[Emerging-Sigs] FP in 2007591 (Win32 Agent.ALT C&C Checkin)
Jack Pepper
pepperjack at afferentsecurity.com
Fri Feb 29 14:28:35 EST 2008
Quoting Jonathan Scheidell <jscheidell at secnap.net>:
> As luck would have it I got another FP on this signature just now with a
> local client going to fedex.com
>
> Payload was "|00 01 00 00 02 02 44 01 00 3B|", which happens to be the same
> payload as the other FP from this morning which occurred in a different
> network and to a different web address... Does anyone recognize this
> particular payload as "normal web traffic"?
I have found that 2007591 targets the tracking BHO from revenue
science quite accurately. Not the original reason for the rule of
course, but it works.
In each of these cases, the packet is marked by the distinctive
"Revenue Science" heartbeat acknowledgement packet:
50 bytes.
ends in 003b.
contains the ack flag "0000 0001 0000 0202 4401" at offset byte 39.
I have a whole analysis of the revsci BHO if anyone cares. It's quite
clever and well built. The issue of whether it's malware or not is
right in there with politics and religion.
For example:
http://www.kctv5.com/index.html. There are advertisers all over that page.
This is as we would expect, since kctv5 is a TV station, they make
their living by selling advertising. They would obviously be a normal
client for Revenue Science, to make sure they get paid for click
throughs to their advertising partners.
To examine the installer code and the actual BHO code you can download
the obfuscated JS code from:
http://js.revsci.net/gateway/gw.js?csid=C05503
jp
>
>
>
> On 2/29/08 11:18 AM, "Jonathan Scheidell" <jscheidell at secnap.net> wrote:
>
>> Current content looks for "|00 01|" but reference refers to content as being
>> "|00 01 e4 8a 1a|" (for the 10 byte payload).
>> http://doc.emergingthreats.net/bin/view/Main/Win32AgentALT
>>
>> FP we got had content of "|00 01 00 00 02 02 44 01 00 3B|" with a
>> payload size
>> of 10 bytes total.
>>
>> Maybe enhance the current SID content match from "|00 01|", to "|00 01 e4 8a
>> 1a|", which I think is the payload for the actual virus when it has a 10byte
>> payload.
>>
>> This would also affect the following SIDs:
>> 2007588 (change "|00 02|" to "|00 02 5e 3b 5a 86 b9 05|")
>> 2007589 (change "|00 03|" to "|00 03 b9 70 cb 70|")
>> 2007590 (change "|00 04|" to "|00 04 0f 9a|")
>>
>> Thoughts?
>
>
>
> --
> Jon Scheidell
> Manager Operations and Support
> SECNAP Network Security
> Winner, Technosium 2008 Hot Companies Award
> Office: (561) 999-5000 x:1264
> Direct: (561) 939-7264
> www.secnap.com
>
>
>
>
--
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com
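The thread turns on two byte-level checks: the content match each SID uses today versus the longer match Jon proposes, and the shape of the Revenue Science heartbeat acknowledgement Jack describes (50 bytes, ends in 00 3b, ack flag at "offset byte 39"). The following is an added example, not code from this thread or from the Emerging Threats ruleset, that puts both checks into plain Python so the false positive can be reproduced offline. All byte values are copied from the thread; the 40-byte zero-filled header and the assumption that the content match is anchored at the start of the payload are constructed for the example, and "offset byte 39" is read as counting from 1, which is the only reading under which a 10-byte flag, the trailing 00 3b and a 50-byte packet line up exactly.

```python
# Added example (not code from the Emerging-Sigs thread or the Emerging
# Threats ruleset): reproduces the content checks discussed in the thread.

# Payload bytes quoted in Jon Scheidell's false-positive report.
FP_PAYLOAD = bytes.fromhex("0001000002024401003b")

# Per SID: the loose content match used now, and the longer match proposed
# in the thread (both copied from the thread).
CONTENT_MATCHES = {
    2007591: (bytes.fromhex("0001"), bytes.fromhex("0001e48a1a")),
    2007588: (bytes.fromhex("0002"), bytes.fromhex("00025e3b5a86b905")),
    2007589: (bytes.fromhex("0003"), bytes.fromhex("0003b970cb70")),
    2007590: (bytes.fromhex("0004"), bytes.fromhex("00040f9a")),
}

# Revenue Science heartbeat acknowledgement as Jack Pepper describes it:
# 50 bytes on the wire, ends in 00 3b, ack flag at "offset byte 39".
# Assumption: the offset counts from 1 (0-based index 38); that is the only
# reading under which the 10-byte flag, the 00 3b trailer and the 50-byte
# total fit exactly.
REVSCI_ACK_FLAG = bytes.fromhex("00000001000002024401")
REVSCI_ACK_OFFSET = 39 - 1
REVSCI_PACKET_LEN = 50
REVSCI_TRAILER = bytes.fromhex("003b")


def sid_matches(sid, payload, tightened=False):
    """True if the SID's content match (loose, or the proposed tightened
    one) hits the TCP payload. Assumption: the match is anchored at the
    start of the payload; the thread does not show the rule's offset/depth."""
    loose, tight = CONTENT_MATCHES[sid]
    needle = tight if tightened else loose
    return payload.startswith(needle)


def is_revsci_heartbeat_ack(packet):
    """True if a raw packet (IP header onward) has the heartbeat-ack shape
    from the thread: exact length, 00 3b trailer, ack flag at the offset."""
    if len(packet) != REVSCI_PACKET_LEN:
        return False
    if not packet.endswith(REVSCI_TRAILER):
        return False
    window = packet[REVSCI_ACK_OFFSET:REVSCI_ACK_OFFSET + len(REVSCI_ACK_FLAG)]
    return window == REVSCI_ACK_FLAG


def build_sample_ack_packet(payload=FP_PAYLOAD):
    """Constructed sample packet: 40 zero bytes stand in for the IPv4 and
    TCP headers (the thread gives no header bytes), then the 10-byte
    payload. With these sizes the flag at index 38 spans the two-byte TCP
    urgent pointer plus the first eight payload bytes."""
    headers = bytes(40)
    return headers + payload


def triage(payload):
    """For each SID, report whether the loose and tightened matches fire."""
    return {
        sid: {
            "loose": sid_matches(sid, payload),
            "tightened": sid_matches(sid, payload, tightened=True),
        }
        for sid in sorted(CONTENT_MATCHES)
    }


if __name__ == "__main__":
    sample = build_sample_ack_packet()
    print("RevSci heartbeat-ack shape:", is_revsci_heartbeat_ack(sample))
    for sid, result in triage(FP_PAYLOAD).items():
        print(sid, result)
```

Run as a script, the output shows the reported payload fires the loose `|00 01|` match for 2007591 but not the proposed `|00 01 e4 8a 1a|` match, and that the constructed 50-byte packet satisfies Jack's heartbeat-ack fingerprint; swapping in other captured payloads is a quick way to test whether a tightened match would still catch them.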