Monday, 8 March 2010

HP is the virus!

I have been seeing what I thought was a botnet virus on my network trying to talk to its command and control server via constant UDP to everyone on port 34447! I had two laptop clients doing it and their owners were none the wiser. I reported this to HP's internal security teams to see if it was known to them and for them to get solving. One just stopped with no info from its owner and the other was eventually rebuilt. Now, looking at the user's machine, I note it runs a print server! An HP wireless print server! I smell the potential FAIL as most of these products are made in India and Eastern Europe, like their drivers, so I disable it. Bingo, no more UDP broadcasts!

This is what the client running the print server sends:

438.407640 x.x.x.x -> UDP Source port: 49906 Destination port: 34447

The source port moves but is sometimes reused; the rest is static.

