[Snort-sigs] Possible trojan rule

Stark, Vernon L. Vern.Stark at ...2533...
Thu Jun 3 10:36:14 EDT 2004


A complete dump follows.  Note that the following includes conversations
with both remote hosts.

Vern



some.host.1715 -> 209.123.150.14.www over TCP
        <No data>
-----------------------------------------------------------------
209.123.150.14.www -> some.host.1715 over TCP
        <No data>
-----------------------------------------------------------------
some.host.1715 -> 209.123.150.14.www over TCP
        <No data>
-----------------------------------------------------------------
some.host.1715 -> 209.123.150.14.www over TCP
        POST / HTTP/1.1.
        g_Version: 25.
        g_SetID: J`y.
        g_AffiliateID: y.
        g_URL: 8.
        g_Client: .Sf"yG:yGG:JGJ:Nk
%uK.q+,y^ZcSy:n}Iy:P'][HA:On]@8/FQ"`:y:J9GGg)O?BFVO S[VE
yi8.K"9:G:JNGG:yyG98vR"!GG8Z}V"KQxAFf'86Wn"GGGGGkGh#o)]VV=}QQ"/On +]Q GJ
Jy"yh"Gy JGGko=}QQ"/On +]Q GJ Jy"yh"Gy JGGko=}QQp]I"!NofU=}QQOVUv})O?BO?\v']
+]Q G! Gh"yh"Gy JGGkoe;9GGGG>1;!9GGGGG>R;k!JGGGGGo.
        g_ClientGUID: 0`-N=cc-G^-9XK^k`k,^chcG^c-!!,X-y=h,cb.
        g_GZipSupported: U?]O.
        g_UID: jyjjJm[JY|!!cI1Xn[J[INx`w:.
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1).
        Host: virtumonde.com.
        Content-Length: 647.
        Cache-Control: no-cache.
        .

-----------------------------------------------------------------
some.host.1715 -> 209.123.150.14.www over TCP
        )vcv.)v.=) 00 Dcq_ZvD DyGyD b0 Dq*/pZ*cqD DyGyD b0 DrS!_vK)vD DyGGD
b0 DvuclKZD DyGyD b0 Dl.cwucD DJGGD b0 D/clD DyD bg D[HAmOWD DND D!D ig
Dx?}]Hf:x}}xAO:V}ID DyG`D DJD ig DFI[xO-!:Ox][?n:V}ID DyD DyD ig
DfO[?V':'}Qn[V[?f:V}ID DJD DyD ig DfOVmmm:P'][HA:On]D DJGD DkD ig
DUV[H:fU?FEOQOU:Pf:IFAD DND DyD ig Dmmm:V[?I[Y:V}ID DkhD D`D ig
Dmmm:V?~}^VOAA:V}ID D-!D DkD ig Dmmm:xV:]f[[:V}ID DyND D!D ig
Dmmm:'}Qn[:V}ID DGD DyD ig Dmmm:'}Qn[V[?f:V}ID DJGD D!D ig Dmmm:AV:]f[[:V}ID
DyyD D!D ig Dmmm:HVf]HO?V'[?xO?:V}ID DyD DyD ig Dmmm:]f[[:V}ID D-hD DyJD ig
Dmmm:BF[V}?n:V}ID Dy`D D!D ig DYAFIO:}aaO?}HUFIFMO?:V}ID D9D D`D i7^JGGk G9
GJ !!k Gh"yG^Jy"`N^<b
-----------------------------------------------------------------
209.123.150.14.www -> some.host.1715 over TCP
        <No data>
-----------------------------------------------------------------
209.123.150.14.www -> some.host.1715 over TCP
        <No data>
-----------------------------------------------------------------
209.123.150.14.www -> some.host.1715 over TCP
        HTTP/1.1 200 Ok .
        Content-Type: text/html; charset=iso-8859-1.
        Pragma: No-cache.
        Expires: Mon, 26 Jul 1997 05:00:00 GMT.
        Content-Length: 103.
        Connection: close.
        Content-Type: text/html.
        Content-Language: en.
        Date: Thu Jun  3 09:24:20 2004.
        Location: .
        Server: V-Soft/NOYAU/VADV 1.3 builded Jun  2 2004.
        Test:  [B[FA.
        e_Test:  avail.
        e_g_AdCategory:  Some.
        e_g_Date: Thu Jun  3 09:24:20 2004.
        e_g_PopupPerDay:  2.
        e_g_SetIDWas:  Unreleased.
        e_g_StatisticsUploadDelay:  1.
        e_g_UID: $1$$2wa2xH33AmYBda2am8g5G..
        g_AdCategory:  )}IO.
        g_Date: v'] +]Q  ! Gh"Jk"JG JGGk.
        g_MaxCategoryAppearances: .
        g_Popup: U?]O.
        g_PopupPerDay:  J.
        g_SetIDWas:  _Q?OAO[fOn.
        g_StatisticsUploadDelay:  y.
        g_StealFocus: a[AfO.
        g_UID: jyjjJm[JY|!!cI1Xn[J[INx`w:.
        g_URL: 8.
        .
        x..Vpv..p.t.SPrqus..    QRP2R..
        ..      V..R.())...OL).+.O+)O,J./-I.,.K...
        ...d.(q.r.....th(8..x*(i))hr....p?.B.

