Snort mailing list archives
Re: Request assistance regarding VRT sig 1:27962 (MALWARE-CNC Win.Trojan.Storm botnet connection reset)
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 7 Oct 2013 14:53:29 -0400
On Oct 7, 2013, at 9:19 AM, nicenate () verizon net wrote:
Reply by Nathan to both Jeff and Joel: Joel, thanks so much for sharing VRT information, as "you all" are the best source for these things. Much appreciated, both the work on the rule sets, taking the time to share publicly information, and most specially in this time of transition for this once Sourcefire group continuing your public presence. THANKS!!
Thank you.
Been a user of snort and VRT for over a decade and visited a few of the Sourcefire presentations at the SANS. Was glad you all did not go to Israel; but for now ... not so sure.... Certainly hope that the work with Cisco proves valuable, useful and also specially that the work with snort and the excellent VRT rule sets is able to continue to "everyone's" mutual ... success!!!
More information will be coming very soon. We are excited about the future and the things that are going to come out of the acquisition. As I said, more information will be coming very soon.
About this issue: This rule alert is firing and we cannot figure out the what, why, etc. Joel: If I understand your comment correctly this rule is considered "still current" and also that your group believes this is at least often if not always the result of 'malware communications' because of current sandbox activity, correct?
Correct. A piece of malware, specifically this one: https://www.virustotal.com/en/file/D80754043A7A5C10D1B425403BAFCBDFCB014112F638635F4D3036444FFBB3A5/analysis/ came through our sandbox and exhibited these characteristics. We did not have coverage for this vector, so coverage was provided. So, yes, it's a new rule.
<snip>
We have not seen on the I any new information about what is causing the RST ACKs with this unusual and unique "reset cause" phrase. No attempt to hide here.... Can you share what this communication may be the result of?
See above.
Is it still thought of as part of the 'old' Storm P2P communications which "is still active"? Part of a newer P2P bot net? Or is this part of newer bot/trojan codes?
Investigation is always ongoing!

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
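The thread says the rule keys on RST/ACK segments that carry an unusual "reset cause" phrase in their data. The script below is an added triage example, not the VRT rule and not code from either poster: it parses raw IPv4/TCP segments and flags any RST that carries payload, so an analyst can pull the actual text out of a capture and compare it with what the rule matches. The packets are constructed inline, and the reset-cause string in the third one is a placeholder, not the phrase the rule looks for.

```python
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b""):
    """Build a minimal IPv4+TCP segment for the sample set.

    Checksums are left at zero; the parser below does not verify them,
    so this is enough to exercise the detection logic offline.
    """
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
        bytes(int(x) for x in src.split(".")),
        bytes(int(x) for x in dst.split(".")),
    )
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, flags, payload) or None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6 or len(pkt) < ihl + 20:      # protocol 6 == TCP
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[0:4])
    doff = (tcp[12] >> 4) * 4                   # TCP data offset in bytes
    flags = tcp[13]
    return src, dst, sport, dport, flags, tcp[doff:]


def find_rst_with_payload(packets):
    """Flag TCP segments that have RST set and also carry data.

    A bare RST/ACK is normal teardown noise; an RST that carries text is
    the thing worth reading, because that text is what a content rule
    such as the one discussed in the thread would be matching on.
    """
    hits = []
    for pkt in packets:
        parsed = parse_ipv4_tcp(pkt)
        if parsed is None:
            continue
        src, dst, sport, dport, flags, payload = parsed
        if flags & TCP_RST and payload:
            hits.append({
                "flow": f"{src}:{sport} -> {dst}:{dport}",
                "rst_ack": bool(flags & TCP_ACK),
                "payload": payload.decode("ascii", errors="replace"),
            })
    return hits


# Constructed sample traffic (not from the thread). Addresses and the
# reset-cause text are placeholders.
SAMPLE_PACKETS = [
    # 1. ordinary RST/ACK with no data: should not be flagged
    build_ipv4_tcp("192.0.2.10", "198.51.100.5", 80, 51234, TCP_RST | TCP_ACK),
    # 2. ordinary data segment: should not be flagged
    build_ipv4_tcp("198.51.100.5", "192.0.2.10", 51234, 80, TCP_PSH | TCP_ACK,
                   b"GET / HTTP/1.1\r\n\r\n"),
    # 3. RST/ACK carrying a reset-cause string: the case to inspect
    build_ipv4_tcp("192.0.2.10", "198.51.100.5", 80, 51234, TCP_RST | TCP_ACK,
                   b"RESET CAUSE: placeholder text (constructed sample)"),
]

if __name__ == "__main__":
    for hit in find_rst_with_payload(SAMPLE_PACKETS):
        print(hit)
```

RFC 1122 (section 4.2.2.12) allows an RST to carry text explaining the reset, so data-bearing RSTs are not malicious by definition; some middleboxes and servers emit them. That is why the rule matches a specific phrase rather than any RST with data, and why pulling the literal payload out of your own capture, as above, is the quickest way to confirm whether a hit is the malware traffic the VRT saw or an unrelated device that happens to explain its resets.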
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Request assistance regarding VRT sig 1:27962 (MALWARE-CNC Win.Trojan.Storm botnet connection reset) Mathewson, Nathan (Oct 04)
- Re: Request assistance regarding VRT sig 1:27962 (MALWARE-CNC Win.Trojan.Storm botnet connection reset) James Lay (Oct 04)
- <Possible follow-ups>
- Re: Request assistance regarding VRT sig 1:27962 (MALWARE-CNC Win.Trojan.Storm botnet connection reset) nicenate (Oct 07)
- Re: Request assistance regarding VRT sig 1:27962 (MALWARE-CNC Win.Trojan.Storm botnet connection reset) Joel Esler (Oct 07)