Snort mailing list archives

Re: Request assistance regarding VRT sig 1:27962 (MALWARE-CNC Win.Trojan.Storm botnet connection reset)


From: nicenate () verizon net
Date: Mon, 07 Oct 2013 08:19:07 -0500 (CDT)

Reply by Nathan to both Jeff and Joel:

Joel, thanks so much for sharing VRT information, as "you all" are the best source for these things.  Much appreciated, 
both the work on the rule sets, taking the time to share information publicly, and most specially in this time of 
transition for this once Sourcefire group continuing your public presence.  THANKS!!  

Been a user of snort and VRT for over a decade and visited a few of the Sourcefire presentations at the SANS.  Was glad 
you all did not go to Israel; but for now ... not so sure....  

Certainly hope that the work with Cisco proves valuable, useful and also specially that the work with snort and the 
excellent VRT rule sets is able to continue to "everyone's" mutual ... success!!!

About this issue:  This rule alert is firing and we cannot figure out the what, why, etc.

Joel:  If I understand your comment correctly this rule is considered "still current" and also that your group believes 
this is at least often if not always the result of 'malware communications' because of current sandbox activity, 
correct?  

I can attest that we are seeing this rule firing on a few new machines, ... often.   

Reason we thought this was a "new rule" or at least just re-inserted into the 9/24 rule set:  We have not noticed this 
rule firing over the last several months, and rule set comments stated this was a "new rule".  We are running the Onion 
on a few parts of our LAN.  Because we do not keep a record of the old rule sets going back more than two versions, and 
since we see this rule firing now, and we had not seen these alerts before, we felt this was perhaps a re-worked "old 
rule" just re-inserted into the rule set.

We have not seen on the I any new information about what is causing the RST ACKs with this unusual and unique "reset 
cause" phrase.  No attempt to hide here....

Can you share what this communication may be the result of?

Is it still thought of as part of the 'old' Storm P2P communications which "is still active"?

Part of a newer P2P bot net?

Or is this part of newer bot/trojan codes?

I am part of a small enterprise security team and you most certainly can email me directly if privacy issues might be 
served.  So far AV type scans from multiple products are not revealing much for the machines which have had this 
activity.

Most sincerely appreciate everyone's assistance.

Nathan

On 10/07/13, Joel Esler wrote:

Actually, no. This rule came out of our sandbox running binaries. 

Sent from my iPhone

On Oct 6, 2013, at 11:41 PM, Jeff Kell <jeff-kell () utc edu> wrote:

On 10/6/2013 11:37 PM, Joel Esler wrote:

On Oct 4, 2013, at 11:37 PM, nicenate () verizon net wrote:

In the case of this rule we just have not seen any current discussion for this rule. We are asking here if anyone 
knows more about why this rule has been placed back into the VRT snort rule set.

Thank you for asking. This wasn't "placed back" into the ruleset, it seems as if we didn't cover this particular 
piece of the traffic to begin with, so while the references are from 2008, it's still a relevant rule.

Got to cover those test suites :) Useless otherwise, but makes the test
suite results look better :)

Jeff
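The thread above is the usual triage situation for a signature like SID 27962: the rule fires, the AV products find nothing, and the first question is which LAN hosts are involved, how often, since when, and with which remote endpoints. The script below is an added example, not code from the thread or from the Snort project. It parses lines in Snort's single-line "fast" alert output format and groups the hits for one SID by the LAN host, whichever side of the connection the rule matched on (the rule name says "connection reset", so the matching packet may travel in either direction). The sample alert lines, their addresses, ports, timestamps and the rule revision ":1" are constructed; only SID 27962 and its message text come from the thread, and the LAN prefix 10.20.30.0/24 is an assumption you would replace with your own.

```python
"""Triage helper: which LAN hosts are triggering a given Snort SID?

Added example (not part of the mailing-list thread). Parses Snort "fast"
format alert lines and groups matches for one SID by the LAN host involved.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample alerts (addresses, ports, timestamps and the revision
# ":1" are made up; SID 27962 and its message come from the thread). The
# third line is a different SID and must be ignored by the summary.
SAMPLE_ALERTS = """\
10/04-23:12:07.118201  [**] [1:27962:1] MALWARE-CNC Win.Trojan.Storm botnet connection reset [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 10.20.30.41:49832 -> 203.0.113.7:80
10/04-23:12:09.552310  [**] [1:27962:1] MALWARE-CNC Win.Trojan.Storm botnet connection reset [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 10.20.30.41:49833 -> 198.51.100.23:443
10/05-01:02:44.003944  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.9:80 -> 10.20.30.52:51022
10/05-08:17:30.771002  [**] [1:27962:1] MALWARE-CNC Win.Trojan.Storm botnet connection reset [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 10.20.30.52:50011 -> 203.0.113.7:80
10/06-14:40:12.109877  [**] [1:27962:1] MALWARE-CNC Win.Trojan.Storm botnet connection reset [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 203.0.113.9:80 -> 10.20.30.41:49900
"""

# Snort fast format: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]"
# IPv4 only here; ports are optional because ICMP alerts carry none.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?$"
)


def parse_fast_line(line):
    """Return the fields of one fast-format line as a dict, or None if it does not parse."""
    m = FAST_RE.match(line.strip())
    return m.groupdict() if m else None


def lan_endpoint(alert, lan_nets):
    """Return (lan_ip, remote_endpoint) for an alert, or None if neither side is on the LAN.

    Checks the source first, then the destination, so the LAN host is found
    regardless of which direction the matching packet travelled.
    """
    candidates = (
        (alert["src"], alert["dst"], alert["dport"]),
        (alert["dst"], alert["src"], alert["sport"]),
    )
    for me, peer, peer_port in candidates:
        if any(ip_address(me) in net for net in lan_nets):
            return me, f"{peer}:{peer_port}" if peer_port else peer
    return None


def summarize_sid(lines, sid, lan_cidrs):
    """Group alerts for one SID by LAN host: count, first/last seen, remote peers.

    Fast-format timestamps carry no year, so first/last are compared as strings,
    which sorts correctly within a single year of logs.
    """
    lan_nets = [ip_network(c) for c in lan_cidrs]
    summary = {}
    for line in lines:
        alert = parse_fast_line(line)
        if alert is None or alert["sid"] != str(sid):
            continue
        hit = lan_endpoint(alert, lan_nets)
        if hit is None:
            continue
        host, remote = hit
        entry = summary.setdefault(
            host, {"count": 0, "first_seen": alert["ts"], "last_seen": alert["ts"], "peers": set()}
        )
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], alert["ts"])
        entry["last_seen"] = max(entry["last_seen"], alert["ts"])
        entry["peers"].add(remote)
    return summary


def new_hosts(summary, previously_seen):
    """LAN hosts in the summary that were not in an earlier list of known hitters."""
    return sorted(set(summary) - set(previously_seen))


if __name__ == "__main__":
    report = summarize_sid(SAMPLE_ALERTS.splitlines(), 27962, ["10.20.30.0/24"])
    for host, e in sorted(report.items()):
        print(f"{host}: {e['count']} hits, {e['first_seen']} .. {e['last_seen']}, peers={sorted(e['peers'])}")
    print("not seen before:", new_hosts(report, ["10.20.30.41"]))
```

In practice you would feed it the sensor's alert file (`summarize_sid(open("/var/log/snort/alert").readlines(), 27962, [...])`) and keep the previous run's host list to spot the "new machines" the thread mentions; the remote-peer set is what you would compare across hosts before deciding whether the resets come from one shared endpoint or from many.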


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
