[Emerging-Sigs] 195.93.218.57 (fullspace.cc)
Matt Jonkman
jonkman at jonkmans.com
Thu Jul 10 10:21:29 EDT 2008
Those are good. I think it's useful to get specific on these past the
user-agent. Helps ID the specific malware.
Thanks Philipp! Posting now.
Matt
Philipp Bescht wrote:
> Hi,
>
> Requests to this host are hitting sids 2006387 2003585 (Suspicious
> User-Agent) already, because:
> User-Agent: Windows Updates Manager|3.19|5|1|2600|2|
>
> The Request URIs look like this:
>
> /config.php?ver=3&uid=4y56Htkqh41mak2&action=newuser&ras=0&verfull=3.19
> /register.php?id=xDPnKtBWAWFdGKa&port=10639&connect=network&ver=19&intip=192.168.1.244&bid=4y56Htkqh41mak2
> /cgi-bin/register.cgi?id=xDPnKtBWAWFdGKa&port=10639&connect=network&ver=19&country=DE&intip=192.168.1.244
>
> Those are the only references I have (from one infection), but a Google
> search revealed that this host is already known to emergingthreats
> (sandnet):
> http://www.malwaredomains.com/updates/200804
> Updates/domains.20080401.txt
>
> So far I have the following signatures, not knowing much about the
> parameters/values:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"fullspace.cc
> checkin (1)"; flow:established,to_server;
> uricontent:"/config.php?ver="; nocase; uricontent:"&uid="; nocase;
> uricontent:"&action="; nocase; uricontent:"&ras="; nocase;
> uricontent:"&verfull="; nocase; classtype:trojan-activity; sid:2009960;
> rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"fullspace.cc checkin (2)"; flow:established,to_server;
> uricontent:"/register."; nocase; uricontent:"?id="; nocase;
> uricontent:"&port="; nocase; uricontent:"&connect="; nocase;
> uricontent:"&ver="; nocase; uricontent:"ip="; nocase;
> classtype:trojan-activity; sid:2009961; rev:1;)
>
> Is it ok to check for this specifically, or is it enough that the
> user-agent triggers a rule already?
> Are these signatures too weak (especially the second)?
> Does anyone know more about the parameters and values (i.e., does $connect
> always have the value 'network'? If there is $intip, does $extip also exist?
> etc.)?
>
> Regards,
> Philipp
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
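An added example, not code from the thread: a minimal re-implementation of the uricontent/nocase matching used by the two proposed sids, run over the three request URIs from the post plus a constructed benign registration request, to show which rule each URI triggers and which query parameter names each check-in carries.

```python
from urllib.parse import parse_qs, urlsplit

# uricontent clauses of the two proposed rules, as posted (sid -> clauses)
RULES = {
    2009960: ["/config.php?ver=", "&uid=", "&action=", "&ras=", "&verfull="],
    2009961: ["/register.", "?id=", "&port=", "&connect=", "&ver=", "ip="],
}

# The three request URIs quoted in the post
CHECKIN_URIS = [
    "/config.php?ver=3&uid=4y56Htkqh41mak2&action=newuser&ras=0&verfull=3.19",
    "/register.php?id=xDPnKtBWAWFdGKa&port=10639&connect=network&ver=19"
    "&intip=192.168.1.244&bid=4y56Htkqh41mak2",
    "/cgi-bin/register.cgi?id=xDPnKtBWAWFdGKa&port=10639&connect=network"
    "&ver=19&country=DE&intip=192.168.1.244",
]

# Constructed (not from the post): a request to an ordinary registration page
BENIGN_URI = "/register.php?id=42&connect=network"


def rule_matches(uri: str, clauses: list[str]) -> bool:
    """Snort 'uricontent' with 'nocase' on every clause: each substring
    must occur somewhere in the URI, case-insensitively, in any order."""
    u = uri.lower()
    return all(c.lower() in u for c in clauses)


def matching_sids(uri: str) -> list[int]:
    """Return the sids of all proposed rules that fire on this URI."""
    return sorted(sid for sid, clauses in RULES.items() if rule_matches(uri, clauses))


def query_params(uri: str) -> dict[str, str]:
    """Flatten the query string to name -> value so the parameter names
    seen in each check-in can be compared across samples."""
    return {k: v[0] for k, v in parse_qs(urlsplit(uri).query).items()}


if __name__ == "__main__":
    for uri in CHECKIN_URIS + [BENIGN_URI]:
        print(matching_sids(uri), sorted(query_params(uri)), uri)
```

Both /register.php and /cgi-bin/register.cgi satisfy sid 2009961 because "/register." and "ip=" (via intip=) are present in each, while the benign request fails on the missing &port=, &ver= and ip= clauses.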