[Emerging-Sigs] Are these FPs or not?

Christopher Granger chrisgrangerx at gmail.com
Wed Dec 12 13:30:02 HAST 2012


I checked recent alerts on 2012801. TPs appear to be HTTP POST requests via
8080/TCP, sampling over the last 30 days. FPs are definitely possible from
certain apps. I still see evidence that Ponmocup is not generating
anomalous UAs by changing system settings, but instead writing the HTTP
field value (and probably the rest of the header) for each C2 request.

On Wed, Dec 12, 2012 at 5:02 PM, Christopher Granger <
chrisgrangerx at gmail.com> wrote:

> This was dealing w/ Ponmocup variants around more than a year ago,
> however. I haven't been following this malware too closely since.
>
>
> On Wed, Dec 12, 2012 at 5:01 PM, Christopher Granger <
> chrisgrangerx at gmail.com> wrote:
>
>> Russell,
>>
>> In my past observations of Ponmocup, I was able to validate compromises
>> by observing HTTP requests out from suspected infections that were known
>> unrelated to C&C beaconing. The UA tokens were only altered on requests to
>> suspected C&C servers, proving the presence of malicious logic that was
>> writing its own C&C requests.
>>
>> -Chris
>>
>>
>> On Wed, Dec 12, 2012 at 4:29 PM, Russell Fulton <r.fulton at auckland.ac.nz>wrote:
>>
>>>
>>> ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup     2012801
>>>
>>> We have one machine on our wireless network which is repeatedly
>>> triggering this alert on what are clearly legitimate queries including
>>> things like this:
>>>
>>> GET /complete/search?output=firefox&hl=en&q=sion HTTP/1.1
>>> Connection: close
>>> Host: suggestqueries.google.com
>>> User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
>>>
>>> On an infected machine does the user-agent string get used on traffic
>>> generated by the malware or does the default UA get changed?
>>>
>>> Russell
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at lists.emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>>> http://www.emergingthreatspro.com
>>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
>>> Current!
>>>
>>
>>
>
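The thread gives two triage clues for sid 2012801: the spoofed MSIE 7 UA on a real Ponmocup infection appears only on the malware's own C2 requests (observed as HTTP POST over 8080/TCP), while the host's ordinary browsing keeps its normal UA, whereas a host whose every request carries the odd UA is more likely an app or system setting. The script below turns those clues into a per-source verdict over flattened HTTP log records. It is an added example, not code from the list, from Emerging Threats or from the rule itself; the log format, the addresses, the `c2.example.invalid` host and the `is_spoofed_ua` heuristic are all constructed here.

```python
"""Triage helper for 'Spoofed MSIE 7 User-Agent' alerts.

Added example, not from the mailing-list post or the ET rule.  It assumes
HTTP logs have been flattened to one pipe-separated line per request:
    src|method|dst_host|dst_port|user_agent
The sample log and all hosts/addresses in it are constructed.
"""
import re
from collections import defaultdict

# Heuristic modelled on the UA quoted in the thread.  A Mozilla/5.0 product
# token combined with an "MSIE 7.0" comment is self-contradictory, because a
# genuine IE7 announces itself as "Mozilla/4.0 (compatible; MSIE 7.0; ...)".
# This is an assumption about what makes the UA look spoofed, not the
# content of the ET rule.
SPOOFED_UA = re.compile(r"^Mozilla/5\.0 \([^)]*\bMSIE 7\.0\b[^)]*\)")

# Constructed sample: 10.0.0.5 sends the odd UA on *all* of its traffic
# (Russell's wireless client); 10.0.0.9 browses with Firefox but sends the
# odd UA only on POSTs to port 8080 (the pattern Chris describes).
SAMPLE_LOG = """\
10.0.0.5|GET|suggestqueries.google.com|80|Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
10.0.0.5|GET|www.example.com|80|Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
10.0.0.5|POST|login.example.com|443|Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
10.0.0.9|GET|suggestqueries.google.com|80|Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
10.0.0.9|GET|www.example.com|80|Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
10.0.0.9|POST|c2.example.invalid|8080|Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
10.0.0.9|POST|c2.example.invalid|8080|Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
"""


def is_spoofed_ua(ua):
    """True when the UA matches the inconsistent Mozilla/5.0 + MSIE 7.0 shape."""
    return bool(SPOOFED_UA.match(ua))


def parse_log(text):
    """Parse the constructed pipe-separated format into dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, method, host, port, ua = line.split("|", 4)
        records.append({"src": src, "method": method, "dst_host": host,
                        "dst_port": int(port), "user_agent": ua})
    return records


def triage(records):
    """Group requests by source and return a verdict per alerting host.

    likely-TP   : spoofed UA on only a subset of traffic, and that subset is
                  POST over 8080/TCP (the C2 pattern described in the thread)
    likely-FP   : every request from the host carries the spoofed UA, which
                  points at an app/system-wide setting rather than malware
    needs-review: spoofed UA on a subset, but not in the known C2 shape
    """
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)

    verdicts = {}
    for src, reqs in by_src.items():
        spoofed = [r for r in reqs if is_spoofed_ua(r["user_agent"])]
        if not spoofed:
            continue  # host never triggered the rule
        normal = [r for r in reqs if not is_spoofed_ua(r["user_agent"])]
        c2_like = [r for r in spoofed
                   if r["method"] == "POST" and r["dst_port"] == 8080]
        if not normal:
            verdict = "likely-FP"
        elif c2_like:
            verdict = "likely-TP"
        else:
            verdict = "needs-review"
        verdicts[src] = {
            "verdict": verdict,
            "spoofed": len(spoofed),
            "normal": len(normal),
            "c2_like": sorted({r["dst_host"] for r in c2_like}),
        }
    return verdicts


if __name__ == "__main__":
    for src, v in sorted(triage(parse_log(SAMPLE_LOG)).items()):
        print(src, v)
```

The verdicts are a starting point for analyst review, not a replacement for it: a host rated likely-FP still deserves a look at which application sets the UA, and the 8080/POST shape is only what the thread reports for a 30-day sample, so `c2_like` should be widened as new observations come in.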