[Emerging-Sigs] Unknown Trojan posting

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Oct 25 16:28:54 EDT 2011


Nice, Pedro is posting as well.

Thanks!

Matt


On Oct 24, 2011, at 3:08 PM, Martin Holste wrote:

> I picked up this one posting out to a couple sites: d0ct0rh0use.com
> (213.5.68.105, not on RBN) and with-love.me (109.236.81.117, on RBN).
> It looks like the UA remains constant, as does the URI:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown checkin"; content:"POST"; http_method; content:"/c.php"; http_uri; content:"User-Agent: Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 5.1|3b| Trident/4.0|3b| )|0d 0a|"; http_header; classtype:trojan-activity; sid:x; rev:x;)
> 
> Here's some example traffic:
> 
> POST /us/c.php HTTP/1.0
> Accept: text/html, */*
> Connection: keep-alive
> Content-Type: multipart/form-data; boundary=------ntmrfishjfqgvmk
> User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; )
> Host: d0ct0rh0use.com
> Content-Length: 526
> Pragma: no-cache
> 
> --------ntmrfishjfqgvmk
> Content-Disposition: form-data; name="1"
> 
> ...S..r).7<W]8.0.....I...-%.j.M....^@
> .=..... ....s.....&.Ws.P..S.~;..^
> L.5....s..r...k5o.....`C...Z.o.8.7E......S.=?.y..i....M.'..l
> .=......W..G.....\].:
> hYr...g...
> --------ntmrfishjfqgvmk
> Content-Disposition: form-data; name="0"
> 
> ..\... ....-...r	..{....VH.0h!7B...il..<..$..j.....z.o...Q..+:..)..D....i#...=8......K.].1`....E._.2..R8p...}.....J..<...^6..........*2=.H........h......8...,VV...,Ah...z.L8.......V..."wt.
> --------ntmrfishjfqgvmk--
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
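As an added example (not part of the original thread, and not Emerging Threats' or the list members' code), the three conditions of Martin's rule, POST method, "/c.php" anywhere in the URI and the exact User-Agent header line with its trailing "; )", reproduced in Python and run over constructed HTTP requests. The hosts and User-Agent strings are taken from the post; the multipart body in the post is binary and not reproducible, so a short placeholder body stands in for it. The generic IE8 User-Agent (without the "; )" quirk) is included to show that the rule keys on that quirk and not on MSIE 8.0 traffic in general.

```python
"""Added example: the posted Snort rule's match conditions re-implemented in
Python and run over constructed HTTP requests. Not from the original thread."""

# Conditions of the rule in the post: method POST, "/c.php" anywhere in the
# URI, and the full User-Agent header line, trailing "; )" and CRLF included.
URI_NEEDLE = b"/c.php"
UA_LINE = (b"User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; "
           b"Windows NT 5.1; Trident/4.0; )\r\n")


def parse_request(raw):
    """Split a raw HTTP request into (method, uri, headers).

    headers maps lower-cased header name -> value and also keeps the raw
    header block under b"__raw__" so an exact Snort-style content match
    against "Name: value\\r\\n" is possible. Returns None on a malformed
    request line."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {b"__raw__": block + b"\r\n"}
    for line in block.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def matches_checkin(raw):
    """True when a request satisfies all three conditions of the rule."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, uri, headers = parsed
    # Snort's http_header buffer is matched as a substring; anchoring the
    # needle at a line start here avoids a hit on e.g. "X-User-Agent: ...".
    block = b"\r\n" + headers[b"__raw__"]
    return (method == b"POST"
            and URI_NEEDLE in uri
            and b"\r\n" + UA_LINE in block)


def scan(requests):
    """Return the Host header of every request the rule would fire on."""
    hits = []
    for raw in requests:
        if matches_checkin(raw):
            hits.append(parse_request(raw)[2].get(b"host", b"?"))
    return hits


def build(method, uri, host, ua, body=b""):
    """Assemble a request in the shape of the posted sample (constructed;
    the binary multipart body from the post is replaced by a placeholder)."""
    return (method + b" " + uri + b" HTTP/1.0\r\n"
            b"Accept: text/html, */*\r\n"
            b"Connection: keep-alive\r\n"
            b"Content-Type: multipart/form-data; boundary=------ntmrfishjfqgvmk\r\n"
            b"User-Agent: " + ua + b"\r\n"
            b"Host: " + host + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            b"Pragma: no-cache\r\n\r\n" + body)


# User-Agent from the post (note the "; )" before the closing paren) and the
# ordinary IE8 string a real browser would send, for contrast.
CHECKIN_UA = b"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; )"
REAL_IE8_UA = b"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"

# Constructed sample set: two checkins to the hosts named in the post, then
# three requests that each fail exactly one of the rule's conditions.
SAMPLES = [
    build(b"POST", b"/us/c.php", b"d0ct0rh0use.com", CHECKIN_UA, b"\x00\x01placeholder"),
    build(b"POST", b"/c.php", b"with-love.me", CHECKIN_UA, b"placeholder"),
    build(b"POST", b"/us/c.php", b"example.org", REAL_IE8_UA, b"x=1"),  # UA lacks "; )"
    build(b"GET", b"/c.php", b"d0ct0rh0use.com", CHECKIN_UA),            # wrong method
    build(b"POST", b"/index.php", b"example.org", CHECKIN_UA, b"x=1"),   # no /c.php in URI
]

if __name__ == "__main__":
    for host in scan(SAMPLES):
        print("ET TROJAN Unknown checkin ->", host.decode())
```

Only the first two samples fire; the plain IE8 request to /us/c.php does not, because the rule's http_header content ends with "|3b| )|0d 0a|" and so requires the malformed trailing "; )". That quirk is what makes the User-Agent a useful pivot here rather than a source of false positives on ordinary MSIE 8.0 traffic.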

