Snort mailing list archives
ZeroAccess Supernode
From: Andre DiMino <adimino () sempersecurus org>
Date: Fri, 30 May 2014 11:59:31 -0400
$dayjob has been receiving reports that a few of our hosts are acting as ZeroAccess 'supernodes'. Since we have a bunch of ZeroAccess rules enabled, I was wondering why I didn't see them fire. It seems that rule sid:23493; rev:5 will fire on outbound traffic particular to this ZeroAccess incident, however it won't fire on the inbound traffic.

alert udp $HOME_NET any -> $EXTERNAL_NET [16464,16465,16470,16471] (msg:"MALWARE-CNC Win.Trojan.ZeroAccess outbound communication"; flow:to_server; dsize:16; content:"|28 94 8D AB|"; depth:4; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.virustotal.com/file/50cdd9f6c5629630c8d8a3a4fe7d929d3c6463b2f9407d9a90703047e7db7ff9/analysis/; classtype:trojan-activity; sid:23493; rev:5;)

So I tweaked the rule as follows to allow for the alerting on inbound ZeroAccess:

# sid:1000001 is a placeholder in the local-rule range (1000000 and up); the posted rule omitted a sid, which Snort needs to load it
alert udp $EXTERNAL_NET any -> $HOME_NET [16464,16465,16470,16471] (msg:"ZeroAccess Supernode Inbound Traffic"; flow:to_server; dsize:16; content:"|28 94 8D AB|"; depth:4; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; sid:1000001; rev:1;)

I need to tweak thresholding a bit, but overall it has been working well in my limited tests.

Any thoughts or comments?

--
Andre' M. DiMino
DeepEnd Research
http://deependresearch.org
http://sempersecurus.org
"Make sure that nobody pays back wrong for wrong, but always try to be kind to each other and to everyone else" - 1 Thess 5:15 (NIV)
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
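The post's point is that the stock rule's header ($HOME_NET -> $EXTERNAL_NET) can never see the supernode side of the conversation, while the payload options (dsize:16; content:"|28 94 8D AB|"; offset:4; depth:4) are direction-agnostic. The following is an added example, not part of the post or of Snort: a hypothetical mini-matcher that models only the options these two rules use and runs both rules over constructed UDP datagrams, so the outbound-only behaviour and the effect of the flipped header can be checked offline. HOME_NET, the 16-byte payload and all addresses are constructed for the example.

```python
"""Offline check of the two ZeroAccess UDP rules from the post.

Hypothetical mini-matcher (added example, not Snort): it models only the
rule header direction, destination port list, dsize, and one content match
with offset/depth, which is all the two posted rules use.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed for the example: the post does not state its HOME_NET.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
ZA_PORTS = frozenset({16464, 16465, 16470, 16471})


def parse_snort_hex(content: str) -> bytes:
    """Convert a Snort content string such as '|28 94 8D AB|' to bytes.
    Text outside pipes is literal; hex inside pipes may contain spaces."""
    out = bytearray()
    for piece in re.split(r"(\|[^|]*\|)", content):
        if piece.startswith("|"):
            out += bytes.fromhex(piece.strip("|"))
        else:
            out += piece.encode("latin-1")
    return bytes(out)


@dataclass(frozen=True)
class Rule:
    msg: str
    home_is_source: bool  # True models $HOME_NET -> $EXTERNAL_NET, False the reverse
    dst_ports: frozenset
    dsize: int            # exact UDP payload length
    content: bytes
    offset: int           # start searching at this payload byte
    depth: int            # and look at this many bytes from the offset


@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    dport: int
    payload: bytes


def in_home(addr: str) -> bool:
    return ipaddress.ip_address(addr) in HOME_NET


def matches(rule: Rule, d: Datagram) -> bool:
    """Apply the rule header and the three payload options used by both rules."""
    direction_ok = (in_home(d.src) == rule.home_is_source
                    and in_home(d.dst) != rule.home_is_source)
    if not direction_ok or d.dport not in rule.dst_ports:
        return False
    if len(d.payload) != rule.dsize:
        return False
    # Snort counts depth from the offset, so this is the [4:8] window here.
    window = d.payload[rule.offset:rule.offset + rule.depth]
    return rule.content in window


MAGIC = parse_snort_hex("|28 94 8D AB|")

# The two rules from the post, reduced to the options the matcher models.
ORIGINAL = Rule("MALWARE-CNC Win.Trojan.ZeroAccess outbound communication",
                True, ZA_PORTS, 16, MAGIC, 4, 4)
TWEAKED = Rule("ZeroAccess Supernode Inbound Traffic",
               False, ZA_PORTS, 16, MAGIC, 4, 4)
RULES = (ORIGINAL, TWEAKED)

# Constructed 16-byte payload: four zero bytes, the magic, eight zero bytes.
ZA_PAYLOAD = bytes(4) + MAGIC + bytes(8)

# Constructed datagrams; external addresses come from documentation ranges.
OUTBOUND = Datagram("10.1.2.3", "203.0.113.5", 16464, ZA_PAYLOAD)
INBOUND = Datagram("198.51.100.9", "10.1.2.3", 16471, ZA_PAYLOAD)
INBOUND_WRONG_PORT = Datagram("198.51.100.9", "10.1.2.3", 53, ZA_PAYLOAD)
INBOUND_WRONG_SIZE = Datagram("198.51.100.9", "10.1.2.3", 16464, ZA_PAYLOAD + b"\x00")


def fired(d: Datagram) -> list:
    """Return the msg of every rule that would alert on the datagram."""
    return [r.msg for r in RULES if matches(r, d)]


if __name__ == "__main__":
    for name, d in [("outbound", OUTBOUND), ("inbound", INBOUND),
                    ("inbound/wrong port", INBOUND_WRONG_PORT),
                    ("inbound/17 bytes", INBOUND_WRONG_SIZE)]:
        print(f"{name:20} -> {fired(d) or 'no alert'}")
```

Running it shows the stock rule alerting only on the outbound datagram and the flipped copy only on the inbound one, while a wrong port or a 17-byte payload silences both; the dsize check is what keeps the four-byte match from firing on unrelated traffic that happens to carry the same bytes at offset 4.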
Current thread:
- ZeroAccess Supernode Andre DiMino (May 30)
- Re: ZeroAccess Supernode Carlos Pacho (Jun 02)
- Re: ZeroAccess Supernode Andre DiMino (Jun 02)
- Re: ZeroAccess Supernode Andre DiMino (Jun 05)
- Re: ZeroAccess Supernode Joel Esler (jesler) (Jun 05)
- Re: ZeroAccess Supernode Carlos Pacho (Jun 02)