A Packet a Day
Not traveling this week, I got a bit extra time and decided to put up a couple "packet challenges". If you are following me on twitter, you may have already seen them. If not... here they are:
First one (with solution): http://johannes.homepc.org/packet1.txt
The second one (posted yesterday): http://johannes.homepc.org/packet.txt (I think I only got one decent answer for it so far, so I will keep it up a bit longer...)
A third one will be posted later today. And BTW... got packets? We always like good and interesting packets.
update: just made the new challenge live. again at http://johannes.homepc.org/packet.txt
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Keywords: packets
2 comment(s)
My next class:
Application Security: Securing Web Apps, APIs, and Microservices | Online | US Eastern | Jan 27th - Feb 1st 2025 |
×
Diary Archives
Comments
It has 0010 hex as the DNS Flags
flags: 0010
Query / Response flag: 0 - it's a query
Opcode: 0 - standard query (4 bits)
Authoritative answer: no... its a query
Truncation flag: no... its a query
Recursion Desired: yes!
Zero: 3 bits.. always zero
Response Code: 0 ... no error
The above write up of the flags indicates that flags should be 0100.
They have bit five set which should always be a zero.
They have Recursion desired: yes This would be bit nine, not bit five.
r\
RogueET
Sep 16th 2010
1 decade ago
FileName: mail.exe
size: 28864
md5 (05e3c1f54e95f13921e9dd0ace5a2a4e)
This appears to be MyDoom malware UPX packet being spread/sent via email.
The Snort signature triggered incorrectly in this case because it triggered on the BASE64 string AAAAAAAAAA not an actual OP inc ecx NOOP call.
Quick analysis:
Creates reg entry under ​HKU\...\Microsoft\Daemon
Creates the following files:
C:\DOCUME~1\unbreakable~1\LOCALS~1\Temp\zincite.log
C:\WINDOWS\java.exe
C:\WINDOWS\services.exe
Creates a services.exe thread
Tries to connect out to 16.51.193.226
Tries to connect out to 123.237.130.119
RSC
Sep 18th 2010
1 decade ago