[Snort-sigs] Possible trojan rule

Matthew Jonkman matt at ...2436...
Thu Jun 3 07:59:23 EDT 2004


Identified it positively as Virtumonde spyware.

Info available here:
http://sarc.com/avcenter/venc/data/adware.virtumonde.html

Most recent version available here: http://snort.infotex.com

For the life of me I couldn't get it to hit with uricontent. Took a few 
suggestions and even narrowed down the content to siae3123.exe only and 
still nothing. Drop it back to content and it hits every time. If anyone 
can help me understand why, I'd appreciate it.

It uses 2 ports so I've added a second rule and adjusted the name.

Working versions:
--------------------
alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Virtumonde Spyware siae323.exe GET"; content:"GET /siae3123.exe"; nocase; classtype:policy-violation; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; sid:2000306; rev:4;)
alert tcp $HOME_NET any -> any 8081 (msg:"BLEEDING-EDGE Virtumonde Spyware siae323.exe GET"; content:"GET /siae3123.exe"; nocase; classtype:policy-violation; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; sid:2000307; rev:1;)
---------------------

Non-working uricontent versions:
----------------------
alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Virtumonde Spyware siae323.exe GET"; uricontent:"siae3123.exe"; nocase; classtype:policy-violation; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; sid:2000306; rev:4;)
alert tcp $HOME_NET any -> any 8081 (msg:"BLEEDING-EDGE Virtumonde Spyware siae323.exe GET"; uricontent:"siae3123.exe"; nocase; classtype:policy-violation; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; sid:2000307; rev:1;)



Hugo van der Kooij wrote:

> On Wed, 2 Jun 2004, Matthew Jonkman wrote:
> 
> 
>>We're finding a number of client machines infected with something. Not
>>sure what it is. The symptom is it downloads
>>
>>http://209.123.150.15/siae3123.exe
> 
> 
> 3 different virus scanners could not find any harm in them. Functions
> called inside:
> 
> 	ExitProcess
> 	Sleep
> 
> Filename referenced:
> 
> 	c:\Projects\Empty\Empty\Release\Empty.pdb
> 
> Various internet pages seem to indicate this as spyware.
> 
> Hugo.
> 

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
--------------------------------------------


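A small model of the two match paths in the post, added here as an illustration (it is not Snort's code and not the rules above): a `content` option searches the raw TCP payload, while `uricontent` searches a separate URI buffer that the Snort 2.x http_inspect preprocessor fills only for the ports it is configured to inspect. The `Packet`, `Rule` and `fired_sids` names are the example's own, the request bytes are constructed, and the port list `{80}` is an assumed http_inspect configuration. It shows why a content rule can fire on port 8081 while the uricontent version stays silent there, and why a uricontent pattern that includes the method ("GET /...") never matches at all, since the URI buffer holds only the path.

```python
# Toy model of Snort 2.x "content" (raw payload) versus "uricontent" (URI buffer
# produced by http_inspect).  Added example, not Snort's own code; it models only
# the port gate of http_inspect and the scope of the URI buffer.
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Packet:
    dst_port: int
    payload: bytes


@dataclass
class Rule:
    sid: int
    dst_port: int
    content: Optional[str] = None     # matched against the raw TCP payload
    uricontent: Optional[str] = None  # matched against the decoded request-URI only
    nocase: bool = True


def extract_uri(payload: bytes) -> Optional[bytes]:
    """Pull the request-URI out of an HTTP request line (METHOD SP URI SP VERSION)."""
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[0].isalpha():
        return None
    return parts[1]


def inspected_uri(pkt: Packet, http_ports: Set[int]) -> Optional[bytes]:
    """The URI buffer only exists if http_inspect was configured for this port."""
    if pkt.dst_port not in http_ports:
        return None
    return extract_uri(pkt.payload)


def _contains(haystack: bytes, needle: str, nocase: bool) -> bool:
    n = needle.encode()
    if nocase:
        return n.lower() in haystack.lower()
    return n in haystack


def rule_matches(rule: Rule, pkt: Packet, http_ports: Set[int]) -> bool:
    if rule.dst_port != pkt.dst_port:
        return False
    if rule.content is not None and not _contains(pkt.payload, rule.content, rule.nocase):
        return False
    if rule.uricontent is not None:
        uri = inspected_uri(pkt, http_ports)
        if uri is None or not _contains(uri, rule.uricontent, rule.nocase):
            return False
    return True


def fired_sids(rules: List[Rule], pkt: Packet, http_ports: Set[int]) -> List[int]:
    """Return the sids of every rule that would alert on this packet."""
    return [r.sid for r in rules if rule_matches(r, pkt, http_ports)]


# The two rule variants from the post, reduced to the options that matter here.
CONTENT_RULES = [
    Rule(sid=2000306, dst_port=80, content="GET /siae3123.exe"),
    Rule(sid=2000307, dst_port=8081, content="GET /siae3123.exe"),
]
URICONTENT_RULES = [
    Rule(sid=2000306, dst_port=80, uricontent="siae3123.exe"),
    Rule(sid=2000307, dst_port=8081, uricontent="siae3123.exe"),
]

# Constructed sample request: host and path come from the post, headers are made up.
REQUEST = b"GET /siae3123.exe HTTP/1.1\r\nHost: 209.123.150.15\r\nUser-Agent: x\r\n\r\n"
REQ_80 = Packet(80, REQUEST)
REQ_8081 = Packet(8081, REQUEST)

if __name__ == "__main__":
    for ports in ({80}, {80, 8081}):
        print(f"http_inspect ports={sorted(ports)}")
        for name, rules in (("content", CONTENT_RULES), ("uricontent", URICONTENT_RULES)):
            print(f"  {name:10s} port 80 -> {fired_sids(rules, REQ_80, ports)}"
                  f"  port 8081 -> {fired_sids(rules, REQ_8081, ports)}")
```

In a real snort.conf the equivalent knob is the `ports { ... }` list on the `preprocessor http_inspect_server:` line; a uricontent rule on a port missing from that list has nothing to match against, whatever the payload carries.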
