Hello, we currently had an incident with an internal workstation sending traffic to a known botnet (alarm from our proxy appliance). I pulled the pcap from our Shark appliance and I am trying to analyze why our web proxy would identify this as botnet traffic. Is there anything suspicious about this communication that stands out that I am possibly missing? To me, I see that the machine is making a GET request with a long string value to a known IP address that is involved with botnet traffic. I am just trying to take this one step further to better understand these types of events going forward.
asked 14 Mar '15, 09:05 cvs278, edited 14 Mar '15, 09:09
2 Answers:
Well, the GET request is highly unusual, as it has high entropy and no readable parts at all. It's most likely an encryption of some kind, which isn't likely to happen for a "normal" web page. Also, the request goes to an IP address, not an FQDN, so there is probably no DNS entry for the resource that is accessed. This is either a very lazy administrator who doesn't care if anyone uses his web page (very unlikely) or someone who doesn't want to risk registering a DNS domain because it could help identify him. Or he just doesn't care because all the site is doing is receiving botnet traffic, so he doesn't have to register it - the botnet clients know the IP address. On the positive side: IPVoid doesn't blacklist the IP address, and says it's a server in the serverloft.com range: loft7301.serverloft.com. Calling up that server opens a nondescript search form, so there's no way of telling what it is used for. So, in the end it's hard to say, but the page itself doesn't look that bad. I was too lazy to try and see what your GET request would do, because I don't want to type in all the characters. Also, it should only be done from a system that you can discard afterwards, in case it gets infected (e.g. do it from a VM that you can reset to a snapshot). answered 15 Mar '15, 09:17 Jasper ♦♦
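A small detection check for the two signals Jasper describes (a Host header that is a bare IP rather than an FQDN, combined with a long, high-entropy request path), written as an added example for triaging such requests from a pcap or proxy log; it is not code from the original thread. The sample requests, the opaque path token, the entropy threshold and the function names are constructed for illustration.

```python
import math
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample HTTP request heads (not from the original pcap). The
# third one uses a made-up opaque token to stand in for the long GET string.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n",
    "GET /search?q=wireshark+botnet HTTP/1.1\r\nHost: www.example.com\r\n",
    "GET /Kq9zT3vX8mB2wL7rY4nH6pD1cF5sG0jA HTTP/1.1\r\nHost: 203.0.113.45\r\n",
]


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; 0.0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def host_is_literal_ip(host: str) -> bool:
    """True if the Host header value is an IP literal (optionally host:port for IPv4)."""
    candidate = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    try:
        ipaddress.ip_address(candidate.strip("[]"))
        return True
    except ValueError:
        return False


def score_request(raw: str, entropy_threshold: float = 4.0, min_len: int = 16) -> dict:
    """Flag a request as suspicious only when both signals are present.

    entropy_threshold and min_len are assumed tuning values, not measured ones.
    """
    request_line, *headers = raw.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    host = next((h.split(":", 1)[1].strip() for h in headers
                 if h.lower().startswith("host:")), "")
    path = urlsplit(target).path.lstrip("/")
    ent = shannon_entropy(path)
    reasons = []
    if host_is_literal_ip(host):
        reasons.append("Host is a bare IP address, not an FQDN")
    if len(path) >= min_len and ent >= entropy_threshold:
        reasons.append(f"long high-entropy path ({ent:.2f} bits/char)")
    return {"host": host, "path": path, "entropy": round(ent, 2),
            "suspicious": len(reasons) == 2, "reasons": reasons}
```

Run over a proxy export, the same two-signal rule separates ordinary browsing from opaque requests to bare IPs without needing a blacklist hit.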
I did a brief search and found others seeing the same kind of traffic to that server. The response to the following request is "scrambled/encrypted" as well. Response:
Looks like a covert communication channel, being used for whatever. Could be malware or some sort of tunneling proxy. BTW: if you change a single char of the request, you'll get a 404! Does not look "normal" to me ;-) Regards answered 19 Mar '15, 14:48 Kurt Knochner ♦, edited 19 Mar '15, 14:51