[Emerging-Sigs] [Fwd: RE: alert: New event: ET TROJAN Srizbi registering with controller]

Michael Scheidell scheidell at secnap.net
Fri Jan 9 15:35:59 EST 2009


  ES folks:


Wondering if the original link, which shows the target port to be 4099, is 
still true, or did this morph?

the original link:

http://www.secureworks.com/research/threats/ronpaul/

shows these two sigs. It seems the rev4 sig we have doesn't look 
for port 4099 only, and may be prone to FPs.

alert udp any 1024: -> any 4099 (msg:"Trojan.Srizbi registering with controller";
    dsize:20; content:"|2d|"; offset:6; content:"|2d|"; distance:6; within:1;
    classtype:trojan-activity;
    reference:url,www.secureworks.com/research/threats/srizbispam;
    sid:100000001; rev:1;)


alert tcp any any -> any 4099 (msg:"Trojan.Srizbi requesting template";
    content:"GET|20|/"; depth:5; content:"|0d0a|X-Flags|3a20|"; within:200;
    content:"|0d0a|X-TM|3a20|"; within:20; content:"|0d0a|X-BI|3a20|"; within:20;
    reference:url,www.secureworks.com/research/threats/srizbispam;
    sid:100000002; rev:1;)


Current sig (as you see from our log, the target port is 1033, not 
4099, and in fact this sort of looks like MAYBE 1033 is the source 
(>1024) port and 4743 is the target):

/etc/snort/rules/emerging-virus.rules:
alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Srizbi registering with controller";
    dsize:20; content:"|2d|"; offset:6; content:"|2d|"; distance:6; within:1;
    classtype:trojan-activity;
    reference:url,www.secureworks.com/research/threats/ronpaul/;
    sid:2007711; rev:4;)

/etc/snort/rules/sid-msg.map:
2007711 || ET TROJAN Srizbi registering with controller || url,www.secureworks.com/research/threats/ronpaul/

01/09-14:51:28 UDP 192.168.200.103:4737 --> 12.149.76.125:1033
[1:2007711:4] ET TROJAN Srizbi registering with controller (http://www.snort.org/pub-bin/sigs.cgi?sid=2007711)
[Classification: A Network Trojan was detected] [Priority: 1]


-- 
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * King of Spam Filters, SC Magazine 2008
    * Information Security Award 2008, Info Security Products Guide
    * CRN Magazine Top 40 Emerging Security Vendors

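To make the port-range question concrete, here is an added example (not part of the original post or of the Emerging Threats / SecureWorks rules): a small Python model of the rule options involved (source/destination port ranges, dsize, content with offset/distance/within), run over constructed UDP packets. It shows that the SecureWorks rule only fires toward destination port 4099, while the ET rev4 rule fires on any 20-byte UDP payload between two ports >= 1024 that has a 0x2d byte at or after offset 6 and another exactly 7 bytes later, including the 4737 -> 1033 packet from the log above and a harmless-looking 20-byte token. The sample packets are constructed, and the retry of the first content match when the relative match fails is modelled as an assumption about Snort 2.x behaviour.

```python
"""Model of the two Srizbi "registering with controller" rules from the post.

Not Snort itself: a re-implementation of the few rule options involved
(port ranges, dsize, content with offset / distance / within), evaluated
over constructed UDP packets to show which rule fires on which traffic.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SrizbiRule:
    name: str
    src_min: int               # "any 1024:" on the source side
    dst_exact: Optional[int]   # 4099 in the SecureWorks rule, None for a range
    dst_min: int               # "1024:" in the ET rev4 rule (used when dst_exact is None)
    dsize: int = 20            # dsize:20 in both rules


# The two rules as quoted in the post (sid 100000001 rev 1 and sid 2007711 rev 4).
SECUREWORKS_REV1 = SrizbiRule(
    "Trojan.Srizbi registering with controller (sid 100000001)", 1024, 4099, 0)
ET_REV4 = SrizbiRule(
    "ET TROJAN Srizbi registering with controller (sid 2007711 rev 4)", 1024, None, 1024)


def content_chain_matches(payload: bytes) -> bool:
    """content:"|2d|"; offset:6; content:"|2d|"; distance:6; within:1;

    The first 0x2d may sit anywhere at or after byte 6.  The second must start
    exactly 6 bytes past the end of the first match (distance:6 skips six bytes,
    within:1 leaves a single position).  When the relative match fails, the loop
    retries with the next candidate for the first content; that retry is an
    assumption about how Snort 2.x backtracks, not something the post states.
    """
    for first in range(6, len(payload)):
        if payload[first] != 0x2D:
            continue
        second = first + 1 + 6
        if second < len(payload) and payload[second] == 0x2D:
            return True
    return False


def ports_match(rule: SrizbiRule, src_port: int, dst_port: int) -> bool:
    """Apply the rule header's port constraints."""
    if src_port < rule.src_min:
        return False
    if rule.dst_exact is not None:
        return dst_port == rule.dst_exact
    return dst_port >= rule.dst_min


def rule_fires(rule: SrizbiRule, src_port: int, dst_port: int, payload: bytes) -> bool:
    """True when header ports, dsize and the content chain all match."""
    return (ports_match(rule, src_port, dst_port)
            and len(payload) == rule.dsize
            and content_chain_matches(payload))


# Constructed sample traffic, not captures: (label, src port, dst port, payload).
# Dash positions in the payloads are what the rules key on.
SAMPLE_PACKETS: List[Tuple[str, int, int, bytes]] = [
    ("alert in the post, 4737 -> 1033", 4737, 1033, b"ABCDEF-GHIJKL-MNOPQR"),
    ("same payload to controller port 4099", 1033, 4099, b"ABCDEF-GHIJKL-MNOPQR"),
    ("benign-looking token between ephemeral ports", 5000, 5001, b"node01-rack02-shelf7"),
    ("dashes at 8 and 15: offset allows a later first match", 40000, 4099, b"ABCDEFGH-IJKLMN-OPQR"),
    ("dashes at 6 and 12: wrong spacing", 40000, 4099, b"ABCDEF-GHIJK-LMNOPQR"),
    ("21-byte payload fails dsize", 40000, 4099, b"ABCDEF-GHIJKL-MNOPQRS"),
    ("source port below 1024", 53, 4099, b"ABCDEF-GHIJKL-MNOPQR"),
]


def matching_labels(rule: SrizbiRule, packets=SAMPLE_PACKETS) -> List[str]:
    """Labels of the sample packets on which the given rule fires."""
    return [label for label, src, dst, payload in packets
            if rule_fires(rule, src, dst, payload)]


if __name__ == "__main__":
    for rule in (SECUREWORKS_REV1, ET_REV4):
        print(rule.name)
        for label in matching_labels(rule):
            print("   fires on:", label)
```

Running it lists the "benign-looking token" packet under the ET rev4 rule but not under the SecureWorks rule, which is the false-positive exposure the post is asking about: without the 4099 destination constraint, the content chain alone is only two fixed bytes in a 20-byte datagram.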


