[Emerging-Sigs] 2008665 content match

Matt Jonkman jonkman at jonkmans.com
Sun Jan 11 10:00:34 EST 2009


Darren Spruell wrote:
> 
> -----------
> POST /baasseulu/nehyaq.php?btn=pc1_00436655&q=mix3 HTTP/1.1
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
> Host: 3876373tr.org
> Content-Length: 564
> Connection: Keep-Alive
> Cache-Control: no-cache
> 
> SOFT,...÷.ò^M....êêã.Þúá&Ö.....
> -----------
> 
> Maybe this rule works:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Obfiscator.vc or Related Infection Checkin";
> flow:established,to_server; uricontent:"btn="; uricontent:"q=";
> content:"|0d 0a 0d 0a|SOFT"; classtype:trojan-activity; sid:2008665;
> rev:3;)

Agreed, good change, thanks Darren. Posting now.

> 
> Also, is the above actually Zbot/Zeus?
> 
> http://www.threatexpert.com/report.aspx?md5=623a5a90adb79e01b2b29fac13aef26f
> 
> 2008661 identifies a very similar request as Zbot:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Zbot/Zeus HTTP POST"; flow:to_server,established; content:"POST ";
> depth:5; uricontent:".php?"; uricontent:"zip="; uricontent:"type=";
> uricontent:"name="; uricontent:"q=";  uricontent:"item=";
> uricontent:"id=";  uricontent:"rdp=";  classtype:trojan-activity;
> sid:2008661; rev:1;)

It's possible, but there are enough dissimilarities that make you
wonder. But either way, we have sigs for both. Break out the AV! :)

Matt


> 
> POST /baasseulu/nehyaq.php?zip=pc1_003c4571&type=0&name=16843776&q=mix3&item=281&id=0&rdp=0
> HTTP/1.0
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
> Host: 3876373tr.org
> Content-Length: 0
> Connection: Keep-Alive
> Pragma: no-cache
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
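Both rules discussed in this thread, expressed as an added Python check (not a rule or code from the list or from Emerging Threats) and run over the two requests Darren posted. It approximates Snort semantics only (plain substring matches on the request line and raw payload, no HTTP normalization); the request bodies are constructed stand-ins, since the mail shows only a garbled excerpt.

```python
# Constructed sample requests, reproduced from the two checkins quoted in the mail.
# The binary body of the first request is a constructed stand-in that starts with "SOFT".
REQ_2008665 = (
    b"POST /baasseulu/nehyaq.php?btn=pc1_00436655&q=mix3 HTTP/1.1\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"Host: 3876373tr.org\r\n"
    b"Content-Length: 564\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"SOFT,\x01\x02\xf7\x00\xf2\r\x00\x00"  # constructed binary body
)
REQ_2008661 = (
    b"POST /baasseulu/nehyaq.php?zip=pc1_003c4571&type=0&name=16843776"
    b"&q=mix3&item=281&id=0&rdp=0 HTTP/1.0\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"Host: 3876373tr.org\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Pragma: no-cache\r\n"
    b"\r\n"
)


def request_uri(raw: bytes) -> bytes:
    """Return the request URI from the request line (what uricontent inspects)."""
    request_line = raw.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def matches_2008665(raw: bytes) -> bool:
    """Darren's revised rule: uricontent "btn=" and "q=", plus
    content:"|0d 0a 0d 0a|SOFT", i.e. SOFT must immediately follow the
    end-of-headers CRLFCRLF rather than appear anywhere in the payload."""
    uri = request_uri(raw)
    return b"btn=" in uri and b"q=" in uri and b"\r\n\r\nSOFT" in raw


def matches_2008661(raw: bytes) -> bool:
    """Zbot/Zeus rule: "POST " within depth 5, ".php?" and all seven parameters in the URI."""
    if raw[:5] != b"POST ":
        return False
    uri = request_uri(raw)
    needed = (b".php?", b"zip=", b"type=", b"name=", b"q=", b"item=", b"id=", b"rdp=")
    return all(token in uri for token in needed)
```

Note that uricontent matches are plain substrings, so "q=" alone would also hit on e.g. "freq=" in unrelated traffic; the body anchor on SOFT is what keeps 2008665 tight.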
