Backdoor.Win32.Assasin.20.C
Associated with sigs 2008675, 2008676, and 2008677
Re sample c6f326609487aaae451366728ec5cdd9
Interesting CnC. Opens several connections on ports between 90-100. The easiest to sig was on port 01 and looks like a report/keepalive connection like so:
110000351^*192.168.XX.XX^\Share^2^HOME-XXXXXXXXX\bob^0^oz7x~?a
10000002^*16
10000000^*
10000002^*16
10000000^*
10000002^*16
10000000^*
10000002^*16
10000000^*
10000002^*16
10000000^*
10000002^*16
10000000^*
10000002^*16
10000000^*
10000002^*16
10000000^*
10000002^*16
10000000^*
10000002^*16
See, easy to sig. Those sigs ought to catch it. Will watch for variants using other port ranges.
Matt
--
MattJonkman - 17 Oct 2008
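
An added example (not part of the original note, and not the content of sigs 2008675-2008677): a Python check that parses the framing visible in the capture above and flags a reassembled stream that carries one multi-field report frame plus a run of alternating keepalive frames. The newline framing, the 8-9 digit id width, the set of keepalive ids and the thresholds are assumptions drawn from this single sample.

```python
import re

# Constructed sample: the capture from the page (redactions kept as posted),
# shortened to three keepalive rounds.
SAMPLE = "\n".join([
    r"110000351^*192.168.XX.XX^\Share^2^HOME-XXXXXXXXX\bob^0^oz7x~?a",
    "10000002^*16", "10000000^*",
    "10000002^*16", "10000000^*",
    "10000002^*16", "10000000^*",
])

# Frame shape seen in the capture: <numeric id>^*<payload>, payload fields split on '^'.
FRAME = re.compile(r"^(\d{8,9})\^\*(.*)$")
# Ids that repeat in the capture (assumption: these are the keepalive pair).
KEEPALIVE_IDS = {"10000002", "10000000"}


def parse_frames(stream):
    """Return (id, fields) for every line that matches the frame shape."""
    frames = []
    for line in stream.splitlines():
        m = FRAME.match(line.strip())
        if m:
            payload = m.group(2)
            frames.append((m.group(1), payload.split("^") if payload else []))
    return frames


def classify(stream, min_keepalives=4, min_report_fields=5):
    """Flag a stream with a report frame and an alternating keepalive run."""
    frames = parse_frames(stream)
    reports = [f for f in frames
               if f[0] not in KEEPALIVE_IDS and len(f[1]) >= min_report_fields]
    keepalives = [f for f in frames if f[0] in KEEPALIVE_IDS]
    # The two keepalive ids strictly alternate in the capture.
    alternating = all(a[0] != b[0] for a, b in zip(keepalives, keepalives[1:]))
    return {
        "report_frames": len(reports),
        "keepalive_frames": len(keepalives),
        "match": bool(reports) and len(keepalives) >= min_keepalives and alternating,
    }


if __name__ == "__main__":
    print(classify(SAMPLE))
```

Requiring both the report frame and the keepalive run keeps a lone `digits^*` string in unrelated traffic from matching; loosen `min_keepalives` when only the start of a session was captured.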