Snort mailing list archives

Re: winhe800 trojan


From: Joel Esler <jesler () sourcefire com>
Date: Fri, 19 Aug 2011 14:01:56 -0400

Crusty,

This is a noisy one, so I put some thresholds in the icmp and udp based rules.

alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"BOTNET-CNC Trojan Win32.Yoddos.A outbound indicator"; itype:8; icode:0; content:"YYYYYYYYYYYYYYYYYYYYYYYYYYYY"; threshold:type both, track by_src, count 1, seconds 60; classtype:trojan-activity; reference:url,www.virustotal.com/file-scan/report.html?id=a7f97ed5c064b038279dbd02554c7e555d97f67b601b94bfc556a50a41dae137-1304614426;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"BOTNET-CNC Trojan Win32.Yoddos.A outbound connection"; dsize:210; content:"|ea ea ea ea ea ea ea ea ea ea ea ea ea ea ea ea ea ea ea|"; fast_pattern:only; threshold:type both, track by_src, count 1, seconds 60; classtype:trojan-activity; reference:url,www.virustotal.com/file-scan/report.html?id=a7f97ed5c064b038279dbd02554c7e555d97f67b601b94bfc556a50a41dae137-1304614426;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"BOTNET-CNC Trojan Win32.Yoddos.A outbound connection"; dsize:112; content:"|9c 9c 9c 9c 9c 9c 9c 9c 9c 9c 9c 9c 9c 9c 9c 9c 9c 9c 9c|"; fast_pattern:only; threshold:type both, track by_src, count 1, seconds 60; classtype:trojan-activity; reference:url,www.virustotal.com/file-scan/report.html?id=a7f97ed5c064b038279dbd02554c7e555d97f67b601b94bfc556a50a41dae137-1304614426;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain 800.sxzyong.com"; flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|800|07|sxzyong|03|com"; metadata:impact_flag red, service dns; reference:url,www.virustotal.com/file-scan/report.html?id=a7f97ed5c064b038279dbd02554c7e555d97f67b601b94bfc556a50a41dae137-1304614426; classtype:trojan-activity;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain 801.sxzyong.com"; flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|801|07|sxzyong|03|com"; metadata:impact_flag red, service dns; reference:url,www.virustotal.com/file-scan/report.html?id=a7f97ed5c064b038279dbd02554c7e555d97f67b601b94bfc556a50a41dae137-1304614426; classtype:trojan-activity;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain 802.sxzyong.com"; flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|802|07|sxzyong|03|com"; metadata:impact_flag red, service dns; reference:url,www.virustotal.com/file-scan/report.html?id=a7f97ed5c064b038279dbd02554c7e555d97f67b601b94bfc556a50a41dae137-1304614426; classtype:trojan-activity;)

We'll try and get these out in the next rule pack.

Joel
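The BLACKLIST DNS rules above combine four byte_test checks on the DNS flags byte (offset 2, masks 64/32/16/8, i.e. the opcode bits must all be clear, so only standard queries match) with a content match on the label-encoded QNAME. The following Python is an added illustration, not code from Joel's post or the Snort project: it derives the |len|label content string from a domain, builds a constructed sample DNS query, and replays the rule's byte_test and content logic against it.

```python
import struct

def snort_dns_content(domain: str) -> str:
    """Encode a domain in the length-prefixed label form the rule's content option matches."""
    labels = domain.strip(".").split(".")
    return "".join(f"|{len(label):02x}|{label}" for label in labels)

def snort_content_to_bytes(content: str) -> bytes:
    """Turn a Snort content string with |hex| segments into the raw bytes it matches."""
    out, in_hex = bytearray(), False
    for seg in content.split("|"):
        out += bytes.fromhex(seg) if in_hex else seg.encode()
        in_hex = not in_hex
    return bytes(out)

def build_dns_query(domain: str, txid: int = 0x1234, opcode: int = 0) -> bytes:
    """Constructed sample packet: 12-byte DNS header plus one A/IN question for `domain`.
    opcode 0 is a standard query; RD (0x0100) is set, QR is clear."""
    flags = ((opcode & 0xF) << 11) | 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in domain.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def byte_test_not_and(payload: bytes, size: int, mask: int, offset: int) -> bool:
    """Snort byte_test:<size>,!&,<mask>,<offset>: true when (value & mask) == 0."""
    value = int.from_bytes(payload[offset:offset + size], "big")
    return (value & mask) == 0

def rule_matches(payload: bytes, domain: str) -> bool:
    """Replay the rule body: opcode bits 0x40|0x20|0x10|0x08 of flags byte 2 clear,
    and the encoded domain present in the payload."""
    standard_query = all(byte_test_not_and(payload, 1, m, 2) for m in (64, 32, 16, 8))
    needle = snort_content_to_bytes(snort_dns_content(domain))
    return standard_query and needle in payload

if __name__ == "__main__":
    print(snort_dns_content("800.sxzyong.com"))
    print(rule_matches(build_dns_query("800.sxzyong.com"), "800.sxzyong.com"))
```

Note that the content match is a plain substring search, so a query for the bare 800.sxzyong.com and one for a longer name ending in those labels both match, while a query whose flags byte carries a non-zero opcode (e.g. an inverse query) is filtered out by the byte_test chain.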


On Aug 19, 2011, at 6:40 AM, Crusty Saint wrote:

Hi,

I've just come across a machine which has been repeatedly infected with a more or less recent Trojan recognisable by the winhe800.exe filename.

Little information exists and is not 100% consistent. Evidence was deleted by an overzealous admin, so I cannot simply try and build a custom rule for this.

Anyone out there having a resource or rule available for usage? I've found reference to a dropper but no useful sig in the ruleset(s). Also no useful result in threatexpert, virustotal or others.

No specific rule for winhe800.exe etc.

Resources 

(only works from webcache)
http://webcache.googleusercontent.com/search?q=cache:HvFwmWx3I2EJ:xml.ssdsandbox.net/view/bf7b927f7e737a49cb46c25a447fa254+winhe800+url&cd=3&hl=nl&ct=clnk&gl=nl&source=www.google.nl

http://home.mcafee.com/virusinfo/virusprofile.aspx?key=556848#none
http://vil.nai.com/vil/content/v_472810.htm

http://download.globalhauri.com/customer/security/virus_view.html?intSeq=2251&page=14&keyfield=&key=&SelectPart=
http://www.hauri.co.kr/customer/security/virus_view.html?intSeq=2251&page=12&keyfield=&key=&SelectPart=1


Best Regards,

S.C.

-- 
- - -
Security Engineer - Tags: Analyst Systems Security Linux Firewall Network Web Troubleshooting - If you think I 
deserve a rant, write me off-list

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
