Unknown C&C Sigs
Written by Matt Jonkman
Monday, 17 March 2008

Have an interesting one. No specific detection by AV yet, and it's been in my queue for a week now.


The C&C I caught was on TCP port 2000. I haven't totally decoded it, but there are definite patterns in the checkin and keepalive activity. There's a very large encoded data upload, several megabytes, after the initial checkin, then just keepalives.


Sample MD5 is 41c62970ea34413c4011b220724bf029. Happy to share it with anyone who wants to try to reverse it.


These sigs are filed under CURRENT_EVENTS as "Unknown" for now. I'll move them to a more appropriate place with a proper name once the trojan has one, or once we identify what it really is.


(Note: Get the most current version of these sigs from the wiki: 2008006, 2008007, 2008008, 2008009, and 2008010.)


# Checkin: bot -> C&C. Only seeds the flowbit chain (noalert), never fires on its own.
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET CURRENT_EVENTS Unknown Trojan CnC Channel Packet 1"; flowbits:isnotset,ET.unk.1; flow:established,to_server; dsize:<200; content:"|8e 00 d0 00|"; depth:4; flowbits:set,ET.unk.1; flowbits:noalert; classtype:trojan-activity; sid:2008006; rev:2;)
# Checkin reply: C&C -> bot. Fires only if the checkin above was seen in this session.
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"ET CURRENT_EVENTS Unknown Trojan CnC Channel Packet 1 reply"; flowbits:isset,ET.unk.1; flow:established,from_server; dsize:<10; content:"|05 00 00 00|"; depth:4; flowbits:set,ET.unk.2; classtype:trojan-activity; sid:2008007; rev:1;)
# Bot acknowledges the reply; gated on the reply having been seen.
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET CURRENT_EVENTS Unknown Trojan CnC Channel Checkin Replies"; flowbits:isset,ET.unk.2; flow:established,to_server; dsize:<20; content:"|09 00 00 00|"; depth:4; classtype:trojan-activity; sid:2008008; rev:1;)
# Keepalive pong: bot -> C&C. 8-byte match, so it stands on its own without flowbits.
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET CURRENT_EVENTS Unknown Trojan CnC Channel Keepalive Pong"; flow:established,to_server; dsize:<40; content:"|20 00 00 00 f8 4d b2 77|"; depth:8; classtype:trojan-activity; sid:2008009; rev:1;)
# Keepalive ping: C&C -> bot. Direction corrected to from_server to match the
# $EXTERNAL_NET -> $HOME_NET header (the original read to_server, which can never match here).
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"ET CURRENT_EVENTS Unknown Trojan CnC Channel Keepalive Ping"; flow:established,from_server; dsize:<25; content:"|12 00 00 00|"; depth:4; classtype:trojan-activity; sid:2008010; rev:1;)
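The point of the flowbits in 2008006-2008008 is that a 4-byte content match is far too weak to alert on alone, so the sigs chain into a per-session state machine. The Python below is an added model of that evaluation (not code from this post or from the ET ruleset); the packets are constructed, and 2008010 is modelled as from_server since its header is $EXTERNAL_NET -> $HOME_NET.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    sid: int
    to_server: bool     # flow:to_server (True) or flow:from_server (False)
    content: bytes      # bytes required at offset 0; depth equals len(content)
    max_dsize: int      # dsize:<N
    isset: str = ""     # flowbits:isset,<name>
    isnotset: str = ""  # flowbits:isnotset,<name>
    setbit: str = ""    # flowbits:set,<name>
    noalert: bool = False

RULES = [  # bytes and options transcribed from sids 2008006-2008010
    Rule(2008006, True, bytes.fromhex("8e00d000"), 200, isnotset="ET.unk.1", setbit="ET.unk.1", noalert=True),
    Rule(2008007, False, bytes.fromhex("05000000"), 10, isset="ET.unk.1", setbit="ET.unk.2"),
    Rule(2008008, True, bytes.fromhex("09000000"), 20, isset="ET.unk.2"),
    Rule(2008009, True, bytes.fromhex("20000000f84db277"), 40),
    Rule(2008010, False, bytes.fromhex("12000000"), 25),  # assumed from_server: $EXTERNAL_NET -> $HOME_NET
]

def run_session(packets):
    """packets: [(to_server, payload)] for ONE TCP session; returns the sids that alert."""
    bits, alerts = set(), []  # flowbits are per-session state, so they live only here
    for to_server, payload in packets:
        for r in RULES:
            if r.to_server != to_server or len(payload) >= r.max_dsize:
                continue
            if not payload.startswith(r.content):
                continue
            if (r.isset and r.isset not in bits) or (r.isnotset and r.isnotset in bits):
                continue  # flowbit gate failed: a bare 4-byte match is not enough on its own
            if r.setbit:
                bits.add(r.setbit)
            if not r.noalert:  # 2008006 only seeds the chain and never alerts itself
                alerts.append(r.sid)
    return alerts
# Constructed payloads: each sig's leading bytes plus filler, kept under its dsize limit
CHECKIN = (True, bytes.fromhex("8e00d000") + b"\x00" * 60)
CHK_REPLY = (False, bytes.fromhex("05000000") + b"\x01")
CHK_ACK = (True, bytes.fromhex("09000000") + b"\x00" * 4)
PING = (False, bytes.fromhex("12000000") + b"\x00" * 8)
PONG = (True, bytes.fromhex("20000000f84db277") + b"\x00" * 8)

def full_session():
    # Checkin, reply, ack, then two keepalive rounds: 2008006 is silent, the rest fire in order
    return run_session([CHECKIN, CHK_REPLY, CHK_ACK, PING, PONG, PING, PONG])
def orphan_reply():
    # A reply and ack with no prior checkin in this session: the flowbit gates keep both quiet
    return run_session([CHK_REPLY, CHK_ACK])
```

Because the state lives per session, the same bytes seen in a different connection (or on a sensor that missed the checkin) stay silent, which is the trade-off the chain makes against false positives.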


Please report hits or info to [e-mail address obfuscated on the original page]!


Matt 

Last Updated (Monday, 17 March 2008)