Snort mailing list archives
Doing the KanKan
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 11 Oct 2013 16:43:56 -0600
Looks like it's gone down in usage, but didn't see anything in the current rulesets:

alert udp any any -> any 53 (msg:"MALWARE-OTHER Win32.KanKan stat server DNS lookup"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|kkyouxi|04|stat|06|kankan|03|com"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service dns, ruleset community; reference:url,www.welivesecurity.com/2013/10/11/win32kankan-chinese-drama; classtype:trojan-activity; sid:10000102; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win32.KanKan officeaddinupdate download"; flow:to_server,established; content:"|2f|officeaddinupdate.xml"; http_uri; fast_pattern:only; content:"Host:|20|update.kklm.n0808.com"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http, ruleset community; reference:url,www.welivesecurity.com/2013/10/11/win32kankan-chinese-drama; classtype:trojan-activity; sid:10000103; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win32.KanKan tools.ini download"; flow:to_server,established; content:"|2f|tools.ini"; http_uri; fast_pattern:only; content:"Host:|20|conf.kklm.n0808.com"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http, ruleset community; reference:url,www.welivesecurity.com/2013/10/11/win32kankan-chinese-drama; classtype:trojan-activity; sid:10000104; rev:1;)

From the link: "In this case the installer begins by contacting the hard-coded domain kkyouxi.stat.kankan.com to report the initiation of the installation." which doesn't tell me exactly how, or what URI, so I DNS'd it instead. Betting these won't be useful for long, but maybe it will help someone.

James
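The DNS rule above (sid 10000102) matches two things: the standard-query header bytes at offset 2 and the label-encoded qname. The following Python is an added example, not part of the post or the Snort ruleset; it renders a domain in the rule's |len|label content form and applies the rule's two content checks to a DNS query payload that is constructed inline (no capture).

```python
import struct

def snort_dns_label_content(domain: str) -> str:
    """Render a domain the way the rule's second content option spells it:
    each label prefixed by its length as a |hex| byte, e.g. |07|kkyouxi..."""
    return "".join(f"|{len(lbl):02x}|{lbl}" for lbl in domain.strip(".").split("."))

def encode_qname(domain: str) -> bytes:
    """Wire-format QNAME: length-prefixed labels terminated by a zero byte."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                   for lbl in domain.strip(".").split("."))
    return out + b"\x00"

def build_query(domain: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: a client's standard query (flags 0x0100, RD set),
    QDCOUNT=1, AN/NS/AR=0, question type A, class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(domain) + struct.pack(">HH", 1, 1)

# The rule's first content, bytes 2..11 of the DNS header: flags 0x0100, QDCOUNT 1,
# ANCOUNT/NSCOUNT/ARCOUNT 0. "offset:2; depth:10" pins it to exactly that window.
RULE_HEADER = bytes.fromhex("01000001000000000000")
# The rule's second content, the label-encoded stat-server name (case-sensitive,
# since the rule has no nocase modifier).
RULE_QNAME = b"\x07kkyouxi\x04stat\x06kankan\x03com"

def matches_kankan_dns_rule(payload: bytes) -> bool:
    """Apply sid 10000102's two content checks to one UDP/53 payload."""
    if payload[2:12] != RULE_HEADER:
        return False          # not a plain single-question client query
    return RULE_QNAME in payload  # no offset/depth: anywhere in the payload

if __name__ == "__main__":
    print(snort_dns_label_content("kkyouxi.stat.kankan.com"))
    print(matches_kankan_dns_rule(build_query("kkyouxi.stat.kankan.com")))
```

A response for the same name (flags 0x8180, ANCOUNT > 0) fails the header check, which is why the rule only fires on the client's outbound lookup.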