[Emerging-Sigs] Unknown Trojan, Possible ZeuS?

Matthew Jonkman jonkman at emergingthreatspro.com
Wed Oct 20 19:31:24 EDT 2010


Posting, thanks Eoin!

Matt


On Oct 20, 2010, at 2:06 PM, Eoin Miller wrote:

>  On 10/20/2010 1:46 PM, Eoin Miller wrote:
>>   So after seeing an infected system repeatedly check for connectivity
>> using the odd ZeuS client http library, I saw the same host making these
>> requests over and over to a parked domain that was no longer accessible:
>> 
>> GET /message.php?subid=481&br=IE_7.00&os=13&flg=53&id=258b264d843800bb9b0c3e5841a3a683&ad=in HTTP/1.1
>> Host: aafef834e4a12df1066a2656aecab1b7.co.cc
>> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
>> 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR
>> 3.5.30729; InfoPath.2; .NET 4.0E)
>> 
>> Does this URI look somewhat familiar to anyone? How the client header is
>> formed is obviously weird.
>> 
>> -- Eoin
>> 
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> 
>> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
>> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
> Coworker pointed me to some malware reports that have similar URLs. I 
> wrote this to detect it, looks like some kind of common dropper that 
> will reach out and pull down zbots and other naughty things.
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID TROJAN malware dropper reporting in"; flow:established,to_server; content:"subid="; http_uri; content:"br="; http_uri; content:"os="; http_uri; content:"flg="; http_uri; classtype:trojan-activity; sid:5600178; rev:1;)
> 
> Don't know the name/type of dropper for this though, and the reports 
> seem to have various names for it.
> 
> http://www.threatexpert.com/report.aspx?md5=21b0865aba809e6751a2bced001561a4
> http://www.threatexpert.com/report.aspx?md5=c21a1c48552d4493103dae4e95e80660
> http://www.malwareurl.com/listing.php?domain=wearegoingwhite.info
> http://www.malware-control.com/statics-pages/1ffef8b1b212e8390fa707cbc28fbc75.php
> 
> http://jsunpack.jeek.org/dec/go?report=7b5f9f9b59115042f426a084635be8ccab5fa2f9
> http://jsunpack.jeek.org/dec/go?report=7f83ff4fbc563d282bcc61f1bd88371126345821
> http://jsunpack.jeek.org/dec/go?report=510e1a4af6e95f7545152acfbc06416f80dc10f9
> http://jsunpack.jeek.org/dec/go?report=7b5f9f9b59115042f426a084635be8ccab5fa2f
> 
> 
> Anyone else have any insight?
> 
> -- Eoin
> 


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
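
Added example, not part of either message in this thread and not an ET signature: the posted rule fires when four tokens ("subid=", "br=", "os=", "flg=") each appear somewhere in the normalized URI, which is a substring test, not a query-parameter test. The Python below reimplements that logic over raw HTTP requests and sets it beside a stricter variant that requires the four names as actual query parameters. The dropper request is the one quoted above (rejoined where the mail wrapped it); the benign requests and the hostnames in them are constructed for this example.

```python
"""Reimplement the posted Snort rule's URI logic in Python and compare it
with an exact-parameter check. Example code written for this archived
thread; the non-dropper requests below are constructed sample input."""
import re
from urllib.parse import parse_qs, urlsplit

# Tokens the rule requires (content:"..."; http_uri;), matched as substrings.
RULE_TOKENS = ("subid=", "br=", "os=", "flg=")
# The same fields, checked as exact query-parameter names in the strict variant.
RULE_PARAMS = tuple(tok.rstrip("=") for tok in RULE_TOKENS)

_REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/1\.[01]$")


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, uri, headers).

    Returns None when the request line is malformed. Header names are
    lower-cased; folded continuation lines are not handled (none occur here).
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = _REQUEST_LINE.match(lines[0])
    if m is None:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return m.group("method"), m.group("uri"), headers


def snort_style_match(raw):
    """Mirror the rule: every token must occur as a substring of the URI."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    uri = parsed[1]
    return all(tok in uri for tok in RULE_TOKENS)


def strict_param_match(raw):
    """Tighter variant: every field must be a real query-parameter name."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    query = parse_qs(urlsplit(parsed[1]).query, keep_blank_values=True)
    return all(param in query for param in RULE_PARAMS)


# The check-in request quoted in the thread, with the mail wrap removed.
DROPPER_CHECKIN = (
    "GET /message.php?subid=481&br=IE_7.00&os=13&flg=53"
    "&id=258b264d843800bb9b0c3e5841a3a683&ad=in HTTP/1.1\r\n"
    "Host: aafef834e4a12df1066a2656aecab1b7.co.cc\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR "
    "1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR "
    "3.5.30729; InfoPath.2; .NET 4.0E)\r\n"
    "\r\n"
)
# Constructed benign request: "photos=" contains "os=", and the other three
# tokens are present, so the substring rule fires although no "os" parameter exists.
BENIGN_SUBSTRING_HIT = (
    "GET /gallery?subid=7&br=chrome&flg=1&photos=12 HTTP/1.1\r\n"
    "Host: example.com\r\n\r\n"
)
# Constructed benign request that carries only two of the four tokens.
BENIGN_MISS = "GET /index.php?subid=7&br=IE_7.00 HTTP/1.1\r\nHost: example.com\r\n\r\n"
# Constructed junk that is not an HTTP request line at all.
MALFORMED = "garbage\r\n\r\n"

if __name__ == "__main__":
    samples = [("dropper check-in", DROPPER_CHECKIN),
               ("benign substring hit", BENIGN_SUBSTRING_HIT),
               ("benign miss", BENIGN_MISS),
               ("malformed", MALFORMED)]
    for label, req in samples:
        print(f"{label:22s} rule-style={snort_style_match(req)!s:5s} "
              f"strict={strict_param_match(req)}")
```

The constructed "photos=" request is the point of the comparison: because http_uri content matches are plain substring tests, short tokens such as "os=" and "br=" can be satisfied by longer parameter names, so a production version of the rule would normally anchor the tokens (for example with a preceding "?" or "&", or with a pcre on the query string) to cut that class of false positive.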
