Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: no documentation about some rules

From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Fri, 29 Aug 2014 12:43:03 +0000
On Aug 29, 2014, at 5:21 AM, Maurizio Di Pietro (Esterna) <m.dipietro () resi it> wrote:


I looking for on virustotal also,  for example the event 23493 (Win.trojan.zeroAccess) but I’d like understand why 
the rule searches the 4 bytes (28,94,8d,ab) from fifth to eighth byte
I didn’t understand the rule. Does the malware contact the C&C by UDP on port 16464 and send these bytes?


Yes.  16464 is just one of the four ports that Zeroaccess communicates with it’s P2P network on:
[16464,16465,16470,16471]




Why?


It’s an XOR’ed “getL” command, the command to update it’s internal P2P list.  The value is static.


What does it work? This is very important to understand if is a false positive


We’ve never seen a false positive from Zeroaccess rules.  If you have a machine in HOME_NET that is exhibiting this 
traffic, you’re infected.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos



------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: