[Emerging-Sigs] observation on 2008041 and 2008042

Russell Fulton r.fulton at auckland.ac.nz
Wed Mar 26 07:45:28 EST 2008 

in all the case I have seen I have a several destination addresses  
with traffic split between them, eg:

2008-03-26 02:14:19 	 ET TROJAN Hupigon CnC init (variant abb) 	  
130.216.176.10 arch-oa205831.creative.auckland.ac.nz  	 80.34.213.235  
235.Red-80-34-213.staticIP.rima-tde.net  	6 	44
2008-03-26 02:29:59 	ET TROJAN Hupigon CnC init (variant abb) 	 
130.216.176.10 arch-uoa205831.creative.auckland.ac.nz 	80.34.213.235  
235.Red-80-34-213.staticIP.rima-tde.net 	6 	44
2008-03-26 02:33:47 	ET TROJAN Hupigon CnC init (variant abb) 	 
130.216.176.10 arch-uoa205831.creative.auckland.ac.nz 	80.34.213.235  
235.Red-80-34-213.staticIP.rima-tde.net 	6 	44
2008-03-26 02:49:38 	ET TROJAN Hupigon CnC init (variant abb) 	 
130.216.176.10 arch-uoa205831.creative.auckland.ac.nz 	201.29.204.148  
20129204148.user.veloxzone.com.br 	6 	44
2008-03-26 02:49:58 	ET TROJAN Hupigon CnC init (variant abb) 	 
130.216.176.10 arch-uoa205831.creative.auckland.ac.nz 	116.75.149.14  
None 	6 	44
2008-03-26 03:02:29 	ET TROJAN Hupigon CnC init (variant abb) 	 
130.216.176.10 arch-uoa205831.creative.auckland.ac.nz 	80.34.213.235  
235.Red-80-34-213.staticIP.rima-tde.net 	6 	44
2008-03-26 04:46:08 	ET TROJAN Hupigon CnC init (variant abb) 	 
130.216.176.10 arch-uoa205831.creative.auckland.ac.nz 	116.75.149.14  
None 	6 	44
2008-03-26 07:34:26 	ET TROJAN Hupigon CnC init (variant abb) 	 
130.216.176.10 arch-uoa205831.creative.auckland.ac.nz 	121.247.80.107  
121.247.80.107.chennai-dynamic-bb.vsnl.net.in 	6 	44
2008-03-26 09:28:18 	ET TROJAN Hupigon CnC init (variant abb) 	 
130.216.176.10 arch-uoa205831.creative.auckland.ac.nz 	89.1.246.167  
89.1.246.167.dynamic.barak-online.net 	6 	44
2008-03-26 09:28:22 	ET TROJAN Hupigon CnC init (variant abb) 	 
130.216.176.10 arch-uoa205831.creative.auckland.ac.nz 	89.1.246.167  
89.1.246.167.dynamic.barak-online.net 	6 	44
2008-03-26 10:16:39 	ET TROJAN Hupigon CnC init (variant abb) 	 
130.216.176.10 arch-uoa205831.creative.auckland.ac.nz 	82.241.60.157  
tro83-1-82-241-60-157.fbx.proxad.net 	6 	44



On 27/03/2008, at 1:33 AM, Russell Fulton wrote:
> I'm seeing lots (1000s) of hits on these rules some I've confirmed  
> are FPs from these caused by Bit Torrent traffic.  Others ??
>
> I'll try and get some pcaps.
>
> Russell
>

More information about the Emerging-sigs mailing list