Be on the Lookout: Odd DNS Traffic, Possible C&C Traffic

Published: 2014-04-30
Last Updated: 2014-04-30 01:06:09 UTC
by Johannes Ullrich (Version: 1)
7 comment(s)

We got an email from one of our readers, including an interesting port 53 packet. While Wireshark and TCPDump try to decode it as DNS, it is almost certainly not DNS. 

The payload of the packet is (I obfuscated the country the user is located in):

oracle:1c6F65E41DFC:www.kmplayer.com:192.168.1.2:[country of system]:SYSTEM:Windows XP:V139

The user does not have KMPlayer or Oracle installed in his network. This looks very much like some form of command and control traffic. At this point, we do not have any malware associated with it.

Here is how tcpdump decoded the packets (again, anonymized): 

$ tcpdump -r strange-udp.pcapng -nAt
reading from file strange-udp.pcapng, link-type EN10MB (Ethernet)
IP a.b.c.d.20510 > w.x.y.z.53: 28530 updateM+ [b2&3=0x6163] [14897a] [27749q] [25398n] [17974au][|domain]
oracle:1c6F65E41DFC:www.kmplayer.com:192.168.1.2:[country]:SYSTEM:Windows XP:V139.
IP a.b.c.d.11185 > w.x.y.z.53: 28530 updateM+ [b2&3=0x6163] [14896a] [27749q] [12337n] [17988au][|domain]
oracle:001FD0309751:www.kmplayer.com:192.168.1.102:doubleup-xp:SYSTEM:Windows XP:V139

The source was an RFC 1918 address in this case, and the target was close to the user's IP address, which is why both are anonymized here. I also removed the non-printable part of the payload to make it fit the screen.

I installed KMPlayer on a virtual system and didn't see any traffic like this. 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
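As an added example (not code from the diary, from tcpdump or from any tool the page mentions), the Python below reads the first 12 bytes of a UDP/53 payload the way a DNS decoder does and reproduces the request summary tcpdump prints, which shows why "oracle:1c6F6" comes out as "28530 updateM+ [b2&3=0x6163] ..." and "GET / HTTP/1" as "18245 updateD [b2&3=0x5420] ...". It then applies a structural plausibility check that arbitrary text on port 53 fails while a real query passes, and splits the colon-separated beacon into fields. The sample payloads are constructed from the values quoted on this page; the beacon field names, and reading the 12 hex characters as a MAC address, are my assumptions rather than a documented format.

```python
import ipaddress
import re
import struct

# tcpdump's opcode labels for DNS requests (the ns_ops table in print-domain.c).
NS_OPS = ["", " inv_q", " stat", " op3", " notify", " update", " op6", " op7",
          " op8", " updataA", " updateD", " updateDA", " updateM", " updateMA",
          " updateMD", " updateMDA"]

# Constructed samples built from the payloads quoted in the diary and comments.
ORACLE_PAYLOAD = b"oracle:1c6F65E41DFC:www.kmplayer.com:192.168.1.2:[country]:SYSTEM:Windows XP:V139"
HTTP_PAYLOAD = b"GET / HTTP/1.1\r\nHost: www\r\n\r\n"


def build_query(name, qid=0x1234):
    """Constructed baseline: a minimal standard A query (RD set) for `name`."""
    labels = b"".join(bytes([len(part)]) + part.encode() for part in name.split("."))
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def tcpdump_summary(payload):
    """Reproduce the request summary tcpdump prints for a UDP/53 payload.

    The 12-byte header is taken from whatever bytes are there: "or" becomes the ID,
    "ac" the flags word (opcode 12 = updateM, RD set -> "+"), and the next four
    2-byte words become the section counts.
    """
    if len(payload) < 12:
        return None
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    out = "%d%s" % (qid, NS_OPS[opcode])
    if flags & 0x0100:        # RD bit
        out += "+"
    if flags & 0x0010:        # CD bit
        out += "%"
    if flags & 0x06CF:        # bits tcpdump flags as unusual in a request
        out += " [b2&3=0x%x]" % flags
    if an:
        out += " [%da]" % an
    if qd != 1:
        out += " [%dq]" % qd
    if ns:
        out += " [%dn]" % ns
    if ar:
        out += " [%dau]" % ar
    return out


def looks_like_dns(payload):
    """Structural plausibility check: valid opcode, Z bit clear, sane counts, parseable question."""
    if len(payload) < 12:
        return False
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    if opcode not in (0, 1, 2, 4, 5):        # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
        return False
    if flags & 0x0040:                        # reserved Z bit must be zero
        return False
    if qd > 8 or an + ns + ar > 256:          # counts far beyond anything a resolver sends
        return False
    pos = 12
    for _ in range(qd):                       # walk each question name label by label
        name_len = 0
        while True:
            if pos >= len(payload):
                return False
            length = payload[pos]
            pos += 1
            if length == 0:
                break
            if length & 0xC0 or length > 63:  # no compression pointers or oversized labels here
                return False
            name_len += length + 1
            if name_len > 255:
                return False
            pos += length
        if pos + 4 > len(payload):
            return False
        qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
        if qclass not in (1, 3, 4, 254, 255):  # IN, CH, HS, NONE, ANY
            return False
        pos += 4
    return True


def parse_beacon(payload):
    """Split the colon-delimited beacon into fields (names are assumed from the sample values)."""
    parts = payload.decode("ascii", "replace").split(":")
    if len(parts) != 8:
        return None
    tag, ident, domain, ip, host_or_location, user, os_name, version = parts
    try:
        private = ipaddress.ip_address(ip).is_private
    except ValueError:
        private = False
    return {
        "tag": tag, "id": ident, "domain": domain, "ip": ip,
        "host_or_location": host_or_location, "user": user,
        "os": os_name, "version": version,
        "id_looks_like_mac": bool(re.fullmatch(r"[0-9A-Fa-f]{12}", ident)),
        "ip_is_private": private,
    }
```

Running `tcpdump_summary` over the two constructed payloads gives exactly the prefixes quoted above, and `looks_like_dns` rejects both while accepting `build_query("www.kmplayer.com")`; a capture filter of "udp port 53" plus this check is a cheap way to surface non-DNS payloads on port 53 before deciding whether they are tunnelling, a broken tool, or a beacon.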

Keywords: cc dns

Comments

We are having odd DNS issues - cannot reach some web sites: salesforce.com and travelocity.com are failing to resolve, and we are getting paged about some of our own domain's external DNS not resolving. Both we and Salesforce are hosted at UltraDNS.

Other users seeing similar issues:
http://www.isitdownrightnow.com/salesforce.com.html#commentstop
After capturing just a couple of minutes, there are several packets to a number of IPs with content similar to those in the original post:

a.b.c.d.51892 > x.y.z.nnn.53: 18245 updateD [b2&3=0x5420] [18516a] [12064q] [21584n] [12081au][|domain]
E..9.1....R..MO".p.....5.%..GET / HTTP/1.1
Host: www

----
JS
That's interesting JS. It looks different from what Dr J had posted. HTTP on port 53 fits into the "suspicious" category. Would you be willing to send in a pcap to us via the contact form?

-KL
Has more of this traffic been seen?

I am seeing traffic similar to JS

Example:
a.b.c.d.39592 > x.y.z.nnn.domain: [no cksum] 18245 updateD [b2&3=0x5420] [18516a] [12064q] [21584n] [12081au][|domain] (ttl 243, id 54321, len 57)
0000: 4500 0039 d431 0000 f311 0350 daf1 62c6 E..9.1.....P..b.
0010: 3f87 72f3 9aa8 0035 0025 0000 4745 5420 ?.r....5.%..GET
0020: 2f20 4854 5450 2f31 2e31 0d0a 486f 7374 / HTTP/1.1..Host
0030: 3a20 7777 770d 0a0d 0a : www....

----
MB
Do you have more than one packet of this traffic? I can think of two explanations: tunneling HTTP over DNS, in which case we should see the full request in subsequent packets, or it is a broken tool that does a DNS lookup on the header vs. just the host name.
I have multiple packets but never more than that one to a single host.
Multiple hosts are receiving this traffic.

--
MB
This traffic is almost certainly from someone using a tool built on Python's scapy module.

Note the updateM+ string in the destination

source
--------------------
from scapy.all import *                 # scapy packet-crafting API
a = IP(src="1.1.1.1",dst="2.2.2.2")     # IP layer with spoofed source
u = UDP(dport=514)                      # scapy's UDP() defaults sport to 53, hence "domain" in the capture below
pay = "anything goes here is gets mangled"   # arbitrary raw payload
packet = a/u/pay                        # stack IP / UDP / payload
packet.display()                        # dump the assembled packet
send(packet)                            # send at layer 3


destination
--------------------
[user@2.2.2.2 ~]$ sudo /usr/sbin/tcpdump port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:27:25.437689 IP 1.1.1.1.domain > 2.2.2.2.syslog: 16757 updateM+ [b2&3=0x6720] [12592a] [12576q] [14896n] [12346au][|domain]
