[Emerging-Sigs] Are these FPs or not?

Christopher Granger chrisgrangerx at gmail.com
Wed Dec 12 14:13:10 HAST 2012


Example requests from validated infections, each using a unique set of C&C
servers

[image: Inline image 2]
[image: Inline image 1]

On Wed, Dec 12, 2012 at 6:30 PM, Christopher Granger <
chrisgrangerx at gmail.com> wrote:

> I checked recent alerts on 2012801. TPs appear to be HTTP POST requests
> via 8080/TCP, sampling over the last 30 days. FPs are definitely possible
> from certain apps. I still see evidence that Ponmocup is not generating
> anomalous UAs by changing system settings, but instead writing the HTTP
> field value (and probably the rest of the header) for each C2 request.
>
>
> On Wed, Dec 12, 2012 at 5:02 PM, Christopher Granger <
> chrisgrangerx at gmail.com> wrote:
>
>> This was dealing w/ Ponmocup variants around more than a year ago,
>> however. I haven't been following this malware too closely since.
>>
>>
>> On Wed, Dec 12, 2012 at 5:01 PM, Christopher Granger <
>> chrisgrangerx at gmail.com> wrote:
>>
>>> Russell,
>>>
>>> In my past observations of Ponmocup, I was able to validate compromises
>>> by observing HTTP requests out from suspected infections that were known
>>> unrelated to C&C beaconing. The UA tokens were only altered on requests to
>>> suspected C&C servers, proving the presence of malicious logic that was
>>> writing its own C&C requests.
>>>
>>> -Chris
>>>
>>>
>>> On Wed, Dec 12, 2012 at 4:29 PM, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
>>>
>>>>
>>>> ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup     2012801
>>>>
>>>> We have one machine on our wireless network which is repeatedly
>>>> triggering this alert on what are clearly legitimate queries, including
>>>> things like this:
>>>>
>>>> GET /complete/search?output=firefox&hl=en&q=sion HTTP/1.1
>>>> Connection: close
>>>> Host: suggestqueries.google.com
>>>> User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
>>>>
>>>> On an infected machine, does the user-agent string get used on traffic
>>>> generated by the malware, or does the default UA get changed?
>>>>
>>>> Russell
>>>>
>>>> _______________________________________________
>>>> Emerging-sigs mailing list
>>>> Emerging-sigs at lists.emergingthreats.net
>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>
>>>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>>>> http://www.emergingthreatspro.com
>>>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
>>>> Current!
>>>>
>>>
>>>
>>
>
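The validation approach Chris describes (compare the UA a host sends to suspected C&C destinations against the UA it sends on unrelated traffic) can be turned into a triage script for alerts on 2012801. The following is an added example written for this archive, not code from the thread or from Emerging Threats; the log format, the sample records and the regex approximating the spoofed-UA shape are all constructed assumptions. A host whose every request, including obviously benign ones like the suggestqueries.google.com query above, carries the spoofed UA looks like an application or system-wide setting (Russell's case); a host that sends a normal UA everywhere except to a few destinations, particularly POSTs over 8080/TCP, matches the behaviour Chris observed and is worth validating.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the thread). One HTTP request per line,
# tab-separated: src_ip, dst_ip, dst_port, method, host, user_agent.
SAMPLE_LOG = """\
10.0.0.5\t74.125.0.1\t80\tGET\tsuggestqueries.google.com\tMozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
10.0.0.5\t74.125.0.2\t80\tGET\twww.google.com\tMozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
10.0.0.5\t93.184.216.34\t443\tGET\twww.example.com\tMozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
10.0.0.9\t74.125.0.1\t80\tGET\tsuggestqueries.google.com\tMozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
10.0.0.9\t198.51.100.7\t8080\tPOST\t198.51.100.7\tMozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
10.0.0.9\t203.0.113.44\t8080\tPOST\t203.0.113.44\tMozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
10.0.0.9\t93.184.216.34\t80\tGET\twww.example.com\tMozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
"""

# Assumption: approximates the UA shape the rule alerts on, taken from Russell's
# sample request. A genuine MSIE 7 UA starts "Mozilla/4.0 (compatible; MSIE 7.0; ...)";
# an "MSIE 7.0" token inside a Mozilla/5.0 "(Windows; U; ...)" layout is the spoofed form.
SPOOFED_MSIE7 = re.compile(r"^Mozilla/5\.0 \(Windows; U; MSIE 7\.0;")


def parse_log(text):
    """Parse the constructed tab-separated format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, method, host, ua = line.split("\t", 5)
        records.append({"src": src, "dst": dst, "port": int(port),
                        "method": method, "host": host, "ua": ua})
    return records


def triage(records):
    """Per source host: does the spoofed UA appear on every request (uniform,
    likely an app/system setting) or only on a subset while other requests
    carry a normal UA (mixed, consistent with malware writing its own headers)?"""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)

    verdicts = {}
    for src, reqs in by_src.items():
        spoofed = [r for r in reqs if SPOOFED_MSIE7.match(r["ua"])]
        if not spoofed:
            continue  # host never tripped the signature
        normal = [r for r in reqs if not SPOOFED_MSIE7.match(r["ua"])]
        # Secondary feature from the thread: observed TPs were POSTs via 8080/TCP.
        post_8080 = sum(1 for r in spoofed
                        if r["method"] == "POST" and r["port"] == 8080)
        verdicts[src] = {
            "verdict": "validate" if normal else "likely-fp",
            "spoofed_dsts": sorted({r["host"] for r in spoofed}),
            "normal_dsts": sorted({r["host"] for r in normal}),
            "post_8080": post_8080,
        }
    return verdicts


if __name__ == "__main__":
    for src, v in triage(parse_log(SAMPLE_LOG)).items():
        print(src, v["verdict"], "spoofed->", v["spoofed_dsts"],
              "normal->", v["normal_dsts"], "POST:8080 =", v["post_8080"])
```

"validate" is deliberately not "true positive": a single application with its own UA on an otherwise clean host produces the same mixed pattern, so the spoofed destinations still need to be checked against known C&C before the host is declared infected.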