[Emerging-Sigs] ET TROJAN Win32.VBNA.b Checkin Signature

Martin Holste mcholste at gmail.com
Mon Oct 10 15:36:57 EDT 2011


I'd try to see if there was anything unique about the user agent or
headers.  The response the client sends would be the same for legit
and illegitimate uses, so unless we went with just a policy sig, there
will always be false positives.

On Mon, Oct 10, 2011 at 2:28 PM, Micah Kays <micah.d.kays at gmail.com> wrote:
> That was the only traffic generated.
>
> Thank you Mr. Holste.
>
> P.S. - My IP address and country were revealed back to the destination
> server. Should i try writing a signature based on that?
>
> On 10/10/11, Martin Holste <mcholste at gmail.com> wrote:
>> I'm assuming these are to api.ipinfodb.com?  That looks like a legit
>> site, so, much like adobe.com's geoip.php, this is another abuse of a
>> legit service.  The problem is that while Adobe's page seemed largely
>> unused by legit apps, I see plenty of legit apps using this page.  Is
>> there no other traffic to create a check-in sig on?
>>
>> On Sun, Oct 9, 2011 at 10:58 PM, Micah Kays <micah.d.kays at gmail.com> wrote:
>>> alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET TROJAN
>>> Win32.VBNA.b Checkin"; content:"GET"; http_method;
>>> uricontent:"ip_query_country.php?key="; uricontent:"&timezone=";
>>> classtype:trojan-activity;
>>> reference:url,http://www.threatexpert.com/report.aspx?md5=0d6cd3944f0dc79275727393c66ab744
>>> sid:001; rev:1;)
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>>> http://www.emergingthreatspro.com
>>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
>>> Current!
>>>
>>
>


More information about the Emerging-sigs mailing list