[Emerging-Sigs] Unknown Trojan posting

Martin Holste mcholste at gmail.com
Mon Oct 24 15:08:29 EDT 2011


I picked up this one posting out to a couple sites: d0ct0rh0use.com
(213.5.68.105, not on RBN) and with-love.me (109.236.81.117, on RBN).
It looks like the UA remains constant, as does the URI:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown checkin"; content:"POST"; http_method; content:"/c.php"; http_uri; content:"User-Agent: Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 5.1|3b| Trident/4.0|3b| )|0d 0a|"; http_header; classtype:trojan-activity; sid:x; rev:x;)

Here's some example traffic:

POST /us/c.php HTTP/1.0
Accept: text/html, */*
Connection: keep-alive
Content-Type: multipart/form-data; boundary=------ntmrfishjfqgvmk
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; )
Host: d0ct0rh0use.com
Content-Length: 526
Pragma: no-cache

--------ntmrfishjfqgvmk
Content-Disposition: form-data; name="1"

...S..r).7<W]8.0.....I...-%.j.M....^@
.=..... ....s.....&.Ws.P..S.~;..^
L.5....s..r...k5o.....`C...Z.o.8.7E......S.=?.y..i....M.'..l
.=......W..G.....\].:
hYr...g...
--------ntmrfishjfqgvmk
Content-Disposition: form-data; name="0"

..\... ....-...r	..{....VH.0h!7B...il..<..$..j.....z.o...Q..+:..)..D....i#...=8......K.].1`....E._.2..R8p...}.....J..<...^6..........*2=.H........h......8...,VV...,Ah...z.L8.......V..."wt.
--------ntmrfishjfqgvmk--

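The following is an added example, not part of the mailing-list post above, that re-implements the matching logic of the proposed signature in Python so an analyst can test it against captured requests offline. It expands Snort's `|hex|` content notation (the `|3b|` semicolons and the `|0d 0a|` CRLF) into bytes, then applies the three conditions (HTTP method `POST`, `/c.php` as a substring of the URI, and the exact User-Agent line in the header block). The sample requests are constructed from the headers quoted in the post; the form-data body is omitted and the second and third samples are hypothetical negatives. Real engines normalise the header and URI buffers before matching, which this simplified parser does not do.

```python
# Added example: approximate the proposed "ET TROJAN Unknown checkin" rule
# in Python for offline testing against captured HTTP requests.

def snort_content_to_bytes(pattern: str) -> bytes:
    """Expand Snort/Suricata content syntax into raw bytes.

    Text outside |...| is literal; text inside |...| is space-separated
    hex bytes, so "compatible|3b| MSIE" becomes b"compatible; MSIE".
    """
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")   # literal text
        else:
            out += bytes.fromhex(chunk)      # hex block such as "0d 0a"
    return bytes(out)


# Content matches taken from the rule in the post.
UA_CONTENT = snort_content_to_bytes(
    "User-Agent: Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| "
    "Windows NT 5.1|3b| Trident/4.0|3b| )|0d 0a|"
)
URI_CONTENT = b"/c.php"
METHOD_CONTENT = b"POST"


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, uri, header_block).

    header_block contains every header line, each terminated by CRLF,
    so a content ending in |0d 0a| can match the end of a header line.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    method = parts[0]
    uri = parts[1] if len(parts) > 1 else b""
    header_block = b"".join(line + b"\r\n" for line in lines[1:])
    return method, uri, header_block


def triggered_conditions(raw: bytes) -> dict:
    """Return which of the rule's three conditions the request satisfies."""
    method, uri, headers = parse_request(raw)
    return {
        "http_method": method == METHOD_CONTENT,
        "http_uri": URI_CONTENT in uri,        # substring match, like content:
        "http_header": UA_CONTENT in headers,
    }


def matches_checkin(raw: bytes) -> bool:
    """True only when every condition of the rule matches (logical AND)."""
    return all(triggered_conditions(raw).values())


# Constructed sample: the check-in quoted in the post, body omitted.
SAMPLE_CHECKIN = (
    b"POST /us/c.php HTTP/1.0\r\n"
    b"Accept: text/html, */*\r\n"
    b"Connection: keep-alive\r\n"
    b"Content-Type: multipart/form-data; boundary=------ntmrfishjfqgvmk\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; )\r\n"
    b"Host: d0ct0rh0use.com\r\n"
    b"Content-Length: 526\r\n"
    b"Pragma: no-cache\r\n"
    b"\r\n"
    b"--------ntmrfishjfqgvmk\r\n"
)

# Constructed (hypothetical) negatives: same User-Agent, different URI,
# and a GET to the same path.
SAMPLE_OTHER_URI = SAMPLE_CHECKIN.replace(b"POST /us/c.php", b"POST /index.php")
SAMPLE_GET = SAMPLE_CHECKIN.replace(b"POST /us/c.php", b"GET /us/c.php")

if __name__ == "__main__":
    for name, sample in [("checkin", SAMPLE_CHECKIN),
                         ("other_uri", SAMPLE_OTHER_URI),
                         ("get", SAMPLE_GET)]:
        print(name, matches_checkin(sample), triggered_conditions(sample))
```

Note that `content:"/c.php"` is a substring match, so the rule fires on `/us/c.php` as seen in the capture; the per-condition breakdown from `triggered_conditions` is useful when tuning, since the User-Agent string alone is a common IE8 value and only the combination with the URI and method is meaningful.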
