++Trojan.Dropper-497
Interesting dropper. It uses an http-like channel to checkin and post stats about the system. A checkin starts with the client connecting to the controller in this case on port 8181. It pushes |30 30 30 0d 0a|. Then:
0000 00 00 00 83 3c 47 52 3e 41 d7 e9 3c 2f 47 52 3e ....<GR>A..</GR> 0010 3c 49 4d 3e 32 35 3c 2f 49 4d 3e 3c 4e 41 3e 42 <IM>25</IM><NA>B 0020 4f 42 31 30 3c 2f 4e 41 3e 3c 43 53 3e c4 da cd OB10</NA><CS>... 0030 f8 3c 2f 43 53 3e 3c 4f 53 3e 57 69 6e 58 50 3c .</CS><OS>WinXP< 0040 2f 4f 53 3e 3c 43 50 55 3e 31 35 39 36 20 4d 48 /OS><CPU>1596 MH 0050 7a 3c 2f 43 50 55 3e 3c 4d 45 4d 3e 32 31 31 4d z</CPU><MEM>211M 0060 42 3c 2f 4d 45 4d 3e 3c 53 50 3e ce de ca d3 c6 B</MEM><SP>..... 0070 b5 3c 2f 53 50 3e 3c 42 5a 3e b1 b8 d7 a2 c4 da .</SP><BZ>...... 0080 c8 dd 3c 2f 42 5a 3e ..</BZ>Interesting html-like tags used. The controller responds with |31 39 0d 0a|. Then in a separate packet pushes back:
0000 59 55 4d 41 54 4f 0d 0a 31 32 33 34 0d 0a 30 30 YUMATO..1234..00 0010 30 0d 0a 0..And then another packet from the server a |32 31 0d 0a|. And again from the server:
0000 59 55 4d 41 54 4f 0d 0a 31 32 33 34 0d 0a 30 37 YUMATO..1234..07 0010 30 0d 0a 0d 0a 0....Then from the server |32 32 0d 0a|. And on and on. Seems to be keepalive kind of status after this. Sigs 2007917, 2007918, 2007919 and 2007920 should catch this on any high port. Re sample 4ee001f20beaeb1bf7bb3335491843c6 -- MattJonkman - 05 Mar 2008
Edit | Attach | Print version | History: r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actionsTopic revision: r2 - 2008-07-11 - MattJonkman
Main Web
Create New Topic
Index
Search
Changes
Preferences- User Reference
- ATasteOfTWiki
- TextFormattingRules
- Signature Reference
- WebRss Feed
- EmergingFAQ
 |
|
Copyright © Emerging Threats