++Trojan.Dropper-497
Interesting dropper. It uses an HTTP-like channel to check in and post stats about the system. A checkin starts with the client connecting to the controller, in this case on port 8181. It pushes |30 30 30 0d 0a| ("000\r\n"). Then:
0000 00 00 00 83 3c 47 52 3e 41 d7 e9 3c 2f 47 52 3e ....<GR>A..</GR>
0010 3c 49 4d 3e 32 35 3c 2f 49 4d 3e 3c 4e 41 3e 42 <IM>25</IM><NA>B
0020 4f 42 31 30 3c 2f 4e 41 3e 3c 43 53 3e c4 da cd OB10</NA><CS>...
0030 f8 3c 2f 43 53 3e 3c 4f 53 3e 57 69 6e 58 50 3c .</CS><OS>WinXP<
0040 2f 4f 53 3e 3c 43 50 55 3e 31 35 39 36 20 4d 48 /OS><CPU>1596 MH
0050 7a 3c 2f 43 50 55 3e 3c 4d 45 4d 3e 32 31 31 4d z</CPU><MEM>211M
0060 42 3c 2f 4d 45 4d 3e 3c 53 50 3e ce de ca d3 c6 B</MEM><SP>.....
0070 b5 3c 2f 53 50 3e 3c 42 5a 3e b1 b8 d7 a2 c4 da .</SP><BZ>......
0080 c8 dd 3c 2f 42 5a 3e ..</BZ>
Interesting HTML-like tags. The controller responds with |31 39 0d 0a| ("19\r\n"), then in a separate packet pushes back:
0000 59 55 4d 41 54 4f 0d 0a 31 32 33 34 0d 0a 30 30 YUMATO..1234..00
0010 30 0d 0a 0..
Then another packet from the server: |32 31 0d 0a| ("21\r\n").
And again from the server:
0000 59 55 4d 41 54 4f 0d 0a 31 32 33 34 0d 0a 30 37 YUMATO..1234..07
0010 30 0d 0a 0d 0a 0....
Then from the server: |32 32 0d 0a| ("22\r\n").
And on and on; it looks like a keepalive-style status exchange after this.
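As an added example (not from the original post), a small Python decoder for the client checkin frame above: the first four bytes read as a big-endian length of the body (00 00 00 83 = 131, which matches the dump), and the body is a run of <TAG>value</TAG> pairs. The non-ASCII values are assumed to be GBK-encoded and are decoded on that assumption; the structural check at the end is the kind of cheap test a detector or carving script would use.

```python
import re
import struct

# Client checkin frame, transcribed from the hex dump on this page
# (the bytes that follow the initial "000\r\n").
CHECKIN_HEX = """
00 00 00 83 3c 47 52 3e 41 d7 e9 3c 2f 47 52 3e
3c 49 4d 3e 32 35 3c 2f 49 4d 3e 3c 4e 41 3e 42
4f 42 31 30 3c 2f 4e 41 3e 3c 43 53 3e c4 da cd
f8 3c 2f 43 53 3e 3c 4f 53 3e 57 69 6e 58 50 3c
2f 4f 53 3e 3c 43 50 55 3e 31 35 39 36 20 4d 48
7a 3c 2f 43 50 55 3e 3c 4d 45 4d 3e 32 31 31 4d
42 3c 2f 4d 45 4d 3e 3c 53 50 3e ce de ca d3 c6
b5 3c 2f 53 50 3e 3c 42 5a 3e b1 b8 d7 a2 c4 da
c8 dd 3c 2f 42 5a 3e
"""
CHECKIN = bytes.fromhex(CHECKIN_HEX)

# <TAG>value</TAG>; the backreference ties the closing tag to the opening one.
TAG_RE = re.compile(rb"<([A-Z]+)>(.*?)</\1>", re.DOTALL)


def declared_length(packet: bytes) -> int:
    """Big-endian 32-bit body length carried in the first four bytes."""
    return struct.unpack(">I", packet[:4])[0]


def parse_checkin(packet: bytes) -> dict:
    """Validate the length prefix and return the tagged fields in wire order."""
    if len(packet) < 4:
        raise ValueError("packet too short for a length prefix")
    body = packet[4:]
    if declared_length(packet) != len(body):
        raise ValueError(f"prefix says {declared_length(packet)}, body is {len(body)}")
    fields = {}
    for tag, raw in TAG_RE.findall(body):
        try:
            fields[tag.decode("ascii")] = raw.decode("ascii")
        except UnicodeDecodeError:
            # Assumption: non-ASCII values are GBK (the byte ranges fit that).
            fields[tag.decode("ascii")] = raw.decode("gbk", errors="replace")
    return fields


def is_checkin_frame(packet: bytes) -> bool:
    """Structural check only: correct length prefix, first tag <GR>, last tag </BZ>."""
    if len(packet) < 4 or declared_length(packet) != len(packet) - 4:
        return False
    return packet[4:].startswith(b"<GR>") and packet.endswith(b"</BZ>")
```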
Sigs 2007917, 2007918, 2007919 and 2007920 should catch this on any high port.
Re sample 4ee001f20beaeb1bf7bb3335491843c6
--
MattJonkman - 05 Mar 2008