the updateM+ string in the destination
source
--------------------
from scapy.all import *
a = IP(src="1.1.1.1",dst="2.2.2.2")
u = UDP(dport=514)
pay = "anything goes here is gets mangled"
packet = a/u/pay
packet.display()
send(packet)
destination
--------------------
[user@2.2.2.2 ~]$ sud/usr/sbin/tcpdump port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:27:25.437689 IP 1.1.1.1.domain > 2.2.2.2.syslog: 16757 updateM+ [b2&3=0x6720] [12592a] [12576q] [14896n] [12346au][|domain]
Anonymous
Sep 24th 2015
9 years ago