Our reader Warren informed us that his office in China was infected by a rather nasty piece of malware. It flooded the network with UDP traffic on port 80 and was not recognized by any anti-virus tool. A single infected host sent 100 UDP packets / second.
A couple more hints that may help you identify this threat:
- The UDP port 80 traffic was directed at 222.208.183.72.
- The file name used by the malware is p2psvr.exe (sorry, the binary was not preserved in the cleanup :-( ).
- The machine was also infected with PR_LOOKED.lF (according to Trend Micro).

I assume that the malware attempts to sneak past lazy firewall rules that allow port 80 tcp and udp outbound. The target does not appear to be a "special" host, but a DDoS is possible as a motive for the UDP traffic.

Reminder: if you come across odd infections like that, please preserve the malware for analysis.
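Spotting this behaviour on the network side, as an added example that is not from the diary: a small Python rate check over constructed flow records (timestamp, source, destination, protocol, destination port) that flags any internal host sending more than a threshold of UDP/80 packets per second to one destination, which is what an egress rule that simply allows "port 80" would otherwise let through. The record format, the internal addresses, the benign traffic and the threshold are assumptions; only the destination 222.208.183.72 and the 100 packets/second rate come from the diary.

```python
from collections import defaultdict


def build_sample_records():
    """Constructed flow records: (epoch_seconds, src_ip, dst_ip, proto, dst_port).

    10.0.0.5 mimics the infected host from the diary: 100 UDP packets per second
    to port 80 at 222.208.183.72 for three seconds. 10.0.0.7 is ordinary traffic
    (TCP/80 web requests and UDP/53 DNS) and must not be flagged.
    """
    recs = []
    for sec in range(3):
        for i in range(100):
            recs.append((1000.0 + sec + i / 100.0, "10.0.0.5",
                         "222.208.183.72", "udp", 80))
    for sec in range(3):
        recs.append((1000.0 + sec, "10.0.0.7", "203.0.113.10", "tcp", 80))
        recs.append((1000.0 + sec + 0.5, "10.0.0.7", "10.0.0.1", "udp", 53))
    return recs


def find_udp80_flooders(records, threshold_pps=50):
    """Return {src: (dst, peak_pps)} for sources whose UDP/80 packet rate to a
    single destination exceeds threshold_pps in any one-second bucket.

    Counting per (src, dst, second) keeps a host that talks UDP/80 to many
    different peers at a low rate (e.g. QUIC-style traffic) below the bar, while
    a flood aimed at one address trips it immediately.
    """
    counts = defaultdict(int)  # (src, dst, bucket_second) -> packet count
    for ts, src, dst, proto, dport in records:
        if proto == "udp" and dport == 80:
            counts[(src, dst, int(ts))] += 1

    peaks = {}
    for (src, dst, _bucket), n in counts.items():
        if n > threshold_pps and n > peaks.get(src, ("", 0))[1]:
            peaks[src] = (dst, n)
    return peaks


if __name__ == "__main__":
    for src, (dst, pps) in find_udp80_flooders(build_sample_records()).items():
        print(f"UDP/80 flood: {src} -> {dst} peaked at {pps} packets/s")
```

The same check works on real NetFlow or firewall logs once the tuple extraction is adapted; the one-second bucket and a 50 pps threshold are starting points, not tuned values.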
Johannes, ISC Handler, Dec 1st 2006