Information Security News
We got an email from one of our readers, including an interesting port 53 packet. While Wireshark and TCPDump try to decode it as DNS, it is almost certainly not DNS.
The payload of the packet is (I obfuscated the country the user is located in):
oracle:1c6F65E41DFC:www.kmplayer.com:192.168.1.2:[country of system]:SYSTEM:Windows XP:V139
The user does not have KMPlayer or Oracle installed in his network. This looks very much like some form of command and control traffic. At this point, we do not have any malware associated with it.
Here is how tcpdump decoded the packets (again, anonymized):
$ tcpdump -r strange-udp.pcapng -nAt
reading from file strange-udp.pcapng, link-type EN10MB (Ethernet)
IP a.b.c.d.20510 > w.x.y.z.53: 28530 updateM+ [b2&3=0x6163] [14897a] [27749q] [25398n] [17974au][|domain]
IP a.b.c.d.11185 > w.x.y.z.53: 28530 updateM+ [b2&3=0x6163] [14896a] [27749q] [12337n] [17988au][|domain]
The source was an RFC 1918 address in this case, and the target was close to the user's own IP address, which is why both are anonymized here. I also removed the non-printable part of the payload to make it fit the screen.
I installed KMPlayer on a virtual system and didn't see any traffic like this.
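As an added example, not part of the diary, the following Python decodes the quoted payload as a DNS header to show where tcpdump's odd numbers come from (the id 28530 is just the bytes "or", the flags 0x6163 are "ac", and the opcode 12 is what tcpdump labels "updateM"), then applies a few plausibility checks a defender could run over UDP/53 payloads to separate real DNS from text beacons like this one. The sample payload is constructed from the printable text above with the anonymized country field replaced by the placeholder "XX"; the comparison query is also constructed.

```python
import string
import struct

# Constructed from the printable payload quoted in the diary; the anonymized
# country field is replaced with the placeholder "XX".
SAMPLE_PAYLOAD = b"oracle:1c6F65E41DFC:www.kmplayer.com:192.168.1.2:XX:SYSTEM:Windows XP:V139"

# Constructed genuine query (A record for example.com, id 0x1234, RD set) for comparison.
REAL_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
              b"\x07example\x03com\x00\x00\x01\x00\x01")

STANDARD_OPCODES = {0, 1, 2, 4, 5}  # QUERY, IQUERY, STATUS, NOTIFY, UPDATE


def parse_dns_header(payload):
    """Decode the 12-byte RFC 1035 header exactly as a DNS dissector would."""
    if len(payload) < 12:
        raise ValueError("shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    return {
        "id": ident,
        "flags": flags,
        "opcode": (flags >> 11) & 0xF,  # tcpdump prints 12 as "updateM"
        "rd": (flags >> 8) & 1,         # the "+" in tcpdump's output
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def looks_like_dns(payload):
    """Cheap plausibility checks for UDP/53 traffic; returns (verdict, reasons)."""
    reasons = []
    try:
        h = parse_dns_header(payload)
    except ValueError as err:
        return False, [str(err)]
    if h["opcode"] not in STANDARD_OPCODES:
        reasons.append(f"non-standard opcode {h['opcode']}")
    # A real message carries a handful of questions; thousands means the
    # count fields are really something else (here: two ASCII characters).
    if h["qdcount"] > 16:
        reasons.append(f"implausible qdcount {h['qdcount']}")
    printable = sum(b in string.printable.encode() for b in payload)
    if printable / len(payload) > 0.9:
        reasons.append("almost entirely printable ASCII, unlike wire-format labels")
    if payload.count(b":") >= 3:
        reasons.append("colon-delimited fields look like a beacon, not DNS")
    return not reasons, reasons


if __name__ == "__main__":
    print(parse_dns_header(SAMPLE_PAYLOAD))  # id 28530, qdcount 27749, ... as tcpdump showed
    print(looks_like_dns(SAMPLE_PAYLOAD))    # (False, [four reasons])
    print(looks_like_dns(REAL_QUERY))        # (True, [])
```

The same checks can be run over every UDP/53 payload extracted from a capture to find other hosts emitting this beacon.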
Update: A few hours after this article went live, Google engineer Adam Langley published a blog post taking issue with the GRC characterization that Chrome's CRLSet is "completely broken." In the post, Langley said he has always been clear that the measure isn't perfect, but in any event, it's more effective than the revocation checks on by default in other browsers. "And yet, GRC managed to write pages (including cartoons!) exposing the fact that it doesn't cover many revocations and attacking Chrome for it." In fairness to Google, a test performed after this article was published showed that Chrome blacklisted the TLS certificate Ars revoked three weeks ago. The text of the article as it originally ran follows:
The ability of Google Chrome to block secure website connections compromised by the Heartbleed bug is "completely broken" because the browser by default detects less than three percent of the underlying digital certificates that have been revoked, according to a detailed analysis recently posted online.
The charge was leveled against CRLSet, a regularly updated list in Chrome that catalogs website encryption certificates that have been revoked recently. Last week, noted cryptography engineer and Google employee Adam Langley promoted CRLSet as an improvement over the Online Certificate Status Protocol (OCSP), which is turned on by default in most other browsers. Langley blasted OCSP as "useless" because he said it was trivial to bypass and threatened to harm the performance and stability of the overall Internet.
Infosec 2014: UK data breaches slightly down but cost way up, report shows
The number of UK data breaches and victims has gone down in the past year, but the cost of the most serious incidents has risen significantly, a government-sponsored report shows. The average cost of the worst breach for large organisations is £600,000 ...
Infosec 2014: Cyber safety will take joint effort, says top EU cyber cop
Cyber safety can be achieved only through the joint efforts of all stakeholders, not just law enforcement, says Troels Oerting, head of Europol's European Cybercrime Centre (EC3). “We will win, a safe and secure internet will prevail, but it will be a ...
Cuffing darknet-dwelling cyberscum is tricky. We'll 'disrupt' crims instead ...
Infosecurity Europe 2014 > Security Can Be A Business Enabler
EC3: Darknet & cloud the barriers to prosecuting cyber-criminals
Infosec 2014: Firms moving to cloud despite security fears, study shows
Businesses are moving sensitive or confidential data into public cloud services, despite security fears, an independent global study has revealed. Almost a third of companies doing so expect a negative impact on security posture, according to the ...
Posted by InfoSec News on Apr 29: http://mashable.com/2014/04/28/homeland-security-internet-explorer/
Posted by InfoSec News on Apr 29: http://www.foreignpolicy.com/articles/2014/04/28/exclusive_meet_the_secret_fed_cyber_security_unit_keeping_trillions_of_dollars_s
Posted by InfoSec News on Apr 29: http://leadership.ng/news/368843/cyber-security-nigeria-needs-computer-emergency-response-team
Posted by InfoSec News on Apr 29: http://www.darkreading.com/vulnerabilities---threats/microsoft-warns-of-zero-day-vulnerability-in-internet-explorer/d/d-id/1234907
Posted by InfoSec News on Apr 29: http://blogs.wsj.com/digits/2014/04/28/europe-begins-its-largest-ever-cyberwar-stress-test/