Written by Matt Jonkman
Wednesday, 05 March 2008
http://doc.emergingthreats.net/bin/view/Main/TrojanDropper497
Interesting one. Has an HTML-like tag language to push stats and info about the system, and a keep-alive status stream.

Haven't totally reversed it, but signatures are up that'll be reliable: 2007918-2007920.

Calling it Yumato since it uses that name in its server status messages. Clam calls it Dropper-497.

Matt
Written by Matt Jonkman
Wednesday, 05 March 2008
Two new rules out for Storm. We have new samples that are mutating every time they execute. Where we had one encryption/obfuscation key for the last couple of months, we now appear to have a new one for every execution.

UPDATE: Doesn't appear to be a new key. The old sigs, which had worked for about 3 months, were looking at the first 4 bytes, which includes part of the peer id hash. For some reason that held static but is no longer. The existing encrypted Storm sigs have been adjusted and should be more accurate. Please report any issues:

http://doc.emergingthreats.net/2007701
http://doc.emergingthreats.net/2007702

Matt
Last Updated ( Wednesday, 05 March 2008 )
Written by Matt Jonkman
Wednesday, 20 February 2008
Caught an interesting Delf variant pushing keylogs up via FTP with a predictable filename:

STOR MACHINENAME Keylogger [12_54 AM].txt

That's easy enough to follow:

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN Delf Keylog FTP Upload"; flow:established,to_server; content:"STOR "; depth:5; content:" Keylogger ["; nocase; distance:5; within:50; content:"].txt|0d 0a|"; nocase; distance:5; within:40; classtype:trojan-activity; sid:2007858; rev:1;)

Please report issues with it!

Matt
Last Updated ( Wednesday, 20 February 2008 )
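The content chain in that rule can be checked offline against captured FTP control-channel lines. The script below is an added example, not code from Matt's post or from the Emerging Threats ruleset: it emulates how Snort applies the content/depth/distance/within modifiers of SID 2007858 and runs them over a handful of constructed STOR commands (the hostnames and timestamps are made up). It also makes one property of the rule visible: because the second content carries distance:5, at least five bytes must sit between "STOR " and " Keylogger [", so an upload from a machine with a name shorter than five characters does not trigger it.

```python
"""
Emulation of the Snort content chain in ET SID 2007858 (Delf keylog FTP upload).

Modelling assumptions (stand-alone example, not Snort itself):
  * depth:N      -> the pattern is searched only in the first N payload bytes
  * distance:N   -> the search window starts N bytes after the previous match ends
  * within:N     -> the search window ends N bytes after the previous match ends,
                    and the pattern must lie wholly inside that window
  * nocase       -> case-insensitive comparison
"""

# (pattern, nocase, depth, distance, within); None = modifier absent.
# Taken from the rule body: "STOR " / " Keylogger [" / "].txt|0d 0a|".
RULE_2007858_CHAIN = [
    (b"STOR ", False, 5, None, None),
    (b" Keylogger [", True, None, 5, 50),
    (b"].txt\r\n", True, None, 5, 40),
]


def _find(window: bytes, pattern: bytes, nocase: bool) -> int:
    """Locate pattern inside window, honouring the nocase modifier."""
    if nocase:
        return window.lower().find(pattern.lower())
    return window.find(pattern)


def match_chain(payload: bytes, chain=RULE_2007858_CHAIN) -> bool:
    """Return True if every content in the chain matches, in order, with its modifiers."""
    cursor = 0  # offset just past the end of the previous content match
    for pattern, nocase, depth, distance, within in chain:
        if depth is not None:
            # Absolute window from the start of the payload.
            start, end = 0, depth
        else:
            # Relative window anchored on the previous match.
            start = cursor + (distance or 0)
            end = cursor + within if within is not None else len(payload)
        idx = _find(payload[start:end], pattern, nocase)
        if idx < 0:
            return False
        cursor = start + idx + len(pattern)
    return True


# Constructed FTP command lines; hostnames and times are invented for the example.
SAMPLE_FTP_COMMANDS = {
    "keylog upload":      b"STOR WORKSTATION7 Keylogger [12_54 AM].txt\r\n",
    "mixed case":         b"STOR LAPTOP-JD KEYLOGGER [07_15 pm].TXT\r\n",
    "ordinary upload":    b"STOR quarterly-report.pdf\r\n",
    "short machine name": b"STOR PC1 Keylogger [12_54 AM].txt\r\n",
    "RETR not STOR":      b"RETR HOST Keylogger [12_54 AM].txt\r\n",
}


def scan(commands=SAMPLE_FTP_COMMANDS) -> dict:
    """Apply the rule chain to each sample line; map label -> hit/no hit."""
    return {label: match_chain(line) for label, line in commands.items()}


if __name__ == "__main__":
    for label, hit in scan().items():
        print(f"{'ALERT' if hit else '  -  '}  {label}")
```

The "short machine name" line carries exactly the filename shape the post describes, yet does not alert, because the window for " Keylogger [" only opens five bytes after "STOR " and the pattern starts at byte three. Whether that matters depends on how short the hostnames in your environment get; it is the trade-off the distance modifier buys in exchange for fewer false positives on ordinary uploads.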