Found an interesting bit of malware. It's well detected by AV, but we had no sigs for it. (VirusTotal results are available in the full article post.) The sigs posted should be quite reliable. They can be found here:

http://doc.emergingthreats.net/2007751
http://doc.emergingthreats.net/2007752
http://doc.emergingthreats.net/2007753

The network activity is quite unique. First it makes an outbound connection to a controller on port 80 with just:

    GET /404.txt HTTP/1.0
    Host: xx.xx.xx.xx

Then the response is:

    HTTP/1.0 200 OK
    Encryption: on
    Content-Length: 43

    ..z... R....@..(..8p...x.@@@..Q..sI*.c{.Z..

Quite unique. Then it opens a C&C channel on port 443, but it's not SSL. Not sure what it is, but found a few unique bits to make sigs for. Will research more into this one. As always, please report any new info or false positives.
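As an added example (not code from the original post or from Emerging Threats), here is a small Python checker for the beacon pattern described above: a `GET /404.txt` over HTTP/1.0 with a bare IP in the Host header, a reply carrying the non-standard `Encryption: on` header with a short binary body, and, for the port 443 channel, a test of whether the client's first bytes look like a TLS handshake at all. The sample messages are constructed stand-ins, not captured traffic.

```python
from ipaddress import ip_address

# Constructed stand-ins modelled on the exchange in the post (not captured traffic);
# the 43-byte body is a placeholder blob standing in for the real binary payload.
SAMPLE_REQUEST = b"GET /404.txt HTTP/1.0\r\nHost: 203.0.113.7\r\n\r\n"
SAMPLE_RESPONSE = (b"HTTP/1.0 200 OK\r\nEncryption: on\r\nContent-Length: 43\r\n\r\n"
                   + bytes(range(43)))
BENIGN_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"


def parse_http(raw: bytes):
    """Split an HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def is_beacon_request(raw: bytes) -> bool:
    """GET /404.txt over HTTP/1.0 whose Host header is a bare IP, as in the post."""
    start, headers, _ = parse_http(raw)
    if start != "GET /404.txt HTTP/1.0":
        return False
    try:
        ip_address(headers.get("host", ""))   # hostnames raise ValueError
    except ValueError:
        return False
    return True


def is_beacon_response(raw: bytes) -> bool:
    """HTTP/1.0 200 with the non-standard 'Encryption: on' header and a short binary body."""
    start, headers, body = parse_http(raw)
    if not start.startswith("HTTP/1.0 200") or headers.get("encryption") != "on":
        return False
    length = headers.get("content-length", "")
    if not length.isdigit() or int(length) != len(body) or len(body) > 256:
        return False
    # A real text body is almost entirely printable; the beacon reply is not.
    non_printable = sum(1 for b in body if b < 0x20 and b not in b"\r\n\t" or b > 0x7e)
    return non_printable * 4 > len(body)


def looks_like_tls(first_bytes: bytes) -> bool:
    """A TLS session opens with a handshake record: type 0x16, major version 0x03."""
    return len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03
```

Feed `looks_like_tls` the first bytes a client sends on a port 443 flow; a `False` there on a flow that also matched the port 80 beacon is the combination worth alerting on.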
VirusTotal.com shows us this:

| Engine | Detection |
|---|---|
| AntiVir | TR/Proxy.Saturn.M |
| Avast | Win32:Saturn-D |
| AVG | Proxy.WQY |
| BitDefender | Trojan.Proxy.Saturn.M |
| CAT-QuickHeal | TrojanProxy.Saturn.m |
| ClamAV | Trojan.Proxy-1561 |
| DrWeb | Trojan.Ascesso |
| eSafe | Win32.Saturn.m |
| Ewido | Proxy.Saturn.m |
| F-Prot | W32/Saturn.A |
| F-Secure | Trojan-Proxy.Win32.Saturn.m |
| Ikarus | Trojan-Proxy.Win32.Saturn.m |
| Kaspersky | Trojan-Proxy.Win32.Saturn.m |
| Microsoft | Backdoor:Win32/Tofsee.D |
| NOD32v2 | Win32/Nulprot |
| Panda | Trj/WinOpts.BB |
| Sophos | Mal/Generic-A |
| Sunbelt | Trojan-Proxy.Win32.Saturn.c |
| Symantec | Trojan.Ascesso |
| TheHacker | Trojan/Proxy.Saturn.m |
| VBA32 | Trojan-Proxy.Win32.Saturn.m |
| VirusBuster | Trojan.PR.Saturn.F |
| Webwasher-Gateway | Trojan.Proxy.Saturn.M |