[Emerging-Sigs] Proposed Signature, SpyEye C&C and HTTP Library

evilghost@packetmail.net evilghost at packetmail.net
Wed Oct 27 09:24:08 EDT 2010



New event, it was detected by SID 2002400 from ET and 16669 from VRT, VRT calls
this "Spyeye bot contact to C&C server attempt".  I propose this submission
into ET, I'll let Eoin and the other malware guys come up with a name for this
if they don't like SpyEye.  It leaked username and workstation name and is
"ZeuS-like".  The second SID *may* false, I have already seen it false against
McAfee AutoUpdate.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - SpyEye C&C Check-in URI"; flow:established,to_server; content:"guid="; http_uri; fast_pattern; content:"ver="; http_uri; content:"stat="; http_uri; content:"ie="; http_uri; content:"os="; http_uri; pcre:"/(\?|&)guid=.*?!.*?!.*?&/U"; classtype:trojan-activity; reference:url,www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot; sid:2010xxx; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - SpyEye style HTTP Header GET structure"; flow:established,to_server; content:"GET"; http_method; content:"|20|HTTP/1.0|0d 0a|User-Agent\:|20|"; content:"|0d 0a|Host\:|20|"; distance:0; content:"|0d 0a|Pragma\: no-cache|0d 0a|"; content:!"|0d 0a|Host\: update.nai.com"; distance:0; classtype:trojan-activity; reference:url,www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot; sid:2010xxx; rev:1;)

07:25:57.816276 IP 10.87.8.107.1244 > 193.169.188.3.80: P 1:284(283) ack 1 win 65535
GET /maincp/gate.php?guid=leaked_username!leaked_workstation_name!D2CE01E9&ver=10280&stat=ONLINE&ie=8.0.6001.18702&os=5.1.2600&ut=User&cpu=98&ccrc=642DA10E&md5=911c34cbb2c5a82fef9ead1580cde36a HTTP/1.0
User-Agent: Microsoft Internet Explorer
Host: www.galichina.zaporizhzhe.ua
Pragma: no-cache

-evilghost
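As an added, defender-side illustration (not code from the post or from the ET project), the two proposed rules re-expressed as plain Python detection logic and run over the captured check-in plus a constructed McAfee AutoUpdate-shaped request; the update.nai.com exclusion is applied here as a simple Host header check, and both sample requests are constructed from the post.

```python
import re

# Constructed samples: the first is the check-in captured in the post, the second is a
# benign HTTP/1.0 GET shaped like the McAfee AutoUpdate traffic the poster saw falsing.
SPYEYE_REQUEST = (
    "GET /maincp/gate.php?guid=leaked_username!leaked_workstation_name!D2CE01E9"
    "&ver=10280&stat=ONLINE&ie=8.0.6001.18702&os=5.1.2600&ut=User&cpu=98"
    "&ccrc=642DA10E&md5=911c34cbb2c5a82fef9ead1580cde36a HTTP/1.0\r\n"
    "User-Agent: Microsoft Internet Explorer\r\n"
    "Host: www.galichina.zaporizhzhe.ua\r\n"
    "Pragma: no-cache\r\n\r\n"
)
AUTOUPDATE_REQUEST = (  # constructed; path is a placeholder, only the headers matter here
    "GET /updater/catalog.z HTTP/1.0\r\n"
    "User-Agent: McAfee AutoUpdate\r\n"
    "Host: update.nai.com\r\n"
    "Pragma: no-cache\r\n\r\n"
)

REQUIRED_KEYS = {"guid", "ver", "stat", "ie", "os"}       # the five http_uri content checks
GUID_RE = re.compile(r"(\?|&)guid=.*?!.*?!.*?&")          # the rule's pcre: user!host!hex&...

def request_uri(raw):
    """Return the request-target from the request line of a raw HTTP request."""
    return raw.split("\r\n", 1)[0].split(" ")[1]

def checkin_uri_match(raw):
    """Rule 1: all five parameter names present and guid carrying two '!' separators."""
    uri = request_uri(raw)
    keys = {p.split("=", 1)[0] for p in uri.partition("?")[2].split("&") if p}
    return REQUIRED_KEYS <= keys and GUID_RE.search(uri) is not None

def header_structure_match(raw):
    """Rule 2: bare HTTP/1.0 GET whose headers are User-Agent, Host, Pragma: no-cache."""
    if not raw.startswith("GET "):
        return False
    ua = raw.find(" HTTP/1.0\r\nUser-Agent: ")            # UA must directly follow the request line
    if ua < 0 or raw.find("\r\nHost: ", ua) < 0:          # Host somewhere after it (distance:0)
        return False
    if "\r\nPragma: no-cache\r\n" not in raw:
        return False
    # The rule's negated content, applied here as a plain Host exclusion for update.nai.com.
    return "\r\nHost: update.nai.com" not in raw

def classify(raw):
    """Return the names of the proposed rules that would fire on this request."""
    hits = []
    if checkin_uri_match(raw):
        hits.append("SpyEye C&C Check-in URI")
    if header_structure_match(raw):
        hits.append("SpyEye style HTTP Header GET structure")
    return hits
```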




