Our reader Warren informed us that his office in China was infected by a rather nasty piece of malware. It flooded the network with UDP traffic on port 80 and was not recognized by any anti-virus tool. A single infected host sent 100 UDP packets / second.
Couple more hints that may help you identify this threat:
- The UDP port 80 traffic was directed at 22.214.171.124.
- The file name used by the malware is p2psvr.exe (sorry, the binary was not preserved in the cleanup :-( ).
- the machine was also infected with PR_LOOKED.lF (according to Trend Micro).
I assume that the malware attempts to sneak past lazy firewall rules that allow port 80 tcp and udp outbound. The target does not appear to be a "special" host, but a DDoS is possible as a motive for the UDP traffic.
Reminder: if you come across odd infections like that, please preserve the malware for analysis.
I will be teaching next: Intrusion Detection In-Depth - SANS London September 2019
Dec 1st 2006
1 decade ago