# sid:2008531 rev:4 - the leading '#' leaves this copy of the rule commented out (disabled).
# When enabled it matches a UDP packet from $HOME_NET to $DNS_SERVERS port 53 whose bytes 2-11
# (offset:2; depth:10) are the DNS header fields flags=0x0100 (standard query, recursion
# desired), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0, and whose payload contains the
# length-prefixed labels 3"chr" 11"santa-inbox" 3"com", compared case-insensitively (nocase).
# NOTE(review): because ARCOUNT must be 0, a query that carries an EDNS0 OPT record would not
# match; DNS over TCP and queries sent to resolvers outside $DNS_SERVERS are not covered either.
#alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"ET TROJAN Infected System Looking up chr.santa-inbox.com CnC? Server"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|chr|0b|santa-inbox|03|com"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008531; classtype:trojan-activity; sid:2008531; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-11-10 16:17:51 UTC


# Enabled copy of rev 4: DNS header check at offset 2 plus the nocase domain-label content.
# This snapshot adds the metadata keyword (created_at/updated_at), which is informational and
# does not change what the rule matches.
# NOTE(review): created_at 2010_07_30 is later than the 2008 rev 1 entry further down this page,
# so it looks like a ruleset bookkeeping date rather than the indicator's first-seen date.
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"ET TROJAN Infected System Looking up chr.santa-inbox.com CnC? Server"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|chr|0b|santa-inbox|03|com"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008531; classtype:trojan-activity; sid:2008531; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:01:41 UTC


# rev 4 under the "ET TROJAN" msg prefix, with no fast_pattern:only and no metadata keyword.
# The older rev 4 entries on this page use the "ET CURRENT_EVENTS" prefix and fast_pattern:only,
# so the sid:rev pair alone does not identify the exact rule text; compare full rule bodies when
# auditing ruleset changes.
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"ET TROJAN Infected System Looking up chr.santa-inbox.com CnC? Server"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|chr|0b|santa-inbox|03|com"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008531; classtype:trojan-activity; sid:2008531; rev:4;)

Added 2014-09-12 16:28:25 UTC


# rev 4 under the "ET CURRENT_EVENTS" msg prefix. fast_pattern:only follows the second content,
# so it applies to the domain-label pattern rather than the DNS header bytes.
# Here reference precedes classtype; the 2011-09-14 entry has the same keywords in the other order.
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Infected System Looking up chr.santa-inbox.com CnC? Server"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|chr|0b|santa-inbox|03|com"; nocase; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2008531; classtype:trojan-activity; sid:2008531; rev:4;)

Added 2011-10-12 19:25:19 UTC


# rev 4 with a single reference URL: the cvsweb reference carried by the 2011-02-04 entry is
# absent here. Detection keywords (header content, label content, nocase, fast_pattern:only)
# are the same as in that entry.
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Infected System Looking up chr.santa-inbox.com CnC? Server"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|chr|0b|santa-inbox|03|com"; nocase; fast_pattern:only; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008531; sid:2008531; rev:4;)

Added 2011-09-14 22:38:46 UTC


# Earliest rev 4 entry on this page. Compared with rev 2 it adds a 10-byte content match at
# offset 2 (DNS flags 0x0100, QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0) ahead of the domain-label
# content, and marks the label content fast_pattern:only.
# The header match limits alerts to packets shaped like a plain recursive query with one question.
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Infected System Looking up chr.santa-inbox.com CnC? Server"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|chr|0b|santa-inbox|03|com"; nocase; fast_pattern:only; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008531; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_santa-inbox.com; sid:2008531; rev:4;)

Added 2011-02-04 17:27:43 UTC


# rev 2: the only detection keyword is the nocase content for the length-prefixed labels,
# as in rev 1. The change from rev 1 is the two reference URLs.
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Infected System Looking up chr.santa-inbox.com CnC? Server"; content:"|03|chr|0b|santa-inbox|03|com"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008531; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_santa-inbox.com; sid:2008531; rev:2;)

Added 2009-02-06 19:00:54 UTC


# rev 2 again: same rule text and same "Added" timestamp as the preceding history entry,
# i.e. a duplicate record rather than a separate change.
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Infected System Looking up chr.santa-inbox.com CnC? Server"; content:"|03|chr|0b|santa-inbox|03|com"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008531; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_santa-inbox.com; sid:2008531; rev:2;)

Added 2009-02-06 19:00:54 UTC


# rev 1: a single nocase content match on the DNS wire-format labels 3"chr" 11"santa-inbox" 3"com".
# There is no DNS header constraint, so any UDP payload from $HOME_NET to $DNS_SERVERS port 53
# that contains those bytes raises the alert.
# The |03| length byte pins the "chr" label to exactly three characters; extra labels in front
# of it, as in the sample lookup shown on this page, still match.
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Infected System Looking up chr.santa-inbox.com CnC? Server"; content:"|03|chr|0b|santa-inbox|03|com"; nocase; classtype:trojan-activity; sid:2008531; rev:1;)

Added 2008-08-31 22:30:22 UTC

Lookups like:

737375.1.b400c378bd48feacf87a24f92546e3f0.chr.santa-inbox.com

are being made by a trojan called Ntlin, Peed, etc.

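Antivirus2008.com and other fake AV scams, mostly RBN related, are involved. If you see lookups like the one above, you have a problem: find the source. If the alert's source address is an internal resolver or forwarder rather than a workstation, use that resolver's query logs to identify the client that made the lookup.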

-- MattJonkman - 02 Sep 2008


Topic revision: r2 - 2008-09-02 - MattJonkman
 