2007774 (revision 2)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lop.gfr/Swizzor HTTP Update/Checkin"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/tba/"; nocase; content:"|0d 0a|guid="; content:"&version="; distance:50; content:"&clientid="; distance:50; content:"&time="; distance:50; content:"&idle="; distance:50; content:"&ticksBoot="; distance:50; classtype:trojan-activity; sid:2007774; rev:3;)

Added 2008-02-01 09:16:23 UTC


-- RegQuinton - 08 Feb 2008

I'm seeing quite a few alarms on our residences.

They all involve the same server ads.netbios-local.com (64.34.228.126). Signature matches exactly and I have information that ads.netbios-local.com is a nasty site. See

http://malwaredomains.com/?cat=6

But that's a bit circular -- Emerging Threats identified them and provides the signatures I'm using.

Here's the packet capture.

[12:57pm dominic] more /tmp/foo
02/08-11:43:33.653976 129.97.NNN.MMM:1037 -> 64.34.228.126:80
TCP TTL:124 TOS:0x0 ID:95 IpLen:20 DgmLen:250 DF
***AP*** Seq: 0x9694BA5  Ack: 0x1FC3349A  Win: 0xFFFF  TcpLen: 20
50 4F 53 54 20 2F 74 62 61 2F 70 20 48 54 54 50  POST /tba/p HTTP
2F 31 2E 31 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65  /1.1..Content-Le
6E 67 74 68 3A 20 32 39 37 0D 0A 43 6F 6E 74 65  ngth: 297..Conte
6E 74 2D 54 79 70 65 3A 20 61 70 70 6C 69 63 61  nt-Type: applica
74 69 6F 6E 2F 78 2D 77 77 77 2D 66 6F 72 6D 2D  tion/x-www-form-
75 72 6C 65 6E 63 6F 64 65 64 0D 0A 55 73 65 72  urlencoded..User
2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F  -Agent: Mozilla/
34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65 3B  4.0 (compatible;
20 4D 53 49 45 20 36 2E 30 3B 20 57 69 6E 64 6F   MSIE 6.0; Windo
77 73 20 4E 54 20 35 2E 31 29 0D 0A 41 63 63 65  ws NT 5.1)..Acce
70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67 7A 69  pt-Encoding: gzi
70 0D 0A 48 6F 73 74 3A 20 61 64 73 2E 6E 65 74  p..Host: ads.net
62 69 6F 73 2D 6C 6F 63 61 6C 2E 63 6F 6D 0D 0A  bios-local.com..
0D 0A                                            ..

02/08-11:43:33.854848 129.97.240.153:1037 -> 64.34.228.126:80
TCP TTL:124 TOS:0x0 ID:96 IpLen:20 DgmLen:337 DF
***AP*** Seq: 0x9694C77  Ack: 0x1FC3349A  Win: 0xFFFF  TcpLen: 20
67 75 69 64 3D 32 39 32 33 30 35 31 35 38 36 35  guid=29230515865
46 44 38 44 38 38 37 43 43 38 38 31 38 37 34 41  FD8D887CC881874A
41 38 46 43 33 33 33 34 45 26 76 65 72 73 69 6F  A8FC3334E&versio
6E 3D 38 36 34 34 32 32 30 36 36 44 32 33 26 63  n=864422066D23&c
6C 69 65 6E 74 69 64 3D 36 39 36 43 42 35 46 37  lientid=696CB5F7
30 36 39 45 30 35 46 45 33 43 34 44 26 74 69 6D  069E05FE3C4D&tim
65 3D 41 45 35 45 37 45 44 33 41 45 33 36 46 45  e=AE5E7ED3AE36FE
26 69 64 6C 65 3D 39 32 35 30 38 46 26 6C 6F 63  &idle=92508F&loc
61 6C 65 3D 46 39 34 31 32 32 39 31 33 43 32 32  ale=F94122913C22
26 73 65 73 73 69 6F 6E 3D 42 31 30 42 46 34 38  &session=B10BF48
33 30 44 46 33 26 61 63 74 69 76 65 57 69 6E 64  30DF3&activeWind
6F 77 73 3D 45 31 37 42 30 32 26 74 69 63 6B 73  ows=E17B02&ticks
42 6F 6F 74 3D 41 42 33 36 33 42 44 46 34 39 36  Boot=AB363BDF496
36 33 46 45 39 26 74 69 63 6B 73 41 6C 69 76 65  63FE9&ticksAlive
3D 33 33 36 43 41 37 34 42 39 39 39 42 35 39 26  =336CA74B999B59&
69 6E 73 74 61 6C 6C 54 69 6D 65 3D 30 46 30 43  installTime=0F0C
32 37 39 35 46 39 38 33 42 30 41 32 44 36 36 32  2795F983B0A2D662
37 46 36 42 26 6C 61 75 6E 63 68 43 6F 75 6E 74  7F6B&launchCount
3D 39 45 33 39 36 36 33 43                       =9E39663C

-- RegQuinton - 08 Feb 2008
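As an added worked example (not code from the Emerging Threats page, from the commenter, or from Snort itself), the following Python script models how the rule's ordered content/distance chain is evaluated against the reassembled request in the capture above. The two payloads are transcribed from the ASCII columns of the hex dumps; the matcher is a simplified reading of the Snort manual's content, nocase, offset, depth and distance semantics (each distance skips N bytes past the end of the previous match before the next search begins) and is an assumption about the engine, not Snort's real implementation. Under that model the guid value in this capture is 36 bytes, so the rev 2 chain (distance:10 / distance:5) matches while the rev 3 chain (distance:50) starts its search for &version= past the point where it occurs; anyone tuning this sid should confirm the same result against a live Snort with stream reassembly enabled before relying on it.

```python
"""Simplified model of Snort content/distance matching, applied to the
Lop.gfr/Swizzor check-in captured on the page.  Added example; the
option-chain semantics are an assumption, not Snort's engine."""

# Payloads transcribed from the two packets in the posted capture
# (the ASCII column of each hex dump, joined together).
HEADERS = (
    b"POST /tba/p HTTP/1.1\r\n"
    b"Content-Length: 297\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"Accept-Encoding: gzip\r\n"
    b"Host: ads.netbios-local.com\r\n"
    b"\r\n"
)
BODY = (
    b"guid=29230515865FD8D887CC881874AA8FC3334E&version=864422066D23"
    b"&clientid=696CB5F7069E05FE3C4D&time=AE5E7ED3AE36FE&idle=92508F"
    b"&locale=F94122913C22&session=B10BF4830DF3&activeWindows=E17B02"
    b"&ticksBoot=AB363BDF49663FE9&ticksAlive=336CA74B999B59"
    b"&installTime=0F0C2795F983B0A2D6627F6B&launchCount=9E39663C"
)
STREAM = HEADERS + BODY  # what stream reassembly hands to the rule engine


def match_chain(payload, chain):
    """Walk (pattern, modifiers) content options in order.

    offset/depth are absolute; distance is relative to the end of the
    previous match ("doe").  A pattern with no relative modifier is
    searched from the start of the payload.  Returns the (start, end)
    positions of every match, or None as soon as one content fails.
    """
    doe = 0  # detect-offset-end: where the previous match finished
    hits = []
    for pattern, mods in chain:
        hay = payload.lower() if mods.get("nocase") else payload
        pat = pattern.lower() if mods.get("nocase") else pattern
        if "distance" in mods:
            start = doe + mods["distance"]   # skip N bytes past previous match
        else:
            start = mods.get("offset", 0)
        end = start + mods["depth"] if "depth" in mods else len(hay)
        pos = hay.find(pat, start, end)      # pattern must fit inside [start, end)
        if pos < 0:
            return None
        doe = pos + len(pat)
        hits.append((pos, doe))
    return hits


def uri_matches(payload, needle=b"/tba/"):
    """uricontent check: look in the request-URI token of the request line."""
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    return len(parts) >= 2 and needle in parts[1].lower()


# Content chains of sid 2007774 as published on the page (uricontent aside).
REV3 = [
    (b"POST ", {"depth": 5}),
    (b"\r\nguid=", {}),
    (b"&version=", {"distance": 50}),
    (b"&clientid=", {"distance": 50}),
    (b"&time=", {"distance": 50}),
    (b"&idle=", {"distance": 50}),
    (b"&ticksBoot=", {"distance": 50}),
]
REV2 = [
    (b"POST ", {"depth": 5}),
    (b"\r\nguid=", {}),
    (b"&version=", {"distance": 10}),
    (b"&clientid=", {"distance": 5}),
    (b"&time=", {"distance": 5}),
    (b"&idle=", {"distance": 5}),
    (b"&ticksBoot=", {"distance": 5}),
]


def evaluate(payload, chain):
    """True when both the uricontent and the whole content chain match."""
    return uri_matches(payload) and match_chain(payload, chain) is not None


def field_gap(payload, first, second):
    """Bytes between the end of `first` and the start of `second`: the value
    length that the following content's distance must not exceed."""
    return payload.find(second) - (payload.find(first) + len(first))


if __name__ == "__main__":
    for name, chain in (("rev 2", REV2), ("rev 3", REV3)):
        print(name, "matches" if evaluate(STREAM, chain) else "no match")
    print("guid value length:", field_gap(STREAM, b"\r\nguid=", b"&version="))
```

The two packets only form a match once they are joined: "guid=" sits at the very start of the second segment with no preceding CR LF, so "|0d 0a|guid=" can never hit in either packet on its own. That is why the rule is only useful where client-to-server stream reassembly covers the HTTP ports, and why a pcap replay without reassembly would wrongly suggest the signature is dead.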




alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lop.gfr HTTP Update/Checkin"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/tba/"; nocase; content:"|0d 0a|guid="; content:"&version="; distance:10; content:"&clientid="; distance:5; content:"&time="; distance:5; content:"&idle="; distance:5; content:"&ticksBoot="; distance:5; classtype:trojan-activity; sid:2007774; rev:2;)

Added 2008-01-31 10:12:23 UTC




alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Lop.gfr HTTP Update/Checkin"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/tba/"; nocase; content:"|0d 0a|guid="; content:"&version="; distance:10; content:"&clientid="; distance:5; content:"&time="; distance:5; content:"&idle="; distance:5; content:"&ticksBoot="; distance:5; classtype:trojan-activity; sid:2007774; rev:1;)

Added 2008-01-23 09:49:26 UTC


Topic revision: r2 - 2008-02-08 - RegQuinton