[Emerging-Sigs] CURRENT_EVENTS Gicia.info Related Trojan Checkin additional data

Matt Jonkman jonkman at jonkmans.com
Tue Jan 6 12:11:11 EST 2009


Also noticed in our samples (as in below) that every id starts with 1-1.
Adding that to eliminate any FPs.

Matt

Darren Spruell wrote:
> Searching through proxy logs for a compromised host I encountered
> activity that seems to be tied to the trojan in the following rules:
> 
> #by Philipp Bescht
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (1)";
> flow:established,to_server; uricontent:"/cd/cd.php?id="; nocase;
> uricontent:"&ver=nz"; nocase; classtype:trojan-activity; sid:2008382;
> rev:2;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (2)";
> flow:established,to_server; uricontent:"/cd/un2.php?id="; nocase;
> uricontent:"&ver=nz"; nocase; classtype:trojan-activity; sid:2008383;
> rev:2;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (3)";
> flow:established,to_server; uricontent:"/cd/un.php?id="; nocase;
> uricontent:"&ver=ig"; nocase; classtype:trojan-activity; sid:2008384;
> rev:2;)
> 
> Client requests:
> 
> hxxp://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://updatesabout.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://winwupdates.cn/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://updatesabout.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://winwupdates.cn/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://updatesabout.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://winwupdates.cn/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://updatesabout.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://winwupdates.cn/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> 
> With the 'ver' parameter being variable we should get more matches if
> it's loosened a bit:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (1)";
> flow:established,to_server; uricontent:"/cd/cd.php?id="; nocase;
> uricontent:"&ver="; nocase; classtype:trojan-activity; sid:2008382;
> rev:3;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (2)";
> flow:established,to_server; uricontent:"/cd/un2.php?id="; nocase;
> uricontent:"&ver="; nocase; classtype:trojan-activity; sid:2008383;
> rev:3;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (3)";
> flow:established,to_server; uricontent:"/cd/un.php?id="; nocase;
> uricontent:"&ver="; nocase; classtype:trojan-activity; sid:2008384;
> rev:3;)
> 
> Any common naming of the trojan?
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
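As an added illustration of the tightening discussed in this thread (not part of the thread and not an Emerging Threats rule), the following Python mirrors the three quoted rules in the loosened rev:3 form (path + "id=" and "&ver=" present, case-insensitive like nocase) and adds the extra constraint Matt describes, that the id value must start with "1-1". Run over a few proxy log lines it shows which requests would still alert with and without that constraint. The log format, the example.test hostnames and the non-"1-1" ids are constructed for the example; the hostnames and paths on the first three lines are the ones quoted in the thread.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample proxy log (client ip, method, URL), modelled on the client
# requests quoted in the thread. Lines 4-6 are constructed negative cases.
SAMPLE_LOG = """\
10.0.0.5 GET http://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
10.0.0.5 GET http://updatesabout.com/cd/un2.php?id=1-1C9644A8D954FA0&ver=nz
10.0.0.5 GET http://winwupdates.cn/cd/un.php?id=1-1C9644A8D954FA0&ver=ig
10.0.0.7 GET http://example.test/cd/cd.php?id=7-4ABC&ver=kk1
10.0.0.7 GET http://example.test/cd/cd.php?id=1-1DEADBEEF
10.0.0.9 GET http://example.test/shop/cart.php?id=1-1&ver=2
"""

# One entry per quoted ET rule: (sid, uricontent path, id prefix to require).
# The "1-1" prefix is the tightening proposed in the thread, assumed here for all three.
RULES = [
    (2008382, "/cd/cd.php", "1-1"),
    (2008383, "/cd/un2.php", "1-1"),
    (2008384, "/cd/un.php", "1-1"),
]


def match_checkin(uri: str, require_prefix: bool = True) -> Optional[int]:
    """Return the sid of the first rule whose checks all hit on this URI, else None.

    Both uricontent matches are plain case-insensitive substring tests, as with
    nocase. With require_prefix=True the id value must also begin with the
    rule's prefix, which is what drops the false positives Matt mentions.
    """
    lower = uri.lower()
    for sid, path, prefix in RULES:
        if (path + "?id=") not in lower or "&ver=" not in lower:
            continue
        if require_prefix:
            m = re.search(r"[?&]id=([^&]*)", uri, re.IGNORECASE)
            if not m or not m.group(1).startswith(prefix):
                continue
        return sid
    return None


def scan_log(log_text: str, require_prefix: bool = True) -> List[Tuple[str, int]]:
    """Scan 'client method URL' lines and return (client, sid) for each alerting request."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        client, url = parts[0], parts[2]
        # uricontent inspects only the request URI, so strip scheme and host first.
        hostpath = url.split("://", 1)[-1]
        uri = hostpath[hostpath.find("/"):] if "/" in hostpath else "/"
        sid = match_checkin(uri, require_prefix)
        if sid is not None:
            hits.append((client, sid))
    return hits


if __name__ == "__main__":
    print("with 1-1 prefix check:   ", scan_log(SAMPLE_LOG))
    print("without 1-1 prefix check:", scan_log(SAMPLE_LOG, require_prefix=False))
```

The fourth log line (id=7-4ABC) alerts only in the loosened form; the request with no ver parameter and the unrelated /shop/cart.php request never alert, since the path substring and the "&ver=" substring both have to be present, just as in the quoted rules.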
