A Packet a Day

Published: 2010-09-16
Last Updated: 2010-09-16 16:51:30 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

Not traveling this week, I had a bit of extra time and decided to put up a couple of "packet challenges". If you are following me on Twitter, you may have already seen them. If not... here they are:

First one (with solution): http://johannes.homepc.org/packet1.txt

The second one (posted yesterday): http://johannes.homepc.org/packet.txt (I think I only got one decent answer for it so far, so I will keep it up a bit longer...)

A third one will be posted later today. And BTW... got packets? We always like good and interesting packets.

Update: just made the new challenge live, again at http://johannes.homepc.org/packet.txt

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: packets


I think I found an error in the packet1 text.

It has 0010 hex as the DNS Flags

flags: 0010

Query / Response flag: 0 - it's a query
Opcode: 0 - standard query (4 bits)
Authoritative answer: no... it's a query
Truncation flag: no... it's a query
Recursion Desired: yes!
Zero: 3 bits.. always zero
Response Code: 0 ... no error

The above write-up of the flags indicates that flags should be 0100.
They have bit five set, which should always be a zero.
They have Recursion desired: yes. This would be bit nine, not bit five.
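The disagreement above comes down to which bit of the 16-bit DNS flags word each subfield occupies. The following decoder is an added example (not part of the diary or the comment) that splits the flags word into its RFC 1035 fields and parses a constructed 12-byte DNS header; the sample header bytes are made up for illustration. Run against 0x0100 it reports RD set, while 0x0010 lands in the reserved Z bits, which is the point the commenter makes.

```python
import struct

# Byte layout of the fixed 12-byte DNS header (RFC 1035 section 4.1.1), big-endian.
DNS_HEADER = struct.Struct("!HHHHHH")


def parse_dns_flags(flags: int) -> dict:
    """Split the 16-bit flags word into its subfields.

    Bit positions count from the most significant bit (bit 15) down:
      QR(15) OPCODE(14..11) AA(10) TC(9) RD(8) RA(7) Z(6..4) RCODE(3..0)
    RFC 1035 reserves the three Z bits as zero; later RFCs repurpose
    two of them (AD, CD), but a plain query should still have them clear.
    """
    return {
        "qr": (flags >> 15) & 0x1,
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 0x1,
        "tc": (flags >> 9) & 0x1,
        "rd": (flags >> 8) & 0x1,
        "ra": (flags >> 7) & 0x1,
        "z": (flags >> 4) & 0x7,
        "rcode": flags & 0xF,
    }


def build_dns_flags(qr=0, opcode=0, aa=0, tc=0, rd=0, ra=0, z=0, rcode=0) -> int:
    """Inverse of parse_dns_flags: assemble a flags word from its fields."""
    return (
        (qr & 0x1) << 15
        | (opcode & 0xF) << 11
        | (aa & 0x1) << 10
        | (tc & 0x1) << 9
        | (rd & 0x1) << 8
        | (ra & 0x1) << 7
        | (z & 0x7) << 4
        | (rcode & 0xF)
    )


def parse_dns_header(data: bytes) -> dict:
    """Unpack the fixed header and merge the decoded flags into the result."""
    ident, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(data)
    fields = parse_dns_flags(flags)
    fields.update(id=ident, flags=flags, qdcount=qd, ancount=an,
                  nscount=ns, arcount=ar)
    return fields


def is_plain_standard_query(flags: int) -> bool:
    """True for a textbook recursive query: QR=0, OPCODE=0, Z bits clear."""
    f = parse_dns_flags(flags)
    return f["qr"] == 0 and f["opcode"] == 0 and f["z"] == 0 and f["rcode"] == 0


# Constructed sample header: id 0x1234, flags 0x0100 (RD set), one question.
SAMPLE_QUERY_HEADER = bytes.fromhex("1234 0100 0001 0000 0000 0000")

if __name__ == "__main__":
    for word in (0x0100, 0x0010):
        print(f"flags=0x{word:04x} -> {parse_dns_flags(word)}")
    print(parse_dns_header(SAMPLE_QUERY_HEADER))
```

The decoder numbers bits from the most significant end, as the RFC diagram does; the commenter counts from the least significant end starting at one, which is why RD is "bit nine" there and bit 8 here. Both describe the same position, 0x0100.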

Answer to second packet:

FileName: mail.exe
size: 28864
md5 (05e3c1f54e95f13921e9dd0ace5a2a4e)

This appears to be MyDoom malware UPX packet being spread/sent via email.

The Snort signature triggered incorrectly in this case because it triggered on the BASE64 string AAAAAAAAAA not an actual OP inc ecx NOOP call.

Quick analysis:
Creates reg entry under HKU\...\Microsoft\Daemon

Creates the following files:

Creates a services.exe thread
Tries to connect out to
Tries to connect out to
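The false positive the commenter describes is worth seeing concretely: base64 renders runs of zero bytes (common padding in executables) as runs of the letter "A", and 0x41 is the x86 `inc ecx` opcode that old NOP-sled signatures look for. The snippet below is an added example, not the commenter's analysis or a Snort rule; the attachment bytes are constructed, and `NOOP_RUN` merely imitates the shape of such a signature. It contrasts matching on the raw base64 text with matching on the decoded payload, which is the usual way to keep this class of rule from firing on encoded mail.

```python
import base64
import re

# Constructed attachment: an "MZ" header followed by zero padding, the kind of
# content that base64 turns into a long run of 'A' characters.
SAMPLE_ATTACHMENT_B64 = base64.b64encode(b"MZ" + b"\x00" * 30 + b"PE\x00\x00").decode()

# Stand-in for a NOP-sled style signature: ten or more consecutive 0x41 bytes.
NOOP_RUN = re.compile(rb"A{10,}")


def naive_match(raw: bytes) -> bool:
    """Apply the signature to the bytes on the wire, base64 text included."""
    return NOOP_RUN.search(raw) is not None


def longest_a_run(raw: bytes) -> int:
    """Length of the longest 'A' run, to show how far over threshold it is."""
    return max((len(m.group(0)) for m in re.finditer(rb"A+", raw)), default=0)


def decoded_match(b64_text: str) -> bool:
    """Apply the same signature after base64 decoding the MIME part."""
    return NOOP_RUN.search(base64.b64decode(b64_text)) is not None


def decoded_prefix(b64_text: str) -> bytes:
    """First two decoded bytes, to confirm what the payload really starts with."""
    return base64.b64decode(b64_text)[:2]


if __name__ == "__main__":
    wire = SAMPLE_ATTACHMENT_B64.encode()
    print("encoded :", SAMPLE_ATTACHMENT_B64)
    print("longest A run in encoded text:", longest_a_run(wire))
    print("naive match on wire bytes   :", naive_match(wire))
    print("match on decoded payload    :", decoded_match(SAMPLE_ATTACHMENT_B64))
```

The encoded text carries a 39-character "A" run and trips the naive check, while the decoded bytes contain no 0x41 at all. Matching after decoding is what makes the alert reflect the file rather than its transfer encoding.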
