SSDP Distributed Reflection Denial of Service (DrDoS) Attacks may be biggest threat – Traffic Sample & Snort Rule
SSDP Distributed Reflection Denial of Service attacks are on the rise and may be the biggest DDoS threat right now. SSDP does not offer the largest amplification factor, but it may have the largest pool of vulnerable systems that can be abused as reflectors. Open source reports indicate that there are over 5 million vulnerable systems …
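What a reflection attack looks like from the reflector's side, as an added example that is not part of the original post or its traffic sample: normal SSDP discovery is an M-SEARCH sent to the multicast group 239.255.255.250 on UDP/1900, and a device answers with one HTTP/1.1 200 OK datagram per matching service. A unicast M-SEARCH arriving from outside the monitored network is therefore not discovery; its source address is whoever will receive the replies, i.e. the spoofed victim. The packet records, addresses and payloads below are constructed for the example; the per-victim ratio is simply reply bytes over query bytes.

```python
"""Added example: flag SSDP reflection abuse in a list of UDP packets.

Not part of the original post. Packets, addresses and payloads are
constructed; the only protocol facts relied on are that SSDP discovery is an
M-SEARCH to 239.255.255.250:1900 and that a device answers with one
'HTTP/1.1 200 OK' datagram per matching service.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

SSDP_PORT = 1900
SSDP_MCAST = ipaddress.ip_address("239.255.255.250")

# Constructed payloads. 'ST: ssdp:all' makes a device answer once per service,
# so one small query returns several larger replies: that is the amplification.
SSDP_MSEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                b'MAN: "ssdp:discover"\r\nMX: 1\r\nST: ssdp:all\r\n\r\n')
SSDP_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nEXT:\r\n"
              b"LOCATION: http://192.0.2.10:49152/rootDesc.xml\r\n"
              b"SERVER: Linux/3.x UPnP/1.0 MiniUPnPd/1.8\r\nST: upnp:rootdevice\r\n"
              b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n\r\n")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def is_msearch(p: Packet) -> bool:
    return p.dport == SSDP_PORT and p.payload.startswith(b"M-SEARCH * HTTP/1.1")


def is_ssdp_reply(p: Packet) -> bool:
    return p.sport == SSDP_PORT and p.payload.startswith(b"HTTP/1.1 200 OK")


def find_reflection(packets, local_net: str) -> dict:
    """Reflector-side view: local_net is the network holding the UPnP devices.

    Returns {victim: {reflectors, request_bytes, reply_bytes, ratio}} for every
    source address that sent a unicast M-SEARCH into local_net from outside.
    """
    net = ipaddress.ip_network(local_net)
    victims = defaultdict(lambda: {"reflectors": set(), "request_bytes": 0,
                                   "reply_bytes": 0, "ratio": 0.0})
    for p in packets:
        if not is_msearch(p):
            continue
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        # Multicast discovery from inside the network is normal; a unicast
        # query from outside is a scanner or a spoofed victim address.
        if dst != SSDP_MCAST and dst in net and src not in net:
            victims[p.src]["reflectors"].add(p.dst)
            victims[p.src]["request_bytes"] += len(p.payload)
    for p in packets:
        if is_ssdp_reply(p) and p.dst in victims and p.src in victims[p.dst]["reflectors"]:
            victims[p.dst]["reply_bytes"] += len(p.payload)
    for v in victims.values():
        v["ratio"] = v["reply_bytes"] / v["request_bytes"]
    return dict(victims)


def sample_capture() -> list:
    """Constructed traffic: two spoofed unicast queries plus one legitimate local one."""
    victim, reflectors, lan_host = "198.51.100.7", ["192.0.2.10", "192.0.2.11"], "192.0.2.20"
    pkts = []
    for r in reflectors:
        pkts.append(Packet(victim, 40000, r, SSDP_PORT, SSDP_MSEARCH))       # spoofed source
        pkts += [Packet(r, SSDP_PORT, victim, 40000, SSDP_REPLY) for _ in range(3)]
    pkts.append(Packet(lan_host, 51000, "239.255.255.250", SSDP_PORT, SSDP_MSEARCH))
    pkts.append(Packet(reflectors[0], SSDP_PORT, lan_host, 51000, SSDP_REPLY))
    return pkts


if __name__ == "__main__":
    for victim, v in find_reflection(sample_capture(), "192.0.2.0/24").items():
        print(f"{victim}: {len(v['reflectors'])} reflectors, {v['reply_bytes']} B of replies "
              f"for {v['request_bytes']} B of queries (x{v['ratio']:.1f})")
```

The legitimate multicast query from 192.0.2.20 and the reply it receives are not reported, because the victim list is built only from off-net unicast queries. In a real deployment the Packet records would come from a pcap reader, and the same unicast-from-outside condition is what a Snort rule for this traffic keys on.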
Malware PCAP Traffic Analysis – Can you name the different types of malware?
Be careful: it might not all be malware, since adware, PUPs and innocuous traffic are also in play. Download PCAP: netstream. The VM executables used will be included in the next post.
2016-08-25 20:40:37.831293 IP 192.168.1.102.51776 > 18.104.22.168.80: Flags [P.], seq 0:267, ack 1, win 256, length 267: HTTP: GET /cgi-bin/get_protect.cgi?checking=true&version=gmsd_us_233&forceGEO=US HTTP/1.1
GET /cgi-bin/get_protect.cgi?checking=true&version=gmsd_us_233&forceGEO=US HTTP/1.1
Content-Type: application/x-www-form-urlencoded …
Traffic Sample PCAP of FakeAV Malware and Kazy Trojan Downloader
Two key indicators:
FakeAV POST – POST /hrrgkkwhjdwwwww/order.php?pid=390 (attempting to set up a payment for the FakeAV, with the pid linking to the current session)
Trojan Downloader function – GET /week.exe HTTP/1.1
2015-08-27 11:39:35.045855 ARP, Request who-has 192.168.56.1 tell 192.168.56.10, length 28
2015-08-27 11:39:35.046218 ARP, Reply 192.168.56.1 is-at 0a:00:27:00:00:00, length 46 …
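Both of the traffic samples above are quoted as tcpdump one-line summaries, and the FakeAV write-up names its indicators as request shapes (a POST to order.php carrying a pid, a GET for an .exe). The following is an added example, not code from either post: it parses that summary format, keeps only HTTP request lines, and tags each request with the indicators it matches, leaving everything else untagged so that the adware/PUP/benign traffic from the first sample is not mislabelled. The first sample line is the get_protect.cgi request quoted above; the other lines are constructed to match the indicators and use RFC 5737 addresses.

```python
"""Added example: extract HTTP requests from tcpdump summary lines and tag them.

Not part of the original posts. The indicator rules are the two request
shapes named in the FakeAV write-up; sample lines other than the quoted
get_protect.cgi request are constructed.
"""
import re
from dataclasses import dataclass, field

# tcpdump -tttt summary: "<date> <time> IP <src>.<sport> > <dst>.<dport>: ... : HTTP: <METHOD> <URI> HTTP/1.x"
SUMMARY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r".*?: HTTP: (?P<method>GET|POST) (?P<uri>\S+) HTTP/1\.[01]"
)


@dataclass
class HttpRequest:
    ts: str
    src: str
    dst: str
    dport: int
    method: str
    uri: str
    tags: list = field(default_factory=list)

    @property
    def path(self) -> str:
        return self.uri.split("?", 1)[0]


def _fakeav_payment(r: HttpRequest) -> bool:
    # FakeAV "purchase" call-home: POST .../order.php?pid=<session id>
    return r.method == "POST" and r.path.endswith("/order.php") and "pid=" in r.uri


def _exe_download(r: HttpRequest) -> bool:
    # Downloader stage fetching a PE straight over HTTP
    return r.method == "GET" and r.path.lower().endswith(".exe")


INDICATORS = [("fakeav-payment", _fakeav_payment), ("exe-download", _exe_download)]


def parse_capture(lines) -> list:
    """Return one HttpRequest per HTTP request line; ARP, DNS, responses and
    plain TCP segments do not match and are skipped."""
    reqs = []
    for line in lines:
        m = SUMMARY_RE.match(line)
        if not m:
            continue
        r = HttpRequest(m["ts"], m["src"], m["dst"], int(m["dport"]), m["method"], m["uri"])
        r.tags = [name for name, rule in INDICATORS if rule(r)]
        reqs.append(r)
    return reqs


# Constructed sample: line 1 is the request quoted in the post, the rest are
# made up to match the FakeAV indicators (203.0.113.0/24 is documentation space).
SAMPLE_LINES = [
    "2016-08-25 20:40:37.831293 IP 192.168.1.102.51776 > 18.104.22.168.80: Flags [P.], seq 0:267, ack 1, win 256, length 267: HTTP: GET /cgi-bin/get_protect.cgi?checking=true&version=gmsd_us_233&forceGEO=US HTTP/1.1",
    "2015-08-27 11:39:35.045855 ARP, Request who-has 192.168.56.1 tell 192.168.56.10, length 28",
    "2015-08-27 11:40:02.118847 IP 192.168.56.10.49201 > 203.0.113.45.80: Flags [P.], seq 0:412, ack 1, win 256, length 412: HTTP: POST /hrrgkkwhjdwwwww/order.php?pid=390 HTTP/1.1",
    "2015-08-27 11:40:03.004112 IP 203.0.113.45.80 > 192.168.56.10.49201: Flags [P.], seq 1:312, ack 413, win 64240, length 311: HTTP: HTTP/1.1 200 OK",
    "2015-08-27 11:41:15.552310 IP 192.168.56.10.49203 > 203.0.113.46.80: Flags [P.], seq 0:198, ack 1, win 256, length 198: HTTP: GET /week.exe HTTP/1.1",
]


if __name__ == "__main__":
    for r in parse_capture(SAMPLE_LINES):
        print(f"{r.ts} {r.src} -> {r.dst}:{r.dport} {r.method} {r.uri}  tags={r.tags or '-'}")
```

Feed it `tcpdump -tttt -nn -r sample.pcap 'tcp port 80'` output line by line to run it over a real capture. The get_protect.cgi request comes out untagged on purpose: the first post's point is that not everything in that pcap is malware, and a rule set should only name what it can justify.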