Home page logo
/

basics logo Security Basics mailing list archives

Re: Zombie / Botnet?
From: Trojacek <trojacek () gmail com>
Date: Tue, 10 Nov 2009 20:05:15 +0000

This reminds me of a few rather hilarious scenarios I recall from
several years ago. Well, hilarious from my point of view at that time.

I was performing an audit at that time and was informed by some of the
sys admins that AV would take care of whatever spyware problems, etc.
they would have. Tried to convince them otherwise. Went out to the
field and it was current definitions with happy fun fun spyware/worms
as you indicate below. I guess the great wall of China does not always
keep the Hun army out.

What is even more fun is to connect a vulnerable computer to the
Internet through a slower modem connection. It is fun to watch the
"slow motion" infection occur real time.





On Tue, Nov 10, 2009 at 5:49 PM, Jay Vlavianos
<jvlavianos () ecastnetwork com> wrote:
McAfee is, by no means, a silver bullet. There are various attacks on
the AV product itself that can mask infection and there are other
methods of zombification that are not detected via AV.

Disable system restore points and reboot to a bootable cd with
malware / AV scanning to verify.

Massive UDP could be an RTP broadcast but it would not be directed at
root servers so your initial thoughts of a ddos are probably correct.

-Jay

On Nov 10, 2009, at 9:36 AM, "Tony Raboza" <tonyraboza () gmail com> wrote:

Hi,

One of our workstations is broadcasting a huge amount of UDP traffic
(around 5Mbps) and I'm thinking it could be a zombied computer doing
DDOS as directed by its controller.  But the weird thing is - it has
an updated McAfee AV with HIPS ??  Why was this not detected - or
could I be reading this wrong?  Here's a portion of the tcpdump:

14:00:20.509030 IP 192.168.10.10.smpppd > i.root-servers.net.hpstgmgr:
UDP, length 1000
14:00:20.519512 IP 192.168.10.10.iiw-port > 77.91.227.67.4744: UDP,
length 1000
14:00:20.520580 IP 192.168.10.10.odi-port > a.root-servers.net.4496:
UDP, length 1000
14:00:20.521733 IP 192.168.10.10.brcm-comm-port >
b.root-servers.net.4710: UDP, length 1000
14:00:20.523076 IP 192.168.10.10.pcle-infex > c.root-servers.net.826:
UDP, length 1000
14:00:20.524186 IP 192.168.10.10.csvr-proxy > d.root-servers.net.3997:
UDP, length 1000
14:00:20.525251 IP 192.168.10.10.csvr-sslproxy >
E.ROOT-SERVERS.NET.funk-license: UDP, length 1000
14:00:20.526385 IP 192.168.10.10.firemonrcc >
f.root-servers.net.sonuscallsig: UDP, length 1000
14:00:20.527798 IP 192.168.10.10.spandataport >
G.ROOT-SERVERS.NET.4130: UDP, length 1000
14:00:20.528794 IP 192.168.10.10.magbind > h.root-servers.net.atmtcp:
UDP, length 1000
14:00:20.529947 IP 192.168.10.10.ncu-1 >
i.root-servers.net.direcpc-dll: UDP, length 1000
14:00:20.537027 IP 192.168.10.10.ncu-2 > 77.91.227.67.audit-transfer:
UDP, length 1000
14:00:20.538422 IP 192.168.10.10.embrace-dp-s >
77.91.227.67.bluelance: UDP, length 1000
14:00:20.538712 IP 192.168.10.10.embrace-dp-c >
a.root-servers.net.embrace-dp-s: UDP, length 1000
14:00:20.540010 IP 192.168.10.10.dmod-workspace >
b.root-servers.net.bvcontrol: UDP, length 1000
14:00:20.540208 IP 192.168.10.10.tick-port > a.root-servers.net.925:
UDP, length 1000
14:00:20.541412 IP 192.168.10.10.cpq-tasksmart >
b.root-servers.net.bnt-manager: UDP, length 1000
14:00:20.541756 IP 192.168.10.10.intraintra > c.root-servers.net.864:
UDP, length 1000
14:00:20.542941 IP 192.168.10.10.netwatcher-mon >
c.root-servers.net.sbi-agent: UDP, length 1000
14:00:20.544113 IP 192.168.10.10.netwatcher-db >
d.root-servers.net.4467: UDP, length 1000
14:00:20.544400 IP 192.168.10.10.isns > d.root-servers.net.4245: UDP,
length 1000
14:00:20.545444 IP 192.168.10.10.ironmail > E.ROOT-SERVERS.NET.2374:
UDP, length 1000


==

Its sending UDP traffic to the root nameservers ....

Any ideas?
Thanks.


Best,
Tony

---
---------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs
an SSL certificate.  We look at how SSL works, how it benefits your
company and how your customers can tell if a site is secure. You
will find out how to test, purchase, install and use a thawte
Digital Certificate on your Apache web server. Throughout, best
practices for set-up are highlighted to help you ensure efficient
ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
---
---------------------------------------------------------------------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------



------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]