[Emerging-Sigs] 17PHolmes.cmt

Darren Spruell phatbuckett at gmail.com
Wed Jul 30 19:09:02 EDT 2008


On Wed, Jul 9, 2008 at 12:45 PM, Matt Jonkman <jonkman at jonkmans.com> wrote:
>
> Philipp Bescht wrote:
>> now i can think of two variants to check for this and would like to know
>> your opinion on what is best:
>>
>> alert tcp $HOME_NET any -> 206.251.244.226 $HTTP_PORTS
>> (msg:"Trojan-Downloader.Win32.Homles.br download";
>> flow:established,to_server; uricontent:"/17PHolmes.cmt";
>> classtype:trojan-activity; sid:2009962; rev:1;)
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
>> (msg:"Trojan-Downloader.Win32.Homles.br download";
>> flow:established,to_server; uricontent:"/17PHolmes.cmt"; content:"|0d
>> 0a|Host\: "; within: 15; content:"wrs.mcboo.com|0d 0a|"; nocase;
>> classtype:trojan-activity; sid:2009962; rev:1;)
>>
>> what would you prefer? or is there even a better way?
>
> I think the first is better. But considering the amount of crap we see
> from mcboo.com it might be worth just a sig for ANYTHING mcboo.com :)
>
> But I'll post the first version in case other domains are in use. Will
> put it into current events.

Thanks for the sigs. :)  We've seen a few instances lately. Aside from
the initial download, we've got what appears to be downloader and or
checkins to a couple of scripts:

# ack.php, only observed once
b152.mcboo.com HTTP/1.1 2414 328 GET
Mozilla/4.0%20(compatible;%20MSIE%206.0;%20Windows%20NT%205.1;%20SV1;%20InfoPath.1)
http://b152.mcboo.com/ack.php?uid=C86D546F-0724-1033-1218-061806002c&version=16&actionname=_regcheck&action=CheckBundle%2E152&success=true&debug=mjc&nocache=531

# retadpu.php, many occurrences
wr.mcboo.com HTTP/1.1 2414 372 GET
http://wr.mcboo.com/retadpu.php?&version=88&configversion=2&GUID=398A19E5B68626144486385170FD0CE3C6832B0F3399395E6FF917E3C2832212339B385401B4&cmd=61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C88332017491394662EA4EBF968951185EFC412806867680AEDE604D64C2661377FE13FD97CB77&p=1&i=,:83,:83,:83,:84,152:1,148:1,:85,:88,152:1,152:1,152:1&x=1216853799

Notable also is that the request for /17PHolmes.cmt in our cases had
an irregular User-Agent:

47 45 54 20 2F 31 37 50 48 6F 6C 6D 65 73 2E 63
6D 74 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65
72 2D 41 67 65 6E 74 3A 20 54 45 53 54 0D 0A 48
6F 73 74 3A 20 6B 73 6E 2E 61 35 37 32 2E 77 72
73 2E 6D 63 62 6F 6F 2E 63 6F 6D 0D 0A 43 61 63
68 65 2D 43 6F 6E 74 72 6F 6C 3A 20 6E 6F 2D 63
61 63 68 65 0D 0A 0D 0A

GET /17PHolmes.cmt HTTP/1.1
User-Agent: TEST
Host: ksn.a572.wrs.mcboo.com
Cache-Control: no-cache

-- 
Darren Spruell
phatbuckett at gmail.com
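The following is an added example and not code from this thread or from the Emerging Threats rule set. It decodes the hex dump posted above, parses the request, and applies the intent of the three detection ideas in the thread (Philipp's first variant: the URI pinned to 206.251.244.226; his second variant: the URI plus a Host header ending in wrs.mcboo.com; Matt's "anything mcboo.com") together with the irregular User-Agent of TEST that Darren noted. Rule labels, function names and the TEST_DOWNLOAD_IP style constants are this example's own. It models what each rule is trying to say rather than Snort's byte-offset semantics, so the within:15 modifier of the second variant is not reproduced; use it to reason about coverage over captured requests, not as a substitute for the rules themselves.

```python
"""Defender-side triage of the captured /17PHolmes.cmt request (added example)."""

# Hex dump of the observed request, copied from the post above.
HEX_DUMP = """
47 45 54 20 2F 31 37 50 48 6F 6C 6D 65 73 2E 63
6D 74 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65
72 2D 41 67 65 6E 74 3A 20 54 45 53 54 0D 0A 48
6F 73 74 3A 20 6B 73 6E 2E 61 35 37 32 2E 77 72
73 2E 6D 63 62 6F 6F 2E 63 6F 6D 0D 0A 43 61 63
68 65 2D 43 6F 6E 74 72 6F 6C 3A 20 6E 6F 2D 63
61 63 68 65 0D 0A 0D 0A
"""

# Values taken from the proposed rules and the discussion; constant names are ours.
DOWNLOAD_IP = "206.251.244.226"   # destination in the first proposed rule
DOWNLOAD_URI = "/17PHolmes.cmt"   # uricontent in both rules (case-sensitive)
HOST_SUFFIX = "wrs.mcboo.com"     # "wrs.mcboo.com|0d 0a|" in the second rule, nocase
DOMAIN = "mcboo.com"              # Matt's "ANYTHING mcboo.com" suggestion
ODD_USER_AGENT = "TEST"           # the irregular User-Agent seen in the capture


def hex_dump_to_bytes(dump):
    """Turn a whitespace-separated hex dump into the raw request bytes."""
    return bytes.fromhex("".join(dump.split()))


def parse_request(raw):
    """Parse the request line and headers (no body) from raw HTTP bytes.

    Header names are lower-cased so lookups are case-insensitive; values keep
    their original case. A request without a blank line is treated as all-head.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    method, uri, version = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "version": version, "headers": headers}


def host_matches_domain(host, domain):
    """True if host is the domain itself or any subdomain of it (port ignored).

    A plain substring test would also match e.g. 'notmcboo.com', which is why
    the check is anchored on a label boundary.
    """
    h = host.lower().split(":")[0]
    return h == domain or h.endswith("." + domain)


def evaluate_rules(raw, dst_ip):
    """Return the labels of every detection idea from the thread that fires."""
    req = parse_request(raw)
    host = req["headers"].get("host", "")
    hits = []
    # Variant 1: URI match, destination pinned to the one IP seen so far.
    if DOWNLOAD_URI in req["uri"] and dst_ip == DOWNLOAD_IP:
        hits.append("variant1_uri_to_known_ip")
    # Variant 2: URI match plus Host header ending in wrs.mcboo.com (nocase).
    if DOWNLOAD_URI in req["uri"] and host.lower().split(":")[0].endswith(HOST_SUFFIX):
        hits.append("variant2_uri_plus_host")
    # Matt's broader idea: any request to a mcboo.com host.
    if host_matches_domain(host, DOMAIN):
        hits.append("any_mcboo_host")
    # The anomaly Darren observed: a User-Agent of literally "TEST".
    if req["headers"].get("user-agent", "") == ODD_USER_AGENT:
        hits.append("irregular_user_agent_TEST")
    return hits


if __name__ == "__main__":
    raw = hex_dump_to_bytes(HEX_DUMP)
    print(raw.decode("latin-1"))
    print("to known IP:   ", evaluate_rules(raw, DOWNLOAD_IP))
    print("to other IP:   ", evaluate_rules(raw, "192.0.2.1"))
```

Running it against the captured request shows the trade-off Matt describes: pinning on the IP loses the hit as soon as the same file is served from elsewhere, while the Host-based and domain-wide checks still fire, and the User-Agent anomaly is an independent indicator worth tracking on its own.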