[Emerging-Sigs] UPS_Lieferschein.exe (Obitel) -> fixaserver.ru
Matt Jonkman
jonkman at jonkmans.com
Mon Jul 14 10:02:26 EDT 2008
Very nice sig. I think that's reliable enough to go straight into the
main trojan ruleset.
Good catch Philipp!
matt
Philipp Bescht wrote:
> Hi,
>
> recent spam mails, targeting German-speaking people mostly, are offering
> a malicious binary which - upon successful infection - makes the
> following (first) HTTP request:
>
> GET /ldr/gate.php?hash=68acd724
> User-Agent: ie
> Host: fixaserver.ru
>
> The User-Agent string is detected by sid 2007827.
> In response to the above request, the infected host is redirected to
> aetopoulos.de, downloading the files 1.exe and 2.exe.
> If necessary, I propose the following signature for a more specific
> detection of the initial request:
>
> #ref: 6b4ef50e3e21205685cea919ebf93476
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"ET CURRENT_EVENTS Obitel trojan calling home";
> flow:established,to_server; uricontent:"/gate.php?hash="; nocase;
> content:"|0d 0a|User-Agent\: ie|0d 0a|";
> reference:url,www.abuse.ch/?p=143; classtype:trojan-activity;
> sid:2008402; rev:1;)
>
> For a more significant msg-value, here are the names used by AV vendors:
> http://www.virustotal.com/de/analisis/494735a1eabb06fb728aaa3481740eaa
> On http://www.abuse.ch/?p=143 this is called 'wsnpoem'.
>
> Regards,
> Philipp
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
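Added example, not part of either message above: a plain-Python replay of the two match conditions in Philipp's proposed rule (uricontent "/gate.php?hash=" with nocase, and the exact header line "User-Agent: ie" bracketed by CRLF) against constructed HTTP requests. Only the first sample mimics the request quoted in the post; the others are invented to show what the rule does and does not fire on, in particular that the UA-only sid 2007827 would still catch a beacon to a different path, and that the |0d 0a| after "ie" keeps longer agents such as "ie7" from matching. This approximates Snort's semantics (flow:established,to_server and URI normalisation are not modelled) and is not Snort itself.

```python
"""Replay of the proposed 'Obitel trojan calling home' rule's content
conditions against constructed HTTP requests.

Added example, not from the emerging-sigs post. The request bytes below
are constructed; the matching is a plain-Python approximation of Snort's
uricontent/content options, not Snort.
"""

import re

# Constructed request bytes. Only "beacon" mimics the request in the post.
REQUESTS = {
    "beacon": (
        b"GET /ldr/gate.php?hash=68acd724 HTTP/1.1\r\n"
        b"User-Agent: ie\r\n"
        b"Host: fixaserver.ru\r\n\r\n"
    ),
    # Same UA, different URI: the UA-only sid would fire, this rule would not.
    "ua_only": (
        b"GET /index.html HTTP/1.1\r\n"
        b"User-Agent: ie\r\n"
        b"Host: example.invalid\r\n\r\n"
    ),
    # Right URI, browser-like UA: not this rule.
    "uri_only": (
        b"GET /ldr/gate.php?hash=00000000 HTTP/1.1\r\n"
        b"User-Agent: Mozilla/5.0\r\n"
        b"Host: example.invalid\r\n\r\n"
    ),
    # "ie" as a prefix of a longer agent: the trailing |0d 0a| rules it out.
    "ua_prefix": (
        b"GET /ldr/gate.php?hash=68acd724 HTTP/1.1\r\n"
        b"User-Agent: ie7\r\n"
        b"Host: example.invalid\r\n\r\n"
    ),
    # nocase applies to the uricontent option, so GATE.PHP still matches.
    "uri_case": (
        b"GET /ldr/GATE.PHP?HASH=68acd724 HTTP/1.1\r\n"
        b"User-Agent: ie\r\n"
        b"Host: example.invalid\r\n\r\n"
    ),
}

REQUEST_LINE = re.compile(rb"^[A-Z]+ (\S+) HTTP/1\.[01]\r\n")


def uri_matches(request: bytes) -> bool:
    r"""uricontent:"/gate.php?hash="; nocase;
    Case-insensitive substring match on the request URI only."""
    m = REQUEST_LINE.match(request)
    if not m:
        return False
    return b"/gate.php?hash=" in m.group(1).lower()


def ua_matches(request: bytes) -> bool:
    r"""content:"|0d 0a|User-Agent\: ie|0d 0a|";
    No nocase here, so the header line must match byte for byte, and the
    CRLF on both sides pins the agent string to exactly "ie"."""
    return b"\r\nUser-Agent: ie\r\n" in request


def rule_fires(request: bytes) -> bool:
    """All options in a Snort rule must hold, so the two checks are ANDed."""
    return uri_matches(request) and ua_matches(request)


def classify(requests=REQUESTS) -> dict:
    """Map each sample name to whether the rule would alert on it."""
    return {name: rule_fires(req) for name, req in requests.items()}


if __name__ == "__main__":
    for name, fired in classify().items():
        print(f"{name:10s} -> {'ALERT' if fired else 'no alert'}")
```

Running the block prints one line per sample; only "beacon" and "uri_case" alert, which is the point of pairing the URI check with the exact UA line rather than relying on the UA alone.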