[Emerging-Sigs] CURRENT_EVENTS Gicia.info Related Trojan Checkin additional data

Darren Spruell phatbuckett at gmail.com
Tue Jan 6 03:31:48 EST 2009


Searching through proxy logs for a compromised host, I encountered
activity that seems to be tied to the trojan in the following rules:

#by Philipp Bescht
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (1)"; flow:established,to_server; uricontent:"/cd/cd.php?id="; nocase; uricontent:"&ver=nz"; nocase; classtype:trojan-activity; sid:2008382; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (2)"; flow:established,to_server; uricontent:"/cd/un2.php?id="; nocase; uricontent:"&ver=nz"; nocase; classtype:trojan-activity; sid:2008383; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (3)"; flow:established,to_server; uricontent:"/cd/un.php?id="; nocase; uricontent:"&ver=ig"; nocase; classtype:trojan-activity; sid:2008384; rev:2;)

Client requests:

hxxp://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
hxxp://updatesabout.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
hxxp://winwupdates.cn/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
hxxp://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
hxxp://updatesabout.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
hxxp://winwupdates.cn/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
hxxp://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
hxxp://updatesabout.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
hxxp://winwupdates.cn/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
hxxp://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
hxxp://updatesabout.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
hxxp://winwupdates.cn/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1

With the 'ver' parameter being variable, we should get more matches if
it's loosened a bit:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (1)"; flow:established,to_server; uricontent:"/cd/cd.php?id="; nocase; uricontent:"&ver="; nocase; classtype:trojan-activity; sid:2008382; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (2)"; flow:established,to_server; uricontent:"/cd/un2.php?id="; nocase; uricontent:"&ver="; nocase; classtype:trojan-activity; sid:2008383; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (3)"; flow:established,to_server; uricontent:"/cd/un.php?id="; nocase; uricontent:"&ver="; nocase; classtype:trojan-activity; sid:2008384; rev:3;)

Any common naming of the trojan?

-- 
Darren Spruell
phatbuckett at gmail.com
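An added illustration (not part of Darren's post or the ET ruleset) of why the rev:3 loosening matters: a minimal evaluator applies each rule's uricontent/nocase terms to request URIs, using the sid 2008382 rule text quoted in the post and the three check-in URLs above, plus two constructed log lines (marked as such) to show the boundary cases.

```python
import re
from urllib.parse import urlsplit

# sid 2008382 as quoted in the post: rev:2 pins ver to "nz", rev:3 accepts any value.
RULE_REV2 = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET '
             'CURRENT_EVENTS Gicia.info Related Trojan Checkin (1)"; '
             'flow:established,to_server; uricontent:"/cd/cd.php?id="; nocase; '
             'uricontent:"&ver=nz"; nocase; classtype:trojan-activity; '
             'sid:2008382; rev:2;)')
RULE_REV3 = RULE_REV2.replace('uricontent:"&ver=nz"', 'uricontent:"&ver="').replace('rev:2', 'rev:3')

# Proxy log sample: the first three lines are the requests from the post (defanged
# hxxp kept as written); the last two are constructed to exercise the edge cases.
PROXY_LOG = [
    "hxxp://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1",
    "hxxp://updatesabout.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1",
    "hxxp://winwupdates.cn/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1",
    "hxxp://example.invalid/cd/cd.php?id=DEADBEEF&ver=nz",  # constructed: the only rev:2 hit
    "hxxp://example.invalid/updates/check.php?ver=kk1",      # constructed: right ver, wrong path
]

OPTION_RE = re.compile(r'uricontent:"([^"]+)";(\s*nocase;)?')

def uricontent_terms(rule):
    """Return (pattern, nocase) for every uricontent option, in rule order."""
    return [(m.group(1), m.group(2) is not None) for m in OPTION_RE.finditer(rule)]

def rule_sid_rev(rule):
    sid = re.search(r'sid:(\d+);', rule).group(1)
    rev = re.search(r'rev:(\d+);', rule).group(1)
    return f"{sid}:{rev}"

def uri_of(url):
    """Path plus query string, which is what uricontent is matched against."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")

def rule_matches(rule, url):
    """Snort ANDs all uricontent terms: every one must appear in the URI."""
    uri = uri_of(url)
    for pattern, nocase in uricontent_terms(rule):
        hay, needle = (uri.lower(), pattern.lower()) if nocase else (uri, pattern)
        if needle not in hay:
            return False
    return True

def hits(rule, log=PROXY_LOG):
    return [url for url in log if rule_matches(rule, url)]

if __name__ == "__main__":
    for rule in (RULE_REV2, RULE_REV3):
        print(rule_sid_rev(rule), len(hits(rule)), "hits")  # 2008382:2 -> 1, 2008382:3 -> 4
```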

