Update
Looks like this may be legitimate, although very unusual. Note the following:
www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/
While suspicious, could be legit, so we've moved the below signatures to the POLICY ruleset.
-----------------------
We've just run across a new (possibly) P2P (possibly) trojan in the sandnet. It's similar to Storm, though we're not sure exactly what or how, but we've put up sigs for it.
If you get hits on these please let us know. AV so far isn't detecting it, although the sample is over a month old. Quite concerning.
Sigs posted are:
#re 60fa2ff79411dd1cb829e8a966aa86fc
#Unknown so far, no AV coverage, appears to be peer to peer
alert tcp $HOME_NET any -> $EXTERNAL_NET 3000:8000 (msg:"ET CURRENT_EVENTS Unknown Trojan P2P Initial Checkin"; flow:established,to_server; dsize:<30; content:"|00 00 00 00|"; depth:5; offset:1; content:"|00 01 01 00 00 01 00 00|"; distance:1; within:9; threshold:type both, count 5, seconds 120, track by_src; classtype:trojan-activity; sid:2008768; rev:2;)
alert tcp $EXTERNAL_NET 3000:8000 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Trojan P2P Initial Checkin Response"; flow:established,from_server; dsize:<100; content:"|00 00 00 00|"; depth:5; offset:1; content:"|00 01 01 00 00 07 00 00|"; distance:1; within:9; threshold: type both, count 5, seconds 120, track by_dst; classtype:trojan-activity; sid:2008769; rev:2;)
#moves to 7090 in samples
alert tcp $HOME_NET any -> $EXTERNAL_NET 3000:8000 (msg:"ET CURRENT_EVENTS Unknown Trojan P2P Download Request"; flow:established,to_server; dsize:<100; content:"|00 00 00 00|"; depth:5; offset:1; content:"|00 01 01 00 00 08 00 00|"; distance:1; within:9; threshold: type both, count 5, seconds 120, track by_src; classtype:trojan-activity; sid:2008771; rev:2;)
alert tcp $EXTERNAL_NET 3000:8000 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Trojan P2P Data Download"; flow:established,from_server; dsize:>1000; content:"|00 00 00|"; depth:5; offset:2; content:"|00 01 01 00 00 05 00 00|"; distance:1; within:9; threshold: type both, count 5, seconds 120, track by_dst; classtype:trojan-activity; sid:2008770; rev:2;)
#moved to 5622 in samples
alert tcp $HOME_NET any -> $EXTERNAL_NET 3000:8000 (msg:"ET CURRENT_EVENTS Unknown Trojan P2P Request"; flow:established,to_server; dsize:<60; content:"|00 00 00 00|"; depth:5; offset:1; content:"|00 01 01 00 00 03 00 00|"; distance:1; within:9; threshold: type both, count 5, seconds 120, track by_src; classtype:trojan-activity; sid:2008772; rev:2;)
PLEASE report any hits!
Matt
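All five rules above share one framing: a run of zero bytes near the start of the payload, a one-byte gap, then an 8-byte header whose sixth byte is the message type (0x01, 0x07, 0x08, 0x05, 0x03), gated by a packet-size check and a per-address threshold. The following Python is an added example, not part of the post or the ET ruleset: it models Snort's content/offset/depth/distance/within matching and the "threshold: type both" suppression just far enough to run the posted rules over constructed payloads. The sample bytes are made up to fit the rule contents and are not captures from the sandnet; the threshold model is a simplification (no memory limits, no per-rule global state).

```python
"""Toy model of the ET 'Unknown Trojan P2P' rules (sids 2008768-2008772).

Added example; not the original post's code. Payloads below are constructed to
fit the rule contents and are NOT real sandnet captures.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Content:
    pattern: bytes
    offset: int = 0                 # absolute window start (first content only)
    depth: Optional[int] = None     # absolute window length
    distance: int = 0               # relative: bytes skipped after previous match
    within: Optional[int] = None    # relative: window length after distance
    relative: bool = False          # True for every content after the first


@dataclass
class Rule:
    sid: int
    msg: str
    dsize: Callable[[int], bool]    # payload-size predicate (dsize:<30 etc.)
    contents: list
    track: str                      # "by_src" or "by_dst"


def find_content(payload: bytes, c: Content, cursor: int) -> Optional[int]:
    """Return the end offset of the match, or None. The pattern must fit
    entirely inside the window [start, end), as Snort requires."""
    if c.relative:
        start = cursor + c.distance
        end = len(payload) if c.within is None else start + c.within
    else:
        start = c.offset
        end = len(payload) if c.depth is None else start + c.depth
    idx = payload.find(c.pattern, start, min(end, len(payload)))
    return None if idx < 0 else idx + len(c.pattern)


def rule_matches(rule: Rule, payload: bytes) -> bool:
    if not rule.dsize(len(payload)):
        return False
    cursor = 0
    for c in rule.contents:
        cursor = find_content(payload, c, cursor)
        if cursor is None:
            return False
    return True


def p2p_rule(sid, msg, dsize, first, msgtype, track) -> Rule:
    """Second content of every posted rule: |00 01 01 00 00 <type> 00 00|
    at distance:1 within:9 of the zero-byte run."""
    header = Content(bytes([0, 1, 1, 0, 0, msgtype, 0, 0]),
                     distance=1, within=9, relative=True)
    return Rule(sid, msg, dsize, [first, header], track)


ZERO4_AT1 = Content(b"\x00\x00\x00\x00", offset=1, depth=5)   # depth:5; offset:1
ZERO3_AT2 = Content(b"\x00\x00\x00", offset=2, depth=5)       # depth:5; offset:2

RULES = [
    p2p_rule(2008768, "Initial Checkin",          lambda n: n < 30,   ZERO4_AT1, 0x01, "by_src"),
    p2p_rule(2008769, "Initial Checkin Response", lambda n: n < 100,  ZERO4_AT1, 0x07, "by_dst"),
    p2p_rule(2008771, "Download Request",         lambda n: n < 100,  ZERO4_AT1, 0x08, "by_src"),
    p2p_rule(2008770, "Data Download",            lambda n: n > 1000, ZERO3_AT2, 0x05, "by_dst"),
    p2p_rule(2008772, "Request",                  lambda n: n < 60,   ZERO4_AT1, 0x03, "by_src"),
]


def classify(payload: bytes) -> list:
    """Sids of every posted rule whose dsize and contents match the payload."""
    return [r.sid for r in RULES if rule_matches(r, payload)]


class ThresholdBoth:
    """'threshold: type both, count N, seconds S' (simplified): fire once when
    the N-th event from a tracked address lands inside an S-second window,
    then stay quiet until the window expires and restarts."""
    def __init__(self, count: int = 5, seconds: int = 120):
        self.count, self.seconds = count, seconds
        self.state = {}   # (sid, addr) -> [window_start, events_in_window]

    def event(self, sid: int, addr: str, t: float) -> bool:
        start, n = self.state.get((sid, addr), (t, 0))
        if t - start >= self.seconds:          # window expired: start a new one
            start, n = t, 0
        n += 1
        self.state[(sid, addr)] = [start, n]
        return n == self.count                 # True exactly once per window


def HDR(msgtype: int) -> bytes:
    return bytes([0, 1, 1, 0, 0, msgtype, 0, 0])


# Constructed payloads shaped like the rule contents (not real traffic).
SAMPLES = {
    "checkin":          b"\x0e" + b"\x00" * 4 + b"\x00" + HDR(0x01),
    "checkin_response": b"\x1a" + b"\x00" * 4 + b"\x00" + HDR(0x07) + b"\x41" * 50,
    "download_request": b"\x10" + b"\x00" * 4 + b"\x00" + HDR(0x08),
    "data_download":    b"\xff\xff" + b"\x00" * 3 + b"\x00" + HDR(0x05) + b"\x00" * 1100,
    "request":          b"\x0e" + b"\x00" * 4 + b"\x00" + HDR(0x03),
    "checkin_too_big":  b"\x0e" + b"\x00" * 4 + b"\x00" + HDR(0x01) + b"\x00" * 40,  # fails dsize:<30
    "http":             b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n",
}

if __name__ == "__main__":
    for name, pl in SAMPLES.items():
        print(f"{name:18s} len={len(pl):5d} sids={classify(pl)}")
```

Two things worth noticing when you run it: the size gates do real work (the "checkin_too_big" payload carries the exact 0x01 header but is dropped by dsize:<30), and because the rules only test a handful of fixed bytes in the first 15 of a packet, the threshold of 5 hits per 120 seconds per address is what keeps them from firing on one-off coincidences, so tune count/seconds rather than the content if you see isolated hits.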