Thursday, December 14, 2006

UDP Port 25099: Large BotNet!

Recently I was monitoring my network traffic and noticed a lot of incoming connections from around the world on UDP port 25099. I asked the search engines about UDP port 25099 and found nothing.

Update (3/7/2007): At some point since this post, all traffic on UDP port 25099 has stopped. I imagine the botnet updated its client list and removed me from it, since my computer is no longer responding to its commands.

After a bit of investigation I've come to the following conclusion.

Last week my anti-virus program picked up on a trojan and removed it. However, this trojan had been in place for a while, since it was stored in some backup files. It would have been found sooner, but my normal anti-virus program (AVG) didn't detect it.

That trojan made me part of a bot network which uses UDP port 25099 to communicate. The other bots have no idea I've removed the trojan and continue to try to communicate with me.

Judging by the packet data, right now the botnet is just trying to stay synced; I can see commands in their packets like get_peers, find_node, announce_peer.

The traffic load is fairly impressive: I average about 1 request per second from computers around the world that are part of this botnet.

So if you see a lot of traffic coming in on UDP port 25099, run a comprehensive virus / trojan scan on your system to make sure you're not infected.

Note: You can use Ethereal to monitor your traffic.

1 comment:

TerminalInsanity said...

I believe this is BitTorrent traffic. More specifically, it may be DHT (Dynamic Hash Tables)

The commands you listed are part of the DHT protocol.

The Draft DHT Protocol
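The message names in the post (get_peers, find_node, announce_peer) and the comment's identification of them as DHT can be checked directly from the packet payloads. The following is an added example, not code from the original post or its commenter: it decodes the bencoded KRPC datagrams used by the BitTorrent Mainline DHT (BEP 5) and labels each one, so a defender looking at a port 25099 capture can tell well-formed DHT chatter from other UDP traffic. The node ids, info_hash and token values in the samples are constructed placeholders.

```python
# Added example (not from the original post): bencode decoder + KRPC (BEP 5 DHT) classifier.
DHT_QUERIES = {b"ping", b"find_node", b"get_peers", b"announce_peer"}

def bdecode(data, pos=0):
    """Decode one bencoded value at pos; return (value, offset just past it)."""
    c = data[pos:pos + 1]
    if c == b"i":                                 # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c == b"l":                                 # list: l<items>e
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        return items, pos + 1
    if c == b"d":                                 # dict: d<key><value>...e
        out, pos = {}, pos + 1
        while data[pos:pos + 1] != b"e":
            key, pos = bdecode(data, pos)
            out[key], pos = bdecode(data, pos)
        return out, pos + 1
    if c.isdigit():                               # byte string: <len>:<bytes>
        colon = data.index(b":", pos)
        start, length = colon + 1, int(data[pos:colon])
        return data[start:start + length], start + length
    raise ValueError("not bencoded at offset %d" % pos)   # also hit on truncated input

def classify_krpc(payload):
    """Label a UDP payload: 'dht-query:<name>', 'dht-response', 'dht-error' or 'not-krpc'."""
    try:
        msg, end = bdecode(payload)
    except (ValueError, IndexError):
        return "not-krpc"
    if end != len(payload) or not isinstance(msg, dict):   # trailing bytes => not KRPC
        return "not-krpc"
    y = msg.get(b"y")                             # message type: q(uery), r(esponse), e(rror)
    if y == b"q" and msg.get(b"q") in DHT_QUERIES and isinstance(msg.get(b"a"), dict):
        return "dht-query:" + msg[b"q"].decode()
    if y == b"r" and isinstance(msg.get(b"r"), dict):
        return "dht-response"
    if y == b"e" and isinstance(msg.get(b"e"), list):
        return "dht-error"
    return "not-krpc"

# Constructed sample datagrams (node ids and info_hash are placeholder 20-byte strings).
SAMPLES = [
    b"d1:ad2:id20:abcdefghij0123456789e1:q4:ping1:t2:aa1:y1:qe",
    b"d1:ad2:id20:abcdefghij01234567899:info_hash20:mnopqrstuvwxyz123456e1:q9:get_peers1:t2:aa1:y1:qe",
    b"\x17\x03\x01\x00\x20not bencoded at all",
]
```

Payloads exported from Ethereal can be fed to `classify_krpc` one datagram at a time; a capture in which nearly every packet labels as a DHT query or response is consistent with the commenter's explanation rather than with custom bot traffic.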