Snort mailing list archives
Re: winhe800 trojan
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 19 Aug 2011 14:01:56 -0400
Crusty,

This is a noisy one, so I put some thresholds in the icmp and udp based rules.

alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"BOTNET-CNC Trojan Win32.Yoddos.A outbound indicator"; itype:8; icode:0; content:"YYYYYYYYYYYYYYYYYYYYYYYYYYYY"; threshold:type both, track by_src, count 1, seconds 60; classtype:trojan-activity; reference:url,www.virustotal.com/file-scan/report.html?id=a7f97ed5c064b038279dbd02554c7e555d97f67b601b94bfc556a50a41dae137-1304614426;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"BOTNET-CNC Trojan Win32.Yoddos.A outbound connection"; dsize:210; content:"|ea ea ea ea ea ea ea ea ea ea ea ea ea ea ea ea ea ea ea|"; fast_pattern:only; threshold:type both, track by_src, count 1, seconds 60; classtype:trojan-activity; reference:url,www.virustotal.com/file-scan/report.html?id=a7f97ed5c064b038279dbd02554c7e555d97f67b601b94bfc556a50a41dae137-1304614426;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"BOTNET-CNC Trojan Win32.Yoddos.A outbound connection"; dsize:112; content:"|9c 9c 9c 9c 9c 9c 9c 9c 9c 9c 9c 9c 9c 9c 9c 9c 9c 9c 9c|"; fast_pattern:only; threshold:type both, track by_src, count 1, seconds 60; classtype:trojan-activity; reference:url,www.virustotal.com/file-scan/report.html?id=a7f97ed5c064b038279dbd02554c7e555d97f67b601b94bfc556a50a41dae137-1304614426;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain 800.sxzyong.com"; flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|800|07|sxzyong|03|com"; metadata:impact_flag red, service dns; reference:url,www.virustotal.com/file-scan/report.html?id=a7f97ed5c064b038279dbd02554c7e555d97f67b601b94bfc556a50a41dae137-1304614426; classtype:trojan-activity;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain 801.sxzyong.com"; flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|801|07|sxzyong|03|com"; metadata:impact_flag red, service dns; reference:url,www.virustotal.com/file-scan/report.html?id=a7f97ed5c064b038279dbd02554c7e555d97f67b601b94bfc556a50a41dae137-1304614426; classtype:trojan-activity;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain 802.sxzyong.com"; flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|802|07|sxzyong|03|com"; metadata:impact_flag red, service dns; reference:url,www.virustotal.com/file-scan/report.html?id=a7f97ed5c064b038279dbd02554c7e555d97f67b601b94bfc556a50a41dae137-1304614426; classtype:trojan-activity;)

We'll try and get these out in the next rule pack.

Joel

On Aug 19, 2011, at 6:40 AM, Crusty Saint wrote:
Hi,

I've just come across a machine which has been repeatedly infected with a more or less recent Trojan recognisable by the winhe800.exe filename. Little information exists and is not 100% consistent. Evidence was deleted by an overzealous admin so I cannot simply try and build a custom rule for this.

Anyone out there having a resource or rule available for usage? I've found reference to a dropper but no useful sig in the ruleset(s). Also no useful result in threatexpert, virustotal or others. No specific rule for winhe800.exe etc.

Resources (only works from webcache):
http://webcache.googleusercontent.com/search?q=cache:HvFwmWx3I2EJ:xml.ssdsandbox.net/view/bf7b927f7e737a49cb46c25a447fa254+winhe800+url&cd=3&hl=nl&ct=clnk&gl=nl&source=www.google.nl
http://home.mcafee.com/virusinfo/virusprofile.aspx?key=556848#none
http://vil.nai.com/vil/content/v_472810.htm
http://download.globalhauri.com/customer/security/virus_view.html?intSeq=2251&page=14&keyfield=&key=&SelectPart=
http://www.hauri.co.kr/customer/security/virus_view.html?intSeq=2251&page=12&keyfield=&key=&SelectPart=1

Best Regards,
S.C.

--
- - - Security Engineer - Tags: Analyst Systems Security Linux Firewall Network Web Troubleshooting - If you think I deserve a rant, write me off-list

------------------------------------------------------------------------------
Get a FREE DOWNLOAD! and learn more about uberSVN rich system, user administration capabilities and model configuration. Take the hassle out of deploying and managing Subversion and the tools developers use with it. http://p.sf.net/sfu/wandisco-d2d-2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
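To make the DNS blacklist rules in Joel's reply concrete, here is an added example (not code from the thread or from the Snort project) that re-implements their matching logic in Python: the four byte_test checks on the DNS flags byte at payload offset 2, followed by the content match on the wire-format QNAME. The query packets are constructed inline; the flow:to_server and port 53 conditions are assumed to have been satisfied by the transport layer and are not emulated.

```python
import struct

# Constructed test input: a minimal DNS query, not captured traffic.
def build_dns_query(name: str, txid: int = 0x1234, flags: int = 0x0100) -> bytes:
    """Header (12 bytes) + QNAME as length-prefixed labels + QTYPE A / QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + wire_qname(name) + b"\x00" + struct.pack("!HH", 1, 1)


def wire_qname(name: str) -> bytes:
    """'800.sxzyong.com' -> b'\\x03800\\x07sxzyong\\x03com', i.e. the
    |03|800|07|sxzyong|03|com form used in the rule's content option."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))


def opcode_is_query(payload: bytes) -> bool:
    """Emulates byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2;
    byte_test:1,!&,8,2. Each test passes only when that bit of the byte at offset 2
    is clear; 64|32|16|8 are the OPCODE bits, so all four clear means opcode 0
    (a standard QUERY), which is what the rule restricts itself to."""
    if len(payload) < 3:
        return False  # too short for the byte_test offset; Snort would not match
    return all(not (payload[2] & mask) for mask in (64, 32, 16, 8))


def dns_blacklist_rule_matches(payload: bytes, domain: str) -> bool:
    """True when both the byte_test checks and the content match succeed."""
    return opcode_is_query(payload) and wire_qname(domain) in payload


if __name__ == "__main__":
    for name, flags in (("800.sxzyong.com", 0x0100),   # standard query: alert
                        ("800.sxzyong.com", 0x2800),   # opcode 5 (UPDATE): no alert
                        ("www.example.com", 0x0100)):  # unrelated name: no alert
        pkt = build_dns_query(name, flags=flags)
        print(name, hex(flags), dns_blacklist_rule_matches(pkt, "800.sxzyong.com"))
```

Because the content pattern has no trailing |00|, a query for a longer name that merely contains the labels (for example "x.800.sxzyong.com") also matches, which is usually the intended behaviour for a blacklist rule but is worth knowing when tuning false positives.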