A Packet a Day

Published: 2010-09-16
Last Updated: 2010-09-16 16:51:30 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

Not traveling this week, I got a bit extra time and decided to put up a couple "packet challenges". If you are following me on twitter, you may have already seen them. If not... here they are:

First one (with solution): http://johannes.homepc.org/packet1.txt

The second one (posted yesterday): http://johannes.homepc.org/packet.txt (I think I only got one decent answer for it so far, so I will keep it up a bit longer...)

A third one will be posted later today. And BTW... got packets? We always like good and interesting packets.

update: just made the new challenge live. again at http://johannes.homepc.org/packet.txt

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: packets
2 comment(s)

Comments

I think I found an error in the packet1 text.

It has 0010 hex as the DNS Flags

flags: 0010

Query / Response flag: 0 - it's a query
Opcode: 0 - standard query (4 bits)
Authoritative answer: no... its a query
Truncation flag: no... its a query
Recursion Desired: yes!
Zero: 3 bits.. always zero
Response Code: 0 ... no error

The above write up of the flags indicates that flags should be 0100.
They have bit five set which should always be a zero.
They have Recursion desired: yes This would be bit nine, not bit five.

r\
Answer to second packet:

FileName: mail.exe
size: 28864
md5 (05e3c1f54e95f13921e9dd0ace5a2a4e)

This appears to be MyDoom malware UPX packet being spread/sent via email.

The Snort signature triggered incorrectly in this case because it triggered on the BASE64 string AAAAAAAAAA not an actual OP inc ecx NOOP call.

Quick analysis:
Creates reg entry under ​HKU\...\Microsoft\Daemon

Creates the following files:
C:\DOCUME~1\unbreakable~1\LOCALS~1\Temp\zincite.log
C:\WINDOWS\java.exe
C:\WINDOWS\services.exe

Creates a services.exe thread
Tries to connect out to 16.51.193.226
Tries to connect out to 123.237.130.119

Diary Archives