[Emerging-Sigs] High false positive rate ET TROJAN Kazy/Kryptor/Cycbot Checkin 3

Matt Jonkman jonkman at emergingthreats.net
Wed Dec 19 10:57:04 HAST 2012

Dang, ya. With the cgi in there it will false.

We have many issues with the whole family of those sigs. Kazy does decoy
checking, same request and uri, to legit sites as well as it's cnc. Tens to
hundreds per infection.

I'll kill this sig, we need a better way. We'll dig into it.

Thanks Matt!


On Wed, Dec 12, 2012 at 10:31 PM, matt <sendtomatt at gmail.com> wrote:

>  In FreeBSD land, a bug report is called a "PR" (problem report). The cgi
> interface for viewing these @ freebsd.org uses ?pr= in the get URL.
> Here is an example URL that will trigger the false positive:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/169319
> This rule may be overly vague, or cause undue concern that a host is
> infected.
> This could be resolved by either making a more specific rule to the trojan
> (not sure there)
> or changing the language of the rule to include something like "Possible
> trojan"
> Please CC me in responses, I'm not subscribed to the list.
> Thanks,
> Matt M
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
> Current!


Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20121219/2e95ca37/attachment.html>

More information about the Emerging-sigs mailing list