[Emerging-Sigs] Unknown C&C sample

Matt Jonkman jonkman at jonkmans.com
Mon Mar 17 12:48:49 EST 2008


Have an interesting one. No specific detection by AV yet, and it's been 
in my queue for a week now.

C&C I caught was on port 2000 tcp. Haven't totally decoded it, but there 
are definite patterns to the checkin and keepalive activity. There's a 
very large encoded data upload, several megabytes, after the initial 
checkin. Then just keepalive.

Sample MD5 is 41c62970ea34413c4011b220724bf029. Happy to share with 
anyone that wants to try to reverse it.

These sigs are listed as unknown in current events for now. Will put 
them in a more appropriate place with an appropriate name once it has 
one, or we identify what it really is.


alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET CURRENT_EVENTS Unknown Trojan CnC Channel Packet 1"; flowbits:isnotset,ET.unk.1; flow:established,to_server; dsize:<200; content:"|83 00 d0 00|"; depth:4; flowbits:set,ET.unk.1; flowbits:noalert; classtype:trojan-activity; sid:2008006; rev:1;)
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"ET CURRENT_EVENTS Unknown Trojan CnC Channel Packet 1 reply"; flowbits:isset,ET.unk.1; flow:established,from_server; dsize:<10; content:"|05 00 00 00|"; depth:4; flowbits:set,ET.unk.2; classtype:trojan-activity; sid:2008007; rev:1;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET CURRENT_EVENTS Unknown Trojan CnC Channel Checkin Replies"; flowbits:isset,ET.unk.2; flow:established,to_server; dsize:<20; content:"|09 00 00 00|"; depth:4; classtype:trojan-activity; sid:2008008; rev:1;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET CURRENT_EVENTS Unknown Trojan CnC Channel Keepalive Pong"; flow:established,to_server; dsize:<40; content:"|20 00 00 00 f8 4d b2 77|"; depth:8; classtype:trojan-activity; sid:2008009; rev:1;)
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"ET CURRENT_EVENTS Unknown Trojan CnC Channel Keepalive Ping"; flow:established,from_server; dsize:<25; content:"|12 00 00 00|"; depth:4; classtype:trojan-activity; sid:2008010; rev:1;)


Please report hits or info!


Matt
-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
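Added example, not part of the original post or of the Emerging Threats ruleset: a small Python model of the flowbits chain in the three checkin rules above (Packet 1 sets ET.unk.1 silently, the reply needs ET.unk.1 and sets ET.unk.2, the checkin reply needs ET.unk.2) plus the two stateless keepalive rules, run over constructed sample packets. Packet payloads, the session layout and the rule encoding are assumptions made for the demo; the keepalive ping is evaluated from_server, matching its $EXTERNAL_NET -> $HOME_NET header.

```python
from dataclasses import dataclass, field

@dataclass
class Flow:
    """Per-session flowbit state, mirroring Snort's flowbits:set / isset / isnotset."""
    bits: set = field(default_factory=set)

# Rule encoding (assumed for this demo):
# (sid, flow direction, flowbit condition or None, dsize upper bound (exclusive),
#  payload prefix = content at depth, bit to set or None, alert?)
RULES = [
    (2008006, "to_server",   ("isnotset", "ET.unk.1"), 200, b"\x83\x00\xd0\x00", "ET.unk.1", False),  # flowbits:noalert
    (2008007, "from_server", ("isset",    "ET.unk.1"),  10, b"\x05\x00\x00\x00", "ET.unk.2", True),
    (2008008, "to_server",   ("isset",    "ET.unk.2"),  20, b"\x09\x00\x00\x00", None,       True),
    (2008009, "to_server",   None,                      40, b"\x20\x00\x00\x00\xf8\x4d\xb2\x77", None, True),
    (2008010, "from_server", None,                      25, b"\x12\x00\x00\x00", None,       True),
]

def evaluate(packets):
    """packets: iterable of (direction, payload) for one TCP session.
    Returns the sids that would alert, in packet order."""
    flow, alerts = Flow(), []
    for direction, payload in packets:
        for sid, rdir, cond, max_dsize, prefix, set_bit, alert in RULES:
            if direction != rdir or len(payload) >= max_dsize:
                continue                      # flow direction and dsize:<N
            if not payload.startswith(prefix):
                continue                      # content:"|..|"; depth:len(prefix)
            if cond is not None:
                op, bit = cond
                if (op == "isset") != (bit in flow.bits):
                    continue                  # flowbits:isset / isnotset gate
            if set_bit:
                flow.bits.add(set_bit)
            if alert:
                alerts.append(sid)
    return alerts

# Constructed sample session (not captured traffic): checkin, reply, checkin reply, then keepalives.
SAMPLE_SESSION = [
    ("to_server",   b"\x83\x00\xd0\x00" + b"\x00" * 60),                  # Packet 1, sets ET.unk.1, silent
    ("from_server", b"\x05\x00\x00\x00\x01"),                              # reply, alerts 2008007, sets ET.unk.2
    ("to_server",   b"\x09\x00\x00\x00" + b"\x00" * 8),                   # checkin reply, alerts 2008008
    ("from_server", b"\x12\x00\x00\x00" + b"\x00" * 4),                   # keepalive ping, alerts 2008010
    ("to_server",   b"\x20\x00\x00\x00\xf8\x4d\xb2\x77" + b"\x00" * 8),   # keepalive pong, alerts 2008009
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_SESSION))   # [2008007, 2008008, 2008010, 2008009]
```

A lone `09 00 00 00` packet with no preceding checkin produces no alert, which is the point of the flowbits gating: the checkin-reply signature only fires inside a session that has already shown the first two exchanges.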