Turkish Language C&C Channel
Written by Matt Jonkman   
Wednesday, 19 March 2008

http://doc.emergingthreats.net/bin/view/Main/Win32Turkojan

Win32.Turkojan.jv came across our sights today. Found by Victor Julien, this is the first Turkish language C&C channel we've seen in a long time. (Don't recall the last one...)

High ports, plaintext channel using simple commands and responses. Sigs 2008021-2008030 will cover this well. More information at the link above, including text of a control session.

Matt 

Last Updated ( Wednesday, 19 March 2008 )
Philis.J ICMP Uniqueness
Written by Matt Jonkman   
Tuesday, 18 March 2008

Bit of a funny one today. Win32.Philis is a regular old worm/trojan.

http://vil.nai.com/vil/content/v_141203.htm

We caught a Win32.Philis.J and it does local probing to spread. It uses an ICMP request with the payload "Hello, World". Rather unique, of course. Sig 2008017 is out there to catch it. You'll notice it's any to any. That's because the pinging will mostly be local to local, but it'll be interesting to see if any of these come in at you from the outside.

Thought this an interesting one worth noting here. Some days it's nice to see the bad guys giving us an easy one. If you're listening, thanks!
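To make the probe concrete, here is an added example (not code from the original post, and not the text of sig 2008017, which is not reproduced on this page) that builds an ICMP echo request carrying the "Hello, World" payload, then parses raw ICMP bytes and flags a packet the way a detector for this worm would. It assumes the sig keys on ICMP type 8 plus the payload string; the "normal" ping payload used as a negative case is constructed to resemble a stock Linux ping and is not from the page.

```python
import struct
from typing import Optional, Dict

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
PHILIS_PAYLOAD = b"Hello, World"   # payload the post reports for Win32.Philis.J


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over ICMP header + payload.

    Returns 0 when run over a packet whose checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(itype: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo request/reply with a valid checksum."""
    header = struct.pack("!BBHHH", itype, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", itype, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> Optional[Dict]:
    """Parse the 8-byte ICMP echo header; None if the packet is too short."""
    if len(packet) < 8:
        return None
    itype, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {
        "type": itype, "code": code, "checksum": csum,
        "id": ident, "seq": seq, "payload": packet[8:],
        "checksum_ok": icmp_checksum(packet) == 0,
    }


def is_philis_probe(packet: bytes) -> bool:
    """Assumed detection logic: echo *request* whose payload carries the marker string.

    Replies and other ICMP types are ignored so a host answering a probe is not
    itself flagged; the checksum is deliberately not required, since a sig
    would still want to see a malformed probe."""
    p = parse_icmp(packet)
    return (p is not None
            and p["type"] == ICMP_ECHO_REQUEST
            and PHILIS_PAYLOAD in p["payload"])


# Constructed samples (not captures from the page):
PHILIS_PROBE = build_icmp(ICMP_ECHO_REQUEST, 0x1234, 1, PHILIS_PAYLOAD)
PHILIS_REPLY = build_icmp(ICMP_ECHO_REPLY, 0x1234, 1, PHILIS_PAYLOAD)
NORMAL_PING = build_icmp(ICMP_ECHO_REQUEST, 0x1234, 1, bytes(range(0x10, 0x38)))

if __name__ == "__main__":
    for name, pkt in [("philis probe", PHILIS_PROBE),
                      ("philis reply", PHILIS_REPLY),
                      ("normal ping", NORMAL_PING)]:
        print(f"{name:13s} checksum_ok={parse_icmp(pkt)['checksum_ok']} "
              f"philis={is_philis_probe(pkt)}")
```

Feed it the ICMP portion of a captured packet (after the IP header) to check a hit by hand; the checksum check is there so you can tell a real probe from a mangled or truncated capture.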

Matt 

Last Updated ( Tuesday, 18 March 2008 )
Unknown C&C Sigs
Written by Matt Jonkman   
Monday, 17 March 2008

Have an interesting one. No specific detection by AV yet, and it's been in my queue for a week now.

C&C I caught was on port 2000 tcp. Haven't totally decoded it, but there are definite patterns to the checkin and keepalive activity. There's a very large encoded data upload, several megabytes, after the initial checkin. Then just keepalive.

Sample MD5 is 41c62970ea34413c4011b220724bf029. Happy to share with anyone that wants to try to reverse it.

These sigs are listed as unknown in current events for now. Will put them in a more appropriate place with an appropriate name once it has one, or we identify what it really is. 

(Note: Get the most current version of these sigs from the wiki: 2008006 , 2008007 , 2008008 , 2008009 , and 2008010 )


# Checkin chain: 2008006 silently (noalert) sets ET.unk.1 on the first client packet,
# 2008007 fires on the server reply only if ET.unk.1 is set and then sets ET.unk.2,
# 2008008 fires on the client's follow-up only if ET.unk.2 is set.
# Keepalive sigs 2008009/2008010 stand alone; 2008010 is the server's packet
# ($EXTERNAL_NET -> $HOME_NET), so its flow keyword is from_server.
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET CURRENT_EVENTS Unknown Trojan CnC Channel Packet 1"; flowbits:isnotset,ET.unk.1; flow:established,to_server; dsize:<200; content:"|8e 00 d0 00|"; depth:4; flowbits:set,ET.unk.1; flowbits:noalert; classtype:trojan-activity; sid:2008006; rev:2;)
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"ET CURRENT_EVENTS Unknown Trojan CnC Channel Packet 1 reply"; flowbits:isset,ET.unk.1; flow:established,from_server; dsize:<10; content:"|05 00 00 00|"; depth:4; flowbits:set,ET.unk.2; classtype:trojan-activity; sid:2008007; rev:1;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET CURRENT_EVENTS Unknown Trojan CnC Channel Checkin Replies"; flowbits:isset,ET.unk.2; flow:established,to_server; dsize:<20; content:"|09 00 00 00|"; depth:4; classtype:trojan-activity; sid:2008008; rev:1;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET CURRENT_EVENTS Unknown Trojan CnC Channel Keepalive Pong"; flow:established,to_server; dsize:<40; content:"|20 00 00 00 f8 4d b2 77|"; depth:8; classtype:trojan-activity; sid:2008009; rev:1;)
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"ET CURRENT_EVENTS Unknown Trojan CnC Channel Keepalive Ping"; flow:established,from_server; dsize:<25; content:"|12 00 00 00|"; depth:4; classtype:trojan-activity; sid:2008010; rev:1;)
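To show why the three checkin sigs are chained with flowbits rather than each firing on its own 4-byte pattern, here is an added example (not part of the original post and not the ET ruleset itself) that models the five rules in Python and evaluates them over one constructed TCP session. Direction strings stand in for the header/flow pair of each rule (HOME_NET to EXTERNAL_NET with to_server, and the reverse with from_server); the packet payloads are made up so that only their leading bytes match the content keywords and their sizes respect the dsize limits, and the multi-megabyte upload from the post is represented by one oversized packet.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Rule:
    """The subset of Snort rule options these five sigs use."""
    sid: int
    msg: str
    direction: str                 # "to_server" (client->C&C) or "from_server" (C&C->client)
    max_dsize: int                 # dsize:<max_dsize
    content: bytes                 # content:"|..|"; depth:len(content), i.e. payload must start with it
    isset: Optional[str] = None    # flowbits:isset,<name>
    isnotset: Optional[str] = None # flowbits:isnotset,<name>
    setbit: Optional[str] = None   # flowbits:set,<name>
    noalert: bool = False          # flowbits:noalert


RULES = [
    Rule(2008006, "Unknown Trojan CnC Channel Packet 1", "to_server", 200,
         bytes.fromhex("8e00d000"), isnotset="ET.unk.1", setbit="ET.unk.1", noalert=True),
    Rule(2008007, "Unknown Trojan CnC Channel Packet 1 reply", "from_server", 10,
         bytes.fromhex("05000000"), isset="ET.unk.1", setbit="ET.unk.2"),
    Rule(2008008, "Unknown Trojan CnC Channel Checkin Replies", "to_server", 20,
         bytes.fromhex("09000000"), isset="ET.unk.2"),
    Rule(2008009, "Unknown Trojan CnC Channel Keepalive Pong", "to_server", 40,
         bytes.fromhex("20000000f84db277")),
    Rule(2008010, "Unknown Trojan CnC Channel Keepalive Ping", "from_server", 25,
         bytes.fromhex("12000000")),
]

Packet = Tuple[str, bytes]   # (direction, TCP payload)


def rule_matches(rule: Rule, direction: str, payload: bytes, flowbits: Set[str]) -> bool:
    """Apply direction, dsize, content-at-depth and flowbit preconditions."""
    if rule.direction != direction:
        return False
    if len(payload) >= rule.max_dsize:                  # dsize:<N
        return False
    if payload[:len(rule.content)] != rule.content:     # content with depth == len(content)
        return False
    if rule.isset is not None and rule.isset not in flowbits:
        return False
    if rule.isnotset is not None and rule.isnotset in flowbits:
        return False
    return True


def run_session(packets: List[Packet], rules: List[Rule] = RULES) -> List[Tuple[int, int]]:
    """Evaluate the rules over one TCP session (one flowbit scope).

    Returns (1-based packet index, sid) for every alert; noalert matches only set bits."""
    flowbits: Set[str] = set()
    alerts: List[Tuple[int, int]] = []
    for idx, (direction, payload) in enumerate(packets, start=1):
        for rule in rules:
            if not rule_matches(rule, direction, payload, flowbits):
                continue
            if rule.setbit is not None:
                flowbits.add(rule.setbit)
            if not rule.noalert:
                alerts.append((idx, rule.sid))
    return alerts


# Constructed session (payload bodies are filler, only the leading bytes matter):
CHECKIN_SESSION: List[Packet] = [
    ("to_server",   bytes.fromhex("8e00d000") + b"\x00" * 60),            # checkin, 64 bytes
    ("from_server", bytes.fromhex("05000000") + b"\x01"),                  # reply, 5 bytes
    ("to_server",   bytes.fromhex("09000000") + b"\x00" * 4),             # checkin reply, 8 bytes
    ("to_server",   b"\xaa" * 4096),                                       # stand-in for the big upload
    ("from_server", bytes.fromhex("12000000") + b"\x00" * 8),             # keepalive ping, 12 bytes
    ("to_server",   bytes.fromhex("20000000f84db277") + b"\x00" * 8),     # keepalive pong, 16 bytes
]

if __name__ == "__main__":
    print("full session:", run_session(CHECKIN_SESSION))
    # Drop the first packet: the reply and checkin-reply sigs stay quiet because
    # the bits were never set, while the stand-alone keepalive sigs still fire.
    print("no checkin:  ", run_session(CHECKIN_SESSION[1:]))
```

The second run is the point of the flowbits: a bare `|05 00 00 00|` or `|09 00 00 00|` at the start of a small packet is far too common on high ports to alert on by itself, so those sigs only fire once the `8e 00 d0 00` checkin has been seen on the same flow.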

Please report hits or info to the e-mail address given on the original page!

Matt 

Last Updated ( Monday, 17 March 2008 )