[Emerging-Sigs] sid 2011827: Xilcter? Win32.Patched.jw?

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Oct 26 08:44:49 EDT 2010


Much better info, updating. Thanks!

Matt

On Oct 26, 2010, at 8:19 AM, Packet Hack wrote:

> I just realized we're already ticketing events with payloads like this:
> 
>    /message.php?subid=
> 
> as Xilcter:
> 
>   http://www.google.com/search?q=site:threatexpert.com+%22/message.php%3Fsubid%3D%22+xilcter&num=100&hl=en&safe=off&client=firefox-a&hs=2di&rls=org.mozilla:en-US:official&filter=0
> 
> A sample payload from the past year:
> 
>    GET /message.php?subid=10&version=_v25 HTTP/1.1
>    Host: mynewworldorder.cn
>    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
> 
> They all start with /message.php?subid= but vary a little.
> 
> sid 2011827 (ET TROJAN Zeus related malware dropper reporting in) just
> tripped on this one:
> 
>   GET /message.php?subid=476&br=IE_8.00&os=21&flg=53&id=71B2A0A95AC1EC173A8BE2819EA95676&ad=in&ver=_if12 HTTP/1.1
>   Host: nanocloudcontroller.com
>   User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
> 
> The only hits I found identifying payloads that match the current sig
> are from zhhacker.com:
> 
> http://translate.google.com/translate?hl=en&sl=zh-CN&u=http://www.zhhacker.com/bbs/viewthread.php%3Ftid%3D3303%26extra%3Dpage%253D1&ei=IcTGTOjLMIS8lQeApvDyAQ&sa=X&oi=translate&ct=result&resnum=3&ved=0CCQQ7gEwAg&prev=/search%3Fq%3D%2522/message.php%253Fsubid%253D%2522%2B%2522os%253D%2522%2B%2522br%253D%2522%2B%2522flg%253D%2522%26num%3D100%26hl%3Den%26safe%3Doff%26client%3Dfirefox-a%26hs%3DiMO%26rls%3Dorg.mozilla:en-US:official
> 
> Anyway, just food for thought for a malware name to go with this one.
> 
> -- pckthck
> 


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
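The check-in pattern discussed above, as an added example that is not part of the thread and is not the text of ET sid 2011827 (the rule body is not quoted here). It re-types the two requests from the thread as test input, adds a third, constructed request that should not match, and implements the plain-text check pckthck describes: a GET whose URI starts with /message.php?subid=, with the query parameters pulled out so variants can be compared. Treating the presence of br/os/flg/id as a "full check-in" variant is this example's own heuristic, not something the thread states the signature keys on.

```python
"""Toy classifier for the /message.php?subid= check-in pattern from the thread."""
from urllib.parse import urlsplit, parse_qs

# The first two requests are the ones quoted in the thread (mail-client line
# wrapping removed); the third is constructed here as a benign request that
# must not match, since it has no subid parameter.
SAMPLE_REQUESTS = [
    "GET /message.php?subid=10&version=_v25 HTTP/1.1\r\n"
    "Host: mynewworldorder.cn\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6; "
    ".NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; "
    ".NET CLR 3.5.30729)\r\n\r\n",
    "GET /message.php?subid=476&br=IE_8.00&os=21&flg=53"
    "&id=71B2A0A95AC1EC173A8BE2819EA95676&ad=in&ver=_if12 HTTP/1.1\r\n"
    "Host: nanocloudcontroller.com\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n\r\n",
    "GET /message.php?id=5 HTTP/1.1\r\nHost: example.com\r\n\r\n",
]

# The fixed prefix every sample in the thread shares.
URI_PREFIX = "/message.php?subid="

# Assumption for this example only: parameters seen in the second sample that
# distinguish the longer check-in from the shorter subid/version form.
FULL_CHECKIN_PARAMS = {"br", "os", "flg", "id"}


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, uri, headers).

    Only the head (before the blank line) is parsed; header names are lowercased.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def classify(raw):
    """Return None if the request does not match the subid pattern, else a summary.

    The summary carries the Host header, the subid value, the sorted parameter
    names (for comparing variants) and whether the longer check-in form is present.
    """
    method, uri, headers = parse_request(raw)
    if method != "GET" or not uri.startswith(URI_PREFIX):
        return None
    # parse_qs returns lists; each parameter appears once in these samples.
    params = {k: v[0] for k, v in parse_qs(urlsplit(uri).query).items()}
    return {
        "host": headers.get("host"),
        "subid": params.get("subid"),
        "params": sorted(params),
        "full_checkin": FULL_CHECKIN_PARAMS.issubset(params),
    }


def scan(requests):
    """Classify every request and keep only the matches."""
    return [hit for hit in (classify(r) for r in requests) if hit is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(hit)
```

Running it prints the two check-ins from the thread and skips the constructed benign request; the sorted parameter list is what you would diff across new hits to decide whether a variant still belongs under the same name.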
