Snort mailing list archives

Doing the KanKan


From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 11 Oct 2013 16:43:56 -0600

Looks like it's gone down in usage, but didn't see anything in the 
current rulesets:

alert udp any any -> any 53 (msg:"MALWARE-OTHER Win32.KanKan stat server DNS lookup"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|kkyouxi|04|stat|06|kankan|03|com"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service dns, ruleset community; reference:url,www.welivesecurity.com/2013/10/11/win32kankan-chinese-drama; classtype:trojan-activity; sid:10000102; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win32.KanKan officeaddinupdate download"; flow:to_server,established; content:"|2f|officeaddinupdate.xml"; http_uri; fast_pattern:only; content:"Host:|20|update.kklm.n0808.com"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http, ruleset community; reference:url,www.welivesecurity.com/2013/10/11/win32kankan-chinese-drama; classtype:trojan-activity; sid:10000103; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win32.KanKan tools.ini download"; flow:to_server,established; content:"|2f|tools.ini"; http_uri; fast_pattern:only; content:"Host:|20|conf.kklm.n0808.com"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http, ruleset community; reference:url,www.welivesecurity.com/2013/10/11/win32kankan-chinese-drama; classtype:trojan-activity; sid:10000104; rev:1;)

From the link: "In this case the installer begins by contacting the 
hard-coded domain kkyouxi.stat.kankan.com to report the initiation of 
the installation." That doesn't tell me exactly how, or what URI, so I 
DNS'd it instead. Betting these won't be useful for long, but maybe it 
will help someone.

James
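An added example in Python (not from James's post or from the Snort project): it builds a DNS query in wire format the way a stub resolver would send it, then applies the two content checks of the sid:10000102 rule above. It shows why the hostname appears in the rule as length-prefixed labels rather than dotted text, and, as a caveat on coverage, that the fixed header pattern at offset 2 only fires on a plain query with RD set and no additional records, so a query carrying an EDNS OPT record (ARCOUNT=1) or the AD bit in its flags goes unmatched. The transaction ID and the OPT payload size are constructed values.

```python
import struct

# Bytes 2..11 of a plain UDP DNS query: flags 0x0100 (standard query, RD set),
# QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0. This is the rule's first content
# match, "|01 00 00 01 00 00 00 00 00 00|" with depth:10; offset:2.
RULE_HEADER = bytes.fromhex("01000001000000000000")


def encode_labels(name: str) -> bytes:
    """DNS label encoding: each label becomes a length byte followed by the label text."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out


# The rule's second content match, "|07|kkyouxi|04|stat|06|kankan|03|com",
# is exactly the label encoding of the hard-coded domain (no root terminator).
RULE_QNAME = encode_labels("kkyouxi.stat.kankan.com")


def build_query(name: str, txid: int = 0x1234, flags: int = 0x0100, edns: bool = False) -> bytes:
    """Constructed DNS query for an A record; edns=True appends an OPT RR, so ARCOUNT=1."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_labels(name) + b"\x00" + struct.pack("!HH", 1, 1)  # root, QTYPE=A, QCLASS=IN
    # OPT RR: empty name, TYPE=41, CLASS=UDP payload size, TTL=ext flags, RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0) if edns else b""
    return header + question + opt


def rule_matches(payload: bytes) -> bool:
    """Mirror sid:10000102: 10-byte pattern at offset 2 within depth 10, then the QNAME anywhere."""
    if payload[2:12] != RULE_HEADER:  # offset:2; depth:10 pins the pattern to bytes 2..11
        return False
    return RULE_QNAME in payload
```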

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org