2003460 (revision 2)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"BLEEDING-EDGE CURRENT EVENTS Unknown Bot Outbound C&C Packet"; flow:established,to_server; dsize:48; content:"|3f 33 7a f8 b5 df 0e 28 cb 58 5d b5 0d c3 ef ce 1f 72 4a 60 d3 6f 92 7b 42 8f|"; classtype:unknown; reference:url,doc.bleedingthreats.net/2003460; sid:2003460; rev:1;)

Auto-added on 2007-03-01 05:52:13 UTC


Unknown bot. Seeing outbound C&C-looking packets on port 3460 like this:

0000 00 0e 0c 33 1c 34 00 0c 29 13 0a 7b 08 00 45 00 ...3.4..)..{..E.
0010 00 58 00 3d 40 00 80 06 6a e5 0a 37 38 1a c1 5a .X.=@...j..78..Z
0020 8b d2 04 04 0d 84 7e 86 e5 be 91 34 9f 64 50 18 ......~....4.dP.
0030 f6 48 c9 7c 00 00 3f 33 7a f8 b5 df 0e 28 cb 58 .H.|..?3z....(.X
0040 5d b5 0d c3 ef ce 1f 72 4a 60 d3 6f 92 7b 42 8f ]......rJ`.o.{B.
0050 08 80 ae 17 bd 42 f9 ca 5f 25 a6 24 1a 96 76 97 .....B.._%.$..v.
0060 52 c5 ea 20 c1 ce R.. ..

or

0000 00 0e 0c 33 1c 34 00 0c 29 13 0a 7b 08 00 45 00 ...3.4..)..{..E.
0010 00 58 01 ff 40 00 80 06 69 23 0a 37 38 1a c1 5a .X..@...i#.78..Z
0020 8b d2 04 04 0d 84 7e 87 05 fe 91 34 bf a4 50 18 ......~....4..P.
0030 f9 10 8b d8 00 00 3f 33 7a f8 b5 df 0e 28 cb 58 ......?3z....(.X
0040 5d b5 0d c3 ef ce 1f 72 4a 60 d3 6f 92 7b 42 8f ]......rJ`.o.{B.
0050 08 80 ae 17 bd 42 ce e7 19 57 47 76 b8 21 f2 39 .....B...WGv.!.9
0060 42 45 3d 6e 2f 8f BE=n/.

And return packets like so:

0000 00 0c 29 13 0a 7b 00 0e 0c 33 1c 34 08 00 45 00 ..)..{...3.4..E.
0010 00 28 29 fb 40 00 71 06 50 57 c1 5a 8b d2 0a 37 .().@.q.PW.Z...7
0020 38 1a 0d 84 04 04 91 34 9f 64 7e 86 e5 ee 50 10 8......4.d~...P.
0030 fd 8f 7c 30 00 00 00 00 00 00 00 00 ..|0........

More as we get it... Please report hits.

-- MattJonkman - 01 Mar 2007
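As an added example (not from this page or from Emerging Threats), the script below rebuilds the three frames from the hex dumps above, validates them through the IPv4 header checksum, and replays them through the match conditions of sid:2003460. It assumes $HOME_NET is 10.0.0.0/8, since the 10.55.56.26 client is the only internal address on the page, and it approximates flow:established,to_server from the TCP flags and direction, which a real sensor decides with its stream tracker instead. Two things it shows that reading the dumps does not: the return frame carries six bytes of Ethernet padding after a 40-byte IP datagram, so payload length has to come from the IP total length (otherwise the reply appears to have dsize 6), and the two outbound samples agree on their first 32 payload bytes, six more than the 26 the rule's content pins down.

```python
"""Replay the frames from this page's hex dumps through the match conditions of
sid:2003460. Added example, not code from the page or from Emerging Threats."""
import ipaddress
import re
import struct
from collections import namedtuple

# The three frames exactly as dumped on the page (offset, hex bytes, ASCII column).
OUTBOUND_1 = """\
0000 00 0e 0c 33 1c 34 00 0c 29 13 0a 7b 08 00 45 00 ...3.4..)..{..E.
0010 00 58 00 3d 40 00 80 06 6a e5 0a 37 38 1a c1 5a .X.=@...j..78..Z
0020 8b d2 04 04 0d 84 7e 86 e5 be 91 34 9f 64 50 18 ......~....4.dP.
0030 f6 48 c9 7c 00 00 3f 33 7a f8 b5 df 0e 28 cb 58 .H.|..?3z....(.X
0040 5d b5 0d c3 ef ce 1f 72 4a 60 d3 6f 92 7b 42 8f ]......rJ`.o.{B.
0050 08 80 ae 17 bd 42 f9 ca 5f 25 a6 24 1a 96 76 97 .....B.._%.$..v.
0060 52 c5 ea 20 c1 ce R.. ..
"""
OUTBOUND_2 = """\
0000 00 0e 0c 33 1c 34 00 0c 29 13 0a 7b 08 00 45 00 ...3.4..)..{..E.
0010 00 58 01 ff 40 00 80 06 69 23 0a 37 38 1a c1 5a .X..@...i#.78..Z
0020 8b d2 04 04 0d 84 7e 87 05 fe 91 34 bf a4 50 18 ......~....4..P.
0030 f9 10 8b d8 00 00 3f 33 7a f8 b5 df 0e 28 cb 58 ......?3z....(.X
0040 5d b5 0d c3 ef ce 1f 72 4a 60 d3 6f 92 7b 42 8f ]......rJ`.o.{B.
0050 08 80 ae 17 bd 42 ce e7 19 57 47 76 b8 21 f2 39 .....B...WGv.!.9
0060 42 45 3d 6e 2f 8f BE=n/.
"""
RETURN_1 = """\
0000 00 0c 29 13 0a 7b 00 0e 0c 33 1c 34 08 00 45 00 ..)..{...3.4..E.
0010 00 28 29 fb 40 00 71 06 50 57 c1 5a 8b d2 0a 37 .().@.q.PW.Z...7
0020 38 1a 0d 84 04 04 91 34 9f 64 7e 86 e5 ee 50 10 8......4.d~...P.
0030 fd 8f 7c 30 00 00 00 00 00 00 00 00 ..|0........
"""

Packet = namedtuple("Packet", "src dst sport dport seq ack flags payload")
HEX_LINE = re.compile(r"^([0-9a-f]{4})((?: [0-9a-f]{2}){1,16})(?=\s|$)")

def parse_hexdump(dump: str) -> bytes:
    """Rebuild a frame from 'OFFSET hh hh ... ASCII' lines; the ASCII column is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line.strip())
        if not m:
            continue
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"offset {m.group(1)} disagrees with {len(out)} bytes parsed so far")
        out += bytes.fromhex("".join(m.group(2).split()))
    return bytes(out)

def ip_checksum_ok(header: bytes) -> bool:
    """Ones'-complement sum over the header, checksum field included, folds to 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode_frame(frame: bytes) -> Packet:
    """Ethernet II -> IPv4 -> TCP; a mis-transcribed dump fails the checksum instead of silently not matching."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    ip = ip[:total_len]  # drop Ethernet padding: the 40-byte reply is padded out to a 60-byte frame
    if not ip_checksum_ok(ip[:ihl]):
        raise ValueError("bad IPv4 header checksum")
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:]
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    data_off = (tcp[12] >> 4) * 4
    return Packet(str(ipaddress.ip_address(ip[12:16])), str(ipaddress.ip_address(ip[16:20])),
                  sport, dport, seq, ack, tcp[13], tcp[data_off:])

HOME_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: the 10.55.56.26 client is internal
RULE_CONTENT = bytes.fromhex("3f337af8b5df0e28cb585db50dc3efce1f724a60d36f927b428f")  # the rule's 26 bytes

def sid_2003460_matches(p: Packet) -> bool:
    """flow:established,to_server approximated as ACK set, SYN clear, HOME_NET -> EXTERNAL_NET;
    a sensor takes this from its stream tracker. dsize:48 is exact; content matches at any offset."""
    established = bool(p.flags & 0x10) and not (p.flags & 0x02)
    to_server = (ipaddress.ip_address(p.src) in HOME_NET
                 and ipaddress.ip_address(p.dst) not in HOME_NET and 1024 <= p.dport <= 65535)
    return established and to_server and len(p.payload) == 48 and RULE_CONTENT in p.payload

def common_prefix_len(a: bytes, b: bytes) -> int:
    """Leading payload bytes two samples share; the rule's content covers the first 26."""
    return next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), min(len(a), len(b)))

if __name__ == "__main__":
    pkts = {n: decode_frame(parse_hexdump(d)) for n, d in
            [("outbound 1", OUTBOUND_1), ("outbound 2", OUTBOUND_2), ("return", RETURN_1)]}
    for n, p in pkts.items():
        verdict = "ALERT" if sid_2003460_matches(p) else "no match"
        print(f"{n}: {p.src}:{p.sport} -> {p.dst}:{p.dport} flags=0x{p.flags:02x} dsize={len(p.payload)} {verdict}")
    print("shared payload prefix:", common_prefix_len(pkts["outbound 1"].payload, pkts["outbound 2"].payload), "bytes")
```

Run directly, it prints one verdict per frame: both outbound samples alert, the bare ACK from 193.90.139.210:3460 does not. The return packet's seq equals the first outbound packet's ack and its ack is that packet's seq plus 48, so the three dumps are one conversation. With only two samples on the page, whether to extend the content to the full 32-byte common prefix is a judgement call; the checksum validation is the part worth keeping whenever a signature is written from a pasted dump rather than a pcap.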


Topic revision: r2 - 2007-03-01 - MattJonkman