
Re: Stormy P2P bot Sigs -- may be SKYPE ?: msg#00182

security.ids.snort.bleedingsnort

Subject: Re: Stormy P2P bot Sigs -- may be SKYPE ?



Matt Jonkman wrote:
> Russell Fulton wrote:
>
>> Hmmmm... My edonkey alerts have gone crazy recently. I know that at
>> least some of the machines (the ones I checked) are not doing any p2p
>> file sharing, nor are there any signs of infection or compromise. All 3
>> however were running Skype. Is it possible that changes have been made
>> to the skype protocol which result in a lot of packets with 0xE3 at the
>> start?
>>
>
> Looked into some basic skype pcaps and they shouldn't be triggering the
> edonkey sigs. Could skype be using edonkey to pull updates or something?
>
> Could you turn off skype on a few of those and see if the hits persist?
>

We don't have direct control of the machines and skype is perfectly
legal on our network. I'll examine my argus logs and see if I can get
something that I can positively identify as SKYPE. There are a few
IPs that they contact at the start of a session IIRC.

Russell

