[Emerging-Sigs] CURRENT_EVENTS Gicia.info Related Trojan Checkin additional data

Matt Jonkman jonkman at jonkmans.com
Tue Jan 6 12:19:37 EST 2009


Gone with this, look right?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
Piptea.a Related Trojan Checkin (1)"; flow:established,to_server;
uricontent:"/cd/cd.php?id="; uricontent:"&ver=";
pcre:"/\/cd\/cd\.php.id=[A-F0-9\-]+&ver=/U"; classtype:trojan-activity;
sid:2008382; rev:3;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
Piptea.a Related Trojan Checkin (2)"; flow:established,to_server;
uricontent:"/cd/un2.php?id="; uricontent:"&ver=";
pcre:"/\/cd\/un2\.php.id=[A-F0-9\-]+&ver=/U"; classtype:trojan-activity;
sid:2008383; rev:3;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
Piptea.a Related Trojan Checkin (3)"; flow:established,to_server;
uricontent:"/cd/un.php?id="; uricontent:"&ver=";
pcre:"/\/cd\/un\.php.id=[A-F0-9\-]+&ver=/U"; classtype:trojan-activity;
sid:2008384; rev:3;)



Darren Spruell wrote:
> Searching through proxy logs for a compromised host I encountered
> activity that seems to be tied to the trojan in the following rules:
> 
> #by Philipp Bescht
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (1)";
> flow:established,to_server; uricontent:"/cd/cd.php?id="; nocase;
> uricontent:"&ver=nz"; nocase; classtype:trojan-activity; sid:2008382;
> rev:2;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (2)";
> flow:established,to_server; uricontent:"/cd/un2.php?id="; nocase;
> uricontent:"&ver=nz"; nocase; classtype:trojan-activity; sid:2008383;
> rev:2;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (3)";
> flow:established,to_server; uricontent:"/cd/un.php?id="; nocase;
> uricontent:"&ver=ig"; nocase; classtype:trojan-activity; sid:2008384;
> rev:2;)
> 
> Client requests:
> 
> hxxp://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://updatesabout.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://winwupdates.cn/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://updatesabout.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://winwupdates.cn/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://updatesabout.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://winwupdates.cn/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://updatesabout.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://winwupdates.cn/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> 
> With the 'ver' parameter being variable we should get more matches if
> it's loosened a bit:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (1)";
> flow:established,to_server; uricontent:"/cd/cd.php?id="; nocase;
> uricontent:"&ver="; nocase; classtype:trojan-activity; sid:2008382;
> rev:3;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (2)";
> flow:established,to_server; uricontent:"/cd/un2.php?id="; nocase;
> uricontent:"&ver="; nocase; classtype:trojan-activity; sid:2008383;
> rev:3;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (3)";
> flow:established,to_server; uricontent:"/cd/un.php?id="; nocase;
> uricontent:"&ver="; nocase; classtype:trojan-activity; sid:2008384;
> rev:3;)
> 
> Any common naming of the trojan?
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
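Added example, not part of the thread above and not Emerging Threats code: a small Python replay harness that evaluates the `uricontent`/`nocase`/`pcre` options of the rules posted in this thread against the path+query of URLs pulled from proxy-log lines (an approximation of Snort's normalized URI buffer, which is what the pcre `U` modifier selects). The rule text is copied from the message; the log lines are constructed, reusing the defanged `hxxp` client requests quoted by Darren plus two extra lines (a lowercase-hex `id`, and a benign `/cd/index.php` request) to probe the rule edges. One thing it surfaces: the rev:2 rules carried `nocase`, while the rev:3 `pcre` has no `i` modifier, so an `id` in lowercase hex would pass the `uricontent` checks but fail `[A-F0-9\-]+`.

```python
"""Replay Snort uricontent/pcre checks from the Emerging Threats rules above
against proxy-log URLs. Protocol, port and flow options are ignored; only the
URI options are evaluated, against path+query of each logged URL."""
import re
from urllib.parse import urlsplit

# Rules copied from the thread: the three rev:3 rules from the message, plus the
# rev:2 rule for sid 2008382 from the quoted reply (fixed "&ver=nz") for contrast.
RULES = [
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Piptea.a Related Trojan Checkin (1)"; flow:established,to_server; uricontent:"/cd/cd.php?id="; uricontent:"&ver="; pcre:"/\/cd\/cd\.php.id=[A-F0-9\-]+&ver=/U"; classtype:trojan-activity; sid:2008382; rev:3;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Piptea.a Related Trojan Checkin (2)"; flow:established,to_server; uricontent:"/cd/un2.php?id="; uricontent:"&ver="; pcre:"/\/cd\/un2\.php.id=[A-F0-9\-]+&ver=/U"; classtype:trojan-activity; sid:2008383; rev:3;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Piptea.a Related Trojan Checkin (3)"; flow:established,to_server; uricontent:"/cd/un.php?id="; uricontent:"&ver="; pcre:"/\/cd\/un\.php.id=[A-F0-9\-]+&ver=/U"; classtype:trojan-activity; sid:2008384; rev:3;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (1)"; flow:established,to_server; uricontent:"/cd/cd.php?id="; nocase; uricontent:"&ver=nz"; nocase; classtype:trojan-activity; sid:2008382; rev:2;)',
]

# Constructed proxy-log lines. The first three reuse the defanged client
# requests quoted in the thread; lines 4 and 5 are invented edge cases.
LOG_LINES = [
    "2009-01-06 12:00:01 10.1.2.3 GET hxxp://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1 200",
    "2009-01-06 12:00:02 10.1.2.3 GET hxxp://updatesabout.com/cd/un2.php?id=1-1C9644A8D954FA0&ver=kk1 200",
    "2009-01-06 12:00:03 10.1.2.3 GET hxxp://winwupdates.cn/cd/un.php?id=1-1C9644A8D954FA0&ver=ig 200",
    "2009-01-06 12:00:04 10.1.2.4 GET hxxp://winwupdates.cn/cd/cd.php?id=1-1c9644a8d954fa0&ver=nz 200",  # lowercase id (constructed)
    "2009-01-06 12:00:05 10.1.2.5 GET hxxp://example.invalid/cd/index.php?page=1 200",  # benign (constructed)
]

# One rule option: name, optional ":value" (quoted or bare), terminated by ";".
_OPTION_RE = re.compile(r'(\w+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?\s*;\s*')
_PCRE_RE = re.compile(r"/(.*)/([A-Za-z]*)", re.S)
# Snort pcre modifiers that have a Python re equivalent. "U" only selects the
# URI buffer, which is the buffer this script scans anyway.
_PCRE_FLAGS = {"i": re.I, "s": re.S, "m": re.M, "x": re.X}


def parse_rule(rule):
    """Extract sid, rev, msg and the ordered URI checks from one Snort rule."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    parsed = {"sid": None, "rev": None, "msg": "", "checks": []}
    for name, value in _OPTION_RE.findall(body):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if name == "sid":
            parsed["sid"] = int(value)
        elif name == "rev":
            parsed["rev"] = int(value)
        elif name == "msg":
            parsed["msg"] = value
        elif name == "uricontent":
            parsed["checks"].append({"kind": "uricontent", "value": value, "nocase": False})
        elif name == "nocase" and parsed["checks"] and parsed["checks"][-1]["kind"] == "uricontent":
            parsed["checks"][-1]["nocase"] = True  # nocase modifies the preceding content match
        elif name == "pcre":
            pattern, mods = _PCRE_RE.fullmatch(value).groups()
            flags = 0
            for mod in mods:
                flags |= _PCRE_FLAGS.get(mod, 0)
            parsed["checks"].append({"kind": "pcre", "regex": re.compile(pattern, flags)})
    return parsed


def uri_of(log_line):
    """Return path+query of the first URL in a log line (defanged hxxp accepted), or None."""
    m = re.search(r"h(?:xx|tt)ps?://\S+", log_line)
    if not m:
        return None
    parts = urlsplit(m.group(0))
    return parts.path + ("?" + parts.query if parts.query else "")


def rule_matches(parsed, uri):
    """All uricontent/pcre checks must hold, as they would in Snort."""
    for check in parsed["checks"]:
        if check["kind"] == "uricontent":
            hay, needle = (uri.lower(), check["value"].lower()) if check["nocase"] else (uri, check["value"])
            if needle not in hay:
                return False
        elif not check["regex"].search(uri):
            return False
    return True


def scan(log_lines, rules=RULES):
    """Return [(line_no, sid, rev)] for every rule that fires on each log line."""
    parsed_rules = [parse_rule(r) for r in rules]
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        uri = uri_of(line)
        if uri is None:
            continue
        for rule in parsed_rules:
            if rule_matches(rule, uri):
                hits.append((line_no, rule["sid"], rule["rev"]))
    return hits


if __name__ == "__main__":
    for line_no, sid, rev in scan(LOG_LINES):
        print(f"line {line_no}: sid {sid} rev {rev}")
```

Run as a script it prints one hit per rule that fires; lines 1 to 3 fire the three rev:3 rules, line 4 (lowercase `id`, `ver=nz`) fires only the rev:2 rule, and the benign line fires nothing. Adding `i` to the pcre modifiers, or keeping `nocase` on the `uricontent` options, would close that gap if lowercase identifiers are ever observed.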



