Port 80 UDP Malware
Our reader Warren informed us that his office in China was infected by a rather nasty piece of malware. It flooded the network with UDP traffic on port 80 and was not recognized by any anti-virus tool. A single infected host sent 100 UDP packets / second.

A couple more hints that may help you identify this threat:

- The UDP port 80 traffic was directed at 222.208.183.72.
- The file name used by the malware is p2psvr.exe (sorry, the binary was not preserved in the cleanup :-( ).
- The machine was also infected with PR_LOOKED.lF (according to Trend Micro).

I assume that the malware attempts to sneak past lazy firewall rules that allow port 80 TCP and UDP outbound. The target does not appear to be a "special" host, but a DDoS is possible as a motive for the UDP traffic.

Reminder: if you come across odd infections like that, please preserve the malware for analysis.


Johannes
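The behaviour described in this diary (one internal host pushing on the order of 100 UDP packets per second at port 80 of a single external address) is easy to pick out of flow or firewall logs once you look for it. The script below is an added example written for this page, not code published by the ISC handlers or by the reader who reported the infection. It parses constructed log lines in an assumed "timestamp src dst proto dport" layout, counts UDP/80 packets per source per one-second bucket, and flags sources whose peak rate crosses a threshold with nearly all of that traffic aimed at one destination. The threshold values, the 10.1.2.x addresses and the benign traffic mixed into the sample are assumptions; the destination 222.208.183.72 and the 100 pps rate are the figures from the diary.

```python
"""Flag hosts generating a sustained UDP/80 flood toward a single destination.

Added example, not from the ISC diary. Input lines are assumed to look like
"<epoch_ts> <src_ip> <dst_ip> <proto> <dport>", roughly what a NetFlow or
firewall log exporter might produce. Thresholds are assumptions.
"""
from collections import Counter, defaultdict


def parse_line(line):
    """Parse one 'ts src dst proto dport' record; return None for comments
    or malformed lines so a dirty log does not abort the scan."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, proto, dport = parts
    try:
        return float(ts), src, dst, proto.lower(), int(dport)
    except ValueError:
        return None


def udp80_flood_sources(lines, pps_threshold=50, dominance=0.9):
    """Return {src: {"dst": top_destination, "peak_pps": n}} for every source
    whose UDP/80 packet count in some one-second bucket reaches
    pps_threshold, with at least `dominance` of those packets going to one
    destination (a flood aimed at one target, not scattered scanning)."""
    per_second = defaultdict(Counter)  # (src, second) -> Counter(dst)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, proto, dport = rec
        if proto == "udp" and dport == 80:
            per_second[(src, int(ts))][dst] += 1

    flagged = {}
    for (src, _second), dsts in per_second.items():
        total = sum(dsts.values())
        top_dst, top_n = dsts.most_common(1)[0]
        if total >= pps_threshold and top_n / total >= dominance:
            prev = flagged.get(src)
            # keep the worst one-second bucket seen for this source
            if prev is None or total > prev["peak_pps"]:
                flagged[src] = {"dst": top_dst, "peak_pps": total}
    return flagged


def build_sample_log():
    """Constructed sample log (not a real capture): 100 UDP/80 packets inside
    one second from 10.1.2.3 to 222.208.183.72, the rate and target the
    diary reports, plus benign TCP/80 and UDP/53 traffic from 10.1.2.4.
    All 10.x addresses and the benign flows are made up for the example."""
    base = 1200000000  # arbitrary epoch second
    lines = [f"# constructed sample, not real traffic"]
    lines += [f"{base + i / 100:.2f} 10.1.2.3 222.208.183.72 udp 80"
              for i in range(100)]
    lines += [f"{base + i:.2f} 10.1.2.4 93.184.216.34 tcp 80"
              for i in range(3)]
    lines += [f"{base}.50 10.1.2.4 10.1.0.53 udp 53"]
    return lines


if __name__ == "__main__":
    for src, info in udp80_flood_sources(build_sample_log()).items():
        print(f"{src} -> {info['dst']} at {info['peak_pps']} pps on UDP/80")
```

The same logic applies unchanged to real flow exports once the parser is adapted to the exporter's field order. The dominance check is what separates a DDoS-style flood from a noisy scanner: a scanner spreads its packets over many destinations, whereas the traffic in this diary was all aimed at one IP. Because HTTP runs over TCP, a host sourcing UDP/80 at this rate has no ordinary explanation, which is also the argument for not writing the "lazy" outbound rule the diary mentions in the first place.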
