Backdoor.Win32.Assasin.20.C

Associated with sigs 2008675, 2008676, and 2008677

Re sample c6f326609487aaae451366728ec5cdd9

Interesting CnC? Opens several connections on ports between 90 and 100. The easiest to sig was on port 01 and looks like a report/keepalive connection, like so:


110000351^*192.168.XX.XX^\Share^2^HOME-XXXXXXXXX\bob^0^oz7x~?a

10000002^*16
10000000^*
10000002^*16
10000000^*
10000002^*16
10000000^*
10000002^*16
10000000^*
10000002^*16
10000000^*
10000002^*16
10000000^*
10000002^*16
10000000^*
10000002^*16
10000000^*
10000002^*16
10000000^*
10000002^*16

See, easy to sig. Those sigs ought to catch it. Will watch for variants using other port ranges.

Matt

-- MattJonkman - 17 Oct 2008
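As an added illustration (not part of the original post and not the Emerging Threats signatures themselves), the following Python detects the two things the capture above shows: the caret-delimited report line and the alternating 10000002^*16 / 10000000^* keepalive exchange. It runs over a reassembled stream, one payload per line. The sample stream is constructed from the post's capture (masked address and hostname kept as-is) plus one unrelated HTTP line; the field names given to the report (client address, host\user) are my reading of the capture, since the post does not document the protocol.

```python
"""Detector for the Assasin.20.C report/keepalive stream shown in the post.

Added example, not ET's signature code. Input is a reassembled TCP stream
with one client payload per line, as in the capture above.
"""
import re

# Constructed sample: the post's capture (masked values unchanged), four
# keepalive payloads, and one unrelated HTTP line as a negative case.
SAMPLE_STREAM = r"""110000351^*192.168.XX.XX^\Share^2^HOME-XXXXXXXXX\bob^0^oz7x~?a
10000002^*16
10000000^*
10000002^*16
10000000^*
GET / HTTP/1.1
"""

# Report line: numeric opcode, the "^*" separator, then at least two
# "^"-separated fields (the capture shows six).
REPORT_RE = re.compile(r"^(?P<opcode>\d+)\^\*(?P<fields>[^\r\n]*\^[^\r\n]*)$")

# The two keepalive payloads that alternate in the capture.
KEEPALIVE_RE = re.compile(r"^(?:10000002\^\*16|10000000\^\*)$")


def classify_line(line):
    """Return 'keepalive', 'report', or None for one payload line."""
    line = line.rstrip("\r\n")
    if KEEPALIVE_RE.match(line):
        return "keepalive"
    if REPORT_RE.match(line):
        return "report"
    return None


def parse_report(line):
    """Split a report line into opcode and fields.

    Field positions 0 (client address) and 3 (host\\user) are an assumption
    drawn from the single capture; the post does not name the fields.
    """
    m = REPORT_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    fields = m.group("fields").split("^")
    return {
        "opcode": m.group("opcode"),
        "fields": fields,
        "client_addr": fields[0] if fields else None,
        "host_user": fields[3] if len(fields) > 3 else None,
    }


def scan_stream(text, min_keepalives=2):
    """Classify every line and decide whether the stream should alert.

    Alerts on any report line, or on at least `min_keepalives` keepalive
    payloads (a report may have been missed if capture started late).
    """
    reports, keepalives = [], 0
    for line in text.splitlines():
        kind = classify_line(line)
        if kind == "report":
            reports.append(parse_report(line))
        elif kind == "keepalive":
            keepalives += 1
    reasons = []
    if reports:
        reasons.append("assasin report line")
    if keepalives >= min_keepalives:
        reasons.append("assasin keepalive x%d" % keepalives)
    return {
        "reports": reports,
        "keepalives": keepalives,
        "alert": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    result = scan_stream(SAMPLE_STREAM)
    for r in result["reports"]:
        print("report from %s as %s" % (r["client_addr"], r["host_user"]))
    print("keepalives: %d, alert: %s (%s)" % (
        result["keepalives"], result["alert"], ", ".join(result["reasons"])))
```

The keepalive match is the cheap one to turn into a signature, exactly as the post says; the report line is worth matching separately because it carries the host and user name, which is what an analyst wants in the alert.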

Topic revision: r1 - 2008-10-17 - MattJonkman