matt at ...2436...
Thu Jul 29 09:52:08 EDT 2004
The malware rules are showing us very interesting things on
bleedingsnort.com. We've added a number of rules for new spyware we've
found from the parasite rules, and have more to go.
The eventual goal will probably be to learn what we can from the parasite
rules and then phase them out, highest falses first. They'll move over
to stable-side though for anyone that wants to continue to use them.
We haven't posted every rule we've added in the last few days, but I
wanted to put this one out. Trying to figure out the protocol used by
the JoltID p2p engine that's being left behind by a few adware packages.
alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg:"BLEEDING-EDGE Malware JoltID Agent Keep-Alive"; classtype:trojan-activity; content:"|4b|"; dsize:1; sid:2001015; rev:1;)
This ought to catch its keep-alive kind of packet that goes out on a
regular basis. Still looking for a way to figure out what the data is
that's being redistributed. If you find a machine with this running
that's not in a sensitive or production area please let it run for a
while and dump some traffic. There seems to be a lot going on with this
thing. And we're finding a lot of them.
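To show exactly which packets the rule above fires on (and which the dsize and port conditions filter out), here is an added example that is not part of the original post or the Bleeding Snort tooling: it parses the rule's header and option block and evaluates them against a few constructed packet records. The HOME_NET range, the packet records, and the function names are assumptions for the example.

```python
"""Minimal matcher for the JoltID keep-alive rule (added example)."""
import ipaddress
import re

RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg:"BLEEDING-EDGE '
        'Malware JoltID Agent Keep-Alive"; classtype:trojan-activity; '
        'content:"|4b|"; dsize:1; sid:2001015; rev:1;)')

# Assumed network boundary; $EXTERNAL_NET is modelled as !$HOME_NET.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")

def parse_rule(rule: str) -> dict:
    """Split the header fields and the key:value options into one dict."""
    header, options = rule.split("(", 1)
    action, proto, src, sport, _, dst, dport = header.split()
    opts = dict(re.findall(r'(\w+):"?([^";]*)"?;', options))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, **opts}

def snort_content_bytes(spec: str) -> bytes:
    """Turn Snort content syntax (|4b| hex blocks, literal text) into bytes."""
    out = b""
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out

def matches(rule: dict, pkt: dict) -> bool:
    """Check protocol, HOME_NET -> EXTERNAL_NET direction, port, dsize, content."""
    src_ip, dst_ip = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    if pkt["proto"] != rule["proto"]:
        return False
    if src_ip not in HOME_NET or dst_ip in HOME_NET:
        return False
    if rule["dport"] != "any" and pkt["dport"] != int(rule["dport"]):
        return False
    if "dsize" in rule and len(pkt["payload"]) != int(rule["dsize"]):
        return False
    return snort_content_bytes(rule["content"]) in pkt["payload"]

# Constructed sample packets: only the first one is a 1-byte 0x4b to port 3531.
PACKETS = [
    {"proto": "tcp", "src": "192.168.1.10", "dst": "203.0.113.5", "dport": 3531, "payload": b"\x4b"},
    {"proto": "tcp", "src": "192.168.1.10", "dst": "203.0.113.5", "dport": 3531, "payload": b"\x4b\x00"},
    {"proto": "tcp", "src": "192.168.1.10", "dst": "203.0.113.5", "dport": 80, "payload": b"\x4b"},
    {"proto": "tcp", "src": "203.0.113.5", "dst": "192.168.1.10", "dport": 3531, "payload": b"\x4b"},
]

def alerts(packets=PACKETS) -> list:
    """Return the indexes of the packets the rule would alert on."""
    rule = parse_rule(RULE)
    return [i for i, p in enumerate(packets) if matches(rule, p)]
```

The second packet shows why dsize:1 matters: a two-byte payload still contains 0x4b, so without the size check the rule would fire on any outbound byte stream to 3531 that happens to carry a "K".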