[Emerging-Sigs] sid 2011827: Xilcter? Win32.Patched.jw?

Packet Hack pckthck at gmail.com
Tue Oct 26 08:19:38 EDT 2010


I just realized we're already ticketing events with payloads like this:

   /message.php?subid=

as Xilcter:

  http://www.google.com/search?q=site:threatexpert.com+%22/message.php%3Fsubid%3D%22+xilcter&num=100&hl=en&safe=off&client=firefox-a&hs=2di&rls=org.mozilla:en-US:official&filter=0

A sample payload from the past year:

   GET /message.php?subid=10&version=_v25 HTTP/1.1
   Host: mynewworldorder.cn
   User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

They all start with /message.php?subid= but vary a little.

sid 2011827 (ET TROJAN Zeus related malware dropper reporting in) just
tripped on this one:

   GET /message.php?subid=476&br=IE_8.00&os=21&flg=53&id=71B2A0A95AC1EC173A8BE2819EA95676&ad=in&ver=_if12 HTTP/1.1
   Host: nanocloudcontroller.com
   User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

The only hits I found identifying payloads that match the current sig
are from zhhacker.com:

http://translate.google.com/translate?hl=en&sl=zh-CN&u=http://www.zhhacker.com/bbs/viewthread.php%3Ftid%3D3303%26extra%3Dpage%253D1&ei=IcTGTOjLMIS8lQeApvDyAQ&sa=X&oi=translate&ct=result&resnum=3&ved=0CCQQ7gEwAg&prev=/search%3Fq%3D%2522/message.php%253Fsubid%253D%2522%2B%2522os%253D%2522%2B%2522br%253D%2522%2B%2522flg%253D%2522%26num%3D100%26hl%3Den%26safe%3Doff%26client%3Dfirefox-a%26hs%3DiMO%26rls%3Dorg.mozilla:en-US:official

Anyway, just food for thought for a malware name to go with this one.

-- pckthck
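The post above argues that the check-ins all share the `/message.php?subid=` prefix but differ in their trailing parameters. The following Python is an added example for readers of the archive, not part of the original post and not the Emerging Threats rule for sid 2011827: it parses raw HTTP requests, matches on the stable prefix rather than on any one variant's full parameter list, and reports which of the optional beacon fields (`br`, `os`, `flg`, `id`, `ad`, `ver`, `version`) each hit carries, so an analyst can see at triage time which variant of the check-in was observed. The two malicious requests are the ones quoted in the post; the third request is constructed to show that an ordinary `message.php` URL without `subid` is not flagged.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Two requests quoted in the list post (the earlier sample and the one
# that tripped sid 2011827), plus one constructed benign request so the
# matcher can be shown not to fire on an unrelated message.php URL.
SAMPLE_REQUESTS = [
    ("GET /message.php?subid=10&version=_v25 HTTP/1.1\r\n"
     "Host: mynewworldorder.cn\r\n"
     "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6; "
     ".NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; "
     ".NET CLR 3.5.30729)\r\n\r\n"),
    ("GET /message.php?subid=476&br=IE_8.00&os=21&flg=53"
     "&id=71B2A0A95AC1EC173A8BE2819EA95676&ad=in&ver=_if12 HTTP/1.1\r\n"
     "Host: nanocloudcontroller.com\r\n"
     "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n\r\n"),
    # Constructed: a forum-style message.php request with no subid parameter.
    ("GET /message.php?id=42&action=view HTTP/1.1\r\n"
     "Host: forum.example\r\n\r\n"),
]

# Optional parameters seen across the variants quoted in the post.
BEACON_PARAMS = ("br", "os", "flg", "id", "ad", "ver", "version")

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")


def parse_request(raw):
    """Return (method, path, query dict, headers dict) for one raw HTTP/1.x
    request, or None if the request line is malformed."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs returns lists; the check-in uses each parameter once.
    query = {k: v[0] for k, v in
             parse_qs(parts.query, keep_blank_values=True).items()}
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return m.group("method"), parts.path, query, headers


def classify(raw):
    """Match one request against the /message.php?subid= check-in pattern.

    Returns None when the request does not match. Otherwise returns the Host
    header, the subid value and the list of optional beacon parameters that
    were present, in BEACON_PARAMS order, so the variant is visible at triage.
    """
    parsed = parse_request(raw)
    if parsed is None:
        return None
    method, path, query, headers = parsed
    # Match on the stable part only: GET, the exact path, a numeric subid.
    if method != "GET" or path != "/message.php" or "subid" not in query:
        return None
    if not query["subid"].isdigit():
        return None
    return {
        "host": headers.get("host", ""),
        "subid": query["subid"],
        "extra_params": [p for p in BEACON_PARAMS if p in query],
    }


def triage(requests):
    """Return the classification for every request that matches."""
    return [hit for hit in (classify(r) for r in requests) if hit is not None]


if __name__ == "__main__":
    for hit in triage(SAMPLE_REQUESTS):
        print(hit)
```

Matching on the prefix plus a numeric `subid` (rather than on `br=`, `os=` and `flg=` together) is what lets both of the quoted variants surface under one check while the unrelated `message.php` request is ignored; the `extra_params` list is what the analyst would look at when deciding whether the variants deserve separate names.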

