[Snort-sigs] JoltID

Matthew Jonkman matt at ...2436...
Thu Jul 29 09:52:08 EDT 2004


The malware rules are showing us very interesting things on 
bleedingsnort.com. We've added a number of rules for new spyware we've 
found from the parasite rules, and have more to go.

The eventual goal will probably be to learn what we can from the parasite 
rules and then phase them out, highest falses first. They'll move over 
to stable-side though for anyone that wants to continue to use them.

We haven't posted every rule we've added in the last few days, but I 
wanted to put this one out. Trying to figure out the protocol used by 
the JoltID p2p engine that's being left behind by a few adware packages.

alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 \
    (msg:"BLEEDING-EDGE Malware JoltID Agent Keep-Alive"; \
    classtype:trojan-activity; \
    reference:url,www.joltid.com; \
    reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; \
    content:"|4b|"; dsize:1; sid:2001015; rev:1;)

This ought to catch its keep-alive kind of packet that goes out on a 
regular basis. Still looking for a way to figure out what the data is 
that's being redistributed. If you find a machine with this running 
that's not in a sensitive or production area please let it run for a 
while and dump some traffic. There seems to be a lot going on with this 
thing. And we're finding a lot of them.

Thanks

Matt
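The rule above constrains the payload only by content:"|4b|" together with dsize:1, so the single byte 0x4b ('K') fires only when it is the entire TCP payload, and the destination port and the inside-to-outside direction carry the rest of the specificity. The following is an added example, not code from the original post or from Snort: a plain-Python re-implementation of that matching logic run over a handful of constructed packets (the HOME_NET ranges, addresses and payloads are assumptions, not captured JoltID traffic). It shows which neighbouring cases the rule deliberately does not match: a 'K' inside a longer payload, the reply direction, another port, or host-to-host traffic inside HOME_NET.

```python
"""Toy re-implementation of the matching logic of the BLEEDING-EDGE JoltID
keep-alive rule (sid:2001015), run over constructed sample packets.

Added example, not code from the original post or from Snort. HOME_NET,
the addresses and the payloads below are assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed HOME_NET; EXTERNAL_NET is treated as its complement (!$HOME_NET).
HOME_NET = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]


@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes  # transport-layer payload only (what dsize measures)


def in_home_net(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in HOME_NET)


def matches_joltid_keepalive(pkt: Packet) -> bool:
    """Mirror of: alert tcp $HOME_NET any -> $EXTERNAL_NET 3531
    (content:"|4b|"; dsize:1;). Every clause must hold for an alert."""
    if pkt.proto != "tcp":
        return False
    if not in_home_net(pkt.src) or in_home_net(pkt.dst):
        return False                    # direction: inside -> outside only
    if pkt.dport != 3531:
        return False                    # destination port 3531, any source port
    if len(pkt.payload) != 1:
        return False                    # dsize:1 - exactly one payload byte
    return pkt.payload == b"\x4b"       # content:"|4b|" - the byte 'K'


# Constructed packets, not captured traffic. Only the first should fire.
SAMPLES = [
    Packet("tcp", "192.168.1.20", 49152, "203.0.113.5", 3531, b"K"),          # keep-alive
    Packet("tcp", "192.168.1.20", 49152, "203.0.113.5", 3531, b"KEEPALIVE"),  # 'K' but dsize != 1
    Packet("tcp", "203.0.113.5", 3531, "192.168.1.20", 49152, b"K"),          # reply, wrong direction
    Packet("tcp", "192.168.1.20", 49152, "203.0.113.5", 3532, b"K"),          # wrong port
    Packet("udp", "192.168.1.20", 49152, "203.0.113.5", 3531, b"K"),          # not tcp
    Packet("tcp", "192.168.1.20", 49152, "192.168.1.30", 3531, b"K"),         # stays inside HOME_NET
]


def alerts(packets):
    """Return the indices of packets that would fire sid:2001015."""
    return [i for i, p in enumerate(packets) if matches_joltid_keepalive(p)]


if __name__ == "__main__":
    print("BLEEDING-EDGE Malware JoltID Agent Keep-Alive fires on:", alerts(SAMPLES))
```

Because the only payload evidence is one byte, any other client that happens to send a lone 'K' to TCP 3531 would trip the same rule; that is the trade-off of a keep-alive signature and the reason the post asks for traffic dumps to find something more distinctive in the data exchange.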
