[Emerging-Sigs] CURRENT_EVENTS Gicia.info Related Trojan Checkin additional data

Matt Jonkman jonkman at jonkmans.com
Tue Jan 6 12:06:13 EST 2009


I agree, those changes should be reliable. I'll get them posted now.

As for a name on the trojan, here's about as standard as we get:

Trj/Downloader.UUP
TR/VB.djc
Trojan.VB.djc
Trojan:Win32/Piptea.A
a variant of Win32/Kryptik.DQ
InformationStealer
Heuristic.Crypted
Sus/Behav-273

Pick the one you like best. :)

It is remaining stable though, so I'll move these sigs over to the main
ruleset.

Thanks Darren!!

Matt

Darren Spruell wrote:
> Searching through proxy logs for a compromised host I encountered
> activity that seems to be tied to the trojan in the following rules:
> 
> #by Philipp Bescht
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (1)";
> flow:established,to_server; uricontent:"/cd/cd.php?id="; nocase;
> uricontent:"&ver=nz"; nocase; classtype:trojan-activity; sid:2008382;
> rev:2;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (2)";
> flow:established,to_server; uricontent:"/cd/un2.php?id="; nocase;
> uricontent:"&ver=nz"; nocase; classtype:trojan-activity; sid:2008383;
> rev:2;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (3)";
> flow:established,to_server; uricontent:"/cd/un.php?id="; nocase;
> uricontent:"&ver=ig"; nocase; classtype:trojan-activity; sid:2008384;
> rev:2;)
> 
> Client requests:
> 
> hxxp://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://updatesabout.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://winwupdates.cn/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://updatesabout.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://winwupdates.cn/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://updatesabout.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://winwupdates.cn/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://updatesabout.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://winwupdates.cn/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> 
> With the 'ver' parameter being variable we should get more matches if
> it's loosened a bit:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (1)";
> flow:established,to_server; uricontent:"/cd/cd.php?id="; nocase;
> uricontent:"&ver="; nocase; classtype:trojan-activity; sid:2008382;
> rev:3;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (2)";
> flow:established,to_server; uricontent:"/cd/un2.php?id="; nocase;
> uricontent:"&ver="; nocase; classtype:trojan-activity; sid:2008383;
> rev:3;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (3)";
> flow:established,to_server; uricontent:"/cd/un.php?id="; nocase;
> uricontent:"&ver="; nocase; classtype:trojan-activity; sid:2008384;
> rev:3;)
> 
> Any common naming of the trojan?
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
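To show what the rev:2 to rev:3 change in the quoted rules actually buys, here is a small added example (my own code, not Emerging Threats' rules or Snort itself) that models only the uricontent/nocase matching of those six rules and runs them over a handful of proxy-log URLs. The three kk1 requests are the distinct hosts from Darren's log; the remaining requests are constructed (example.invalid) to exercise the un.php rule, case-insensitive matching and a request with no ver parameter. The parser handles just the option keys these rules use and is not a general Snort rule parser.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Rule text as quoted in the thread: the original rev:2 rules (fixed "ver" value)
# followed by the loosened rev:3 rules (any "ver" value), one rule per line.
RULES_TEXT = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (1)"; flow:established,to_server; uricontent:"/cd/cd.php?id="; nocase; uricontent:"&ver=nz"; nocase; classtype:trojan-activity; sid:2008382; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (2)"; flow:established,to_server; uricontent:"/cd/un2.php?id="; nocase; uricontent:"&ver=nz"; nocase; classtype:trojan-activity; sid:2008383; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (3)"; flow:established,to_server; uricontent:"/cd/un.php?id="; nocase; uricontent:"&ver=ig"; nocase; classtype:trojan-activity; sid:2008384; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (1)"; flow:established,to_server; uricontent:"/cd/cd.php?id="; nocase; uricontent:"&ver="; nocase; classtype:trojan-activity; sid:2008382; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (2)"; flow:established,to_server; uricontent:"/cd/un2.php?id="; nocase; uricontent:"&ver="; nocase; classtype:trojan-activity; sid:2008383; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (3)"; flow:established,to_server; uricontent:"/cd/un.php?id="; nocase; uricontent:"&ver="; nocase; classtype:trojan-activity; sid:2008384; rev:3;)
'''

# Sample proxy-log requests. The first three are the hosts from Darren's log
# (kept defanged as hxxp); the example.invalid entries are constructed.
SAMPLE_REQUESTS = [
    "hxxp://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1",
    "hxxp://updatesabout.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1",
    "hxxp://winwupdates.cn/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1",
    "hxxp://example.invalid/cd/un.php?id=1-1C9644A8D954FA0&ver=ig",  # constructed
    "hxxp://example.invalid/CD/CD.PHP?id=ABC&VER=nz",                 # constructed, case test
    "hxxp://example.invalid/cd/cd.php?id=42",                         # constructed, no ver
]


@dataclass
class Rule:
    sid: int
    rev: int
    msg: str
    patterns: List[Tuple[str, bool]]  # (uricontent string, nocase flag)


# One Snort option: key, optional ":value" (quoted or bare), terminated by ';'.
OPTION_RE = re.compile(r'(\w+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_rule(line: str) -> Rule:
    """Extract sid, rev, msg and the uricontent/nocase pairs from one rule line."""
    _header, _, body = line.partition("(")
    body = body.rstrip().rstrip(")")
    sid = rev = 0
    msg = ""
    patterns: List[List] = []
    for m in OPTION_RE.finditer(body):
        key, val = m.group(1), m.group(2)
        if val and val.startswith('"'):
            val = val[1:-1]
        if key == "uricontent":
            patterns.append([val, False])
        elif key == "nocase" and patterns:
            patterns[-1][1] = True  # nocase modifies the preceding content option
        elif key == "sid":
            sid = int(val)
        elif key == "rev":
            rev = int(val)
        elif key == "msg":
            msg = val
    return Rule(sid, rev, msg, [tuple(p) for p in patterns])


def uri_of(request: str) -> str:
    """Path plus query string, roughly what uricontent inspects."""
    parts = urlsplit(request)
    return parts.path + ("?" + parts.query if parts.query else "")


def rule_matches(rule: Rule, uri: str) -> bool:
    """All uricontent patterns of the rule must occur in the URI."""
    for content, nocase in rule.patterns:
        hay, needle = (uri.lower(), content.lower()) if nocase else (uri, content)
        if needle not in hay:
            return False
    return True


def match_uris(rules_text: str, requests: List[str]) -> Dict[Tuple[int, int], List[str]]:
    """Map (sid, rev) to the list of requests that rule would fire on."""
    rules = [parse_rule(l) for l in rules_text.strip().splitlines() if l.strip()]
    return {(r.sid, r.rev): [q for q in requests if rule_matches(r, uri_of(q))] for r in rules}


if __name__ == "__main__":
    for (sid, rev), hits in match_uris(RULES_TEXT, SAMPLE_REQUESTS).items():
        print(f"sid:{sid} rev:{rev} -> {len(hits)} hit(s)")
        for h in hits:
            print("   ", h)
```

Running it shows the point of the thread: the rev:2 copy of sid 2008382 fires on none of the three kk1 checkins, while rev:3 catches all of them. The loosened rules still require the full `/cd/cd.php?id=` (or un.php / un2.php) prefix, so the extra `&ver=` only serves to anchor on the checkin's second parameter rather than a particular build tag.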



