Backdoor.Win32.Assasin.20.C
Associated with sigs 2008675 , 2008676 , and 2008677 Re sample c6f326609487aaae451366728ec5cdd9 Interesting CnC?. Opens several connections on ports between 90-100. The easiest to sig was on port 01 and looks like a report/keepalive connection like so:110000351^*192.168.XX.XX^\Share^2^HOME-XXXXXXXXX\bob^0^oz7x~?a 10000002^*16 10000000^* 10000002^*16 10000000^* 10000002^*16 10000000^* 10000002^*16 10000000^* 10000002^*16 10000000^* 10000002^*16 10000000^* 10000002^*16 10000000^* 10000002^*16 10000000^* 10000002^*16 10000000^* 10000002^*16See, easy to sig. Those sigs ought to catch it. Will watch for variants using other port ranges. Matt -- MattJonkman - 17 Oct 2008
Edit | Attach | Print version | History: r1 | Backlinks | Raw View | WYSIWYG | More topic actionsTopic revision: r1 - 2008-10-17 - MattJonkman
Main Web
Create New Topic
Index
Search
Changes
Preferences- User Reference
- ATasteOfTWiki
- TextFormattingRules
- Signature Reference
- WebRss Feed
- EmergingFAQ
 |
|
Copyright © Emerging Threats