[nsp-sec] Proxy/"VPN" malware - tcp/3000 - BackConnect
Lawrence Baldwin
baldwinl at mynetwatchman.com
Wed Jan 30 10:00:49 EST 2008
Anybody seen anything like this, traffic on tcp/3000, payloads look like this:
0xC0XX....
0xC4XX.....
0xC8XX....
0xD8XX....
0xDCXX....
XX = full payload length...varies.
First byte appears to be some kind of command code, haven't seen anything
but the above five...yet.
For example:
0xC4 11 5d 20 09 8b 36 c8 a2 6b fd 2c ee oe 01 d6 5b
Malware calls itself 'BackConnect'.
Regards,
Lawrence.
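An added example, not code from the post or its author, that splits a tcp/3000 byte stream into frames with the layout described above: first byte a command code, second byte the full payload length. It assumes the length byte covers the whole frame including the two header bytes (the quoted sample is 17 bytes and declares 0x11), and reads the "oe" in the quoted dump as 0x0e.

```python
"""Frame splitter and detection heuristic for the tcp/3000 payloads described above."""
from dataclasses import dataclass
from typing import List, Tuple

# Command codes reported in the post (first byte of each payload).
KNOWN_COMMANDS = {0xC0, 0xC4, 0xC8, 0xD8, 0xDC}


@dataclass
class Frame:
    command: int
    length: int   # declared length: whole frame, header bytes included (assumption)
    body: bytes   # bytes after the two-byte header
    known: bool   # command byte is one of the five reported codes


def parse_frames(stream: bytes) -> Tuple[List[Frame], bytes]:
    """Split a stream into frames; return (frames, leftover bytes not yet parseable)."""
    frames: List[Frame] = []
    offset = 0
    while offset + 2 <= len(stream):
        command, length = stream[offset], stream[offset + 1]
        if length < 2:
            break  # malformed: length cannot even cover its own header
        if offset + length > len(stream):
            break  # partial frame: keep the tail and wait for more data
        body = stream[offset + 2 : offset + length]
        frames.append(Frame(command, length, body, command in KNOWN_COMMANDS))
        offset += length
    return frames, stream[offset:]


def looks_like_backconnect(stream: bytes) -> bool:
    """Heuristic match: stream parses fully into frames that all use reported command codes."""
    frames, leftover = parse_frames(stream)
    return bool(frames) and not leftover and all(f.known for f in frames)


# The sample from the post, with 'oe' read as 0x0e (assumption): 17 bytes, declared 0x11.
SAMPLE = bytes.fromhex("c4115d20098b36c8a26bfd2cee0e01d65b")
# Constructed second frame for illustration: command 0xC0, length 5, three body bytes.
SECOND = bytes.fromhex("c005aabbcc")

if __name__ == "__main__":
    for frame in parse_frames(SAMPLE + SECOND)[0]:
        print(f"cmd=0x{frame.command:02X} len={frame.length} body={frame.body.hex()} known={frame.known}")
```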