-----------------------------------------------------------------
some.host.1715 -> 209.123.150.14.www over TCP
        <No data>
-----------------------------------------------------------------
some.host.1715 -> 209.123.150.14.www over TCP
        <No data>
-----------------------------------------------------------------
some.host.1715 -> 209.123.150.14.www over TCP
        <No data>
-----------------------------------------------------------------
209.123.150.14.www -> some.host.1715 over TCP
        <No data>
-----------------------------------------------------------------
some.host.1716 -> 209.123.150.15.www over TCP
        <No data>
-----------------------------------------------------------------
209.123.150.15.www -> some.host.1716 over TCP
        <No data>
-----------------------------------------------------------------
some.host.1716 -> 209.123.150.15.www over TCP
        <No data>
-----------------------------------------------------------------
some.host.1716 -> 209.123.150.15.www over TCP
        GET /siae3123.exe HTTP/1.1.
        If-Modified-Since: Tue, 01 Jun 2004 15:16:43 GMT.
        If-None-Match: "3ee414-800-40bc9ddb".
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1).
        Host: updates.virtumonde.com.
        .

-----------------------------------------------------------------
209.123.150.15.www -> some.host.1716 over TCP
        HTTP/1.1 304 Not Modified.
        Date: Thu, 03 Jun 2004 13:18:56 GMT.
        Server: Apache/1.3.29 (Unix).
        Connection: close.
        ETag: "3ee414-800-40bc9ddb".
        .

-----------------------------------------------------------------
209.123.150.15.www -> some.host.1716 over TCP
        <No data>
-----------------------------------------------------------------
some.host.1716 -> 209.123.150.15.www over TCP
        <No data>
-----------------------------------------------------------------
some.host.1716 -> 209.123.150.15.www over TCP
        <No data>
-----------------------------------------------------------------
209.123.150.15.www -> some.host.1716 over TCP
        <No data>


And the version without content in case it's of interest:

09:18:55.932367 some.host.1715 > 209.123.150.14.80: S
2593732747:2593732747(0) win 64240 <mss 1380,nop,nop,sackOK> (DF)
09:18:55.958243 209.123.150.14.80 > some.host.1715: S 669120333:669120333(0)
ack 2593732748 win 65535 <mss 1460> (DF)
09:18:55.981545 some.host.1715 > 209.123.150.14.80: . ack 1 win 64860 (DF)
09:18:55.986439 some.host.1715 > 209.123.150.14.80: P 1:608(607) ack 1 win
64860 (DF)
09:18:55.989483 some.host.1715 > 209.123.150.14.80: P 608:1255(647) ack 1
win 64860 (DF)
09:18:56.015623 209.123.150.14.80 > some.host.1715: . ack 1255 win 65535
(DF)
09:18:56.018346 209.123.150.14.80 > some.host.1715: F 853:853(0) ack 1255
win 65535 (DF)
09:18:56.018809 209.123.150.14.80 > some.host.1715: P 1:853(852) ack 1255
win 65535 (DF)
09:18:56.055276 some.host.1715 > 209.123.150.14.80: . ack 1 win 64860 (DF)
09:18:56.068691 some.host.1715 > 209.123.150.14.80: . ack 854 win 64008 (DF)
09:18:56.069799 some.host.1715 > 209.123.150.14.80: F 1255:1255(0) ack 854
win 64008 (DF)
09:18:56.095513 209.123.150.14.80 > some.host.1715: . ack 1256 win 65535
(DF)
09:18:56.239589 some.host.1716 > 209.123.150.15.80: S
4288027881:4288027881(0) win 64240 <mss 1380,nop,nop,sackOK> (DF)
09:18:56.265628 209.123.150.15.80 > some.host.1716: S
2702138156:2702138156(0) ack 4288027882 win 65535 <mss 1460> (DF)
09:18:56.294470 some.host.1716 > 209.123.150.15.80: . ack 1 win 64860 (DF)
09:18:56.298757 some.host.1716 > 209.123.150.15.80: P 1:213(212) ack 1 win
64860 (DF)
09:18:56.324624 209.123.150.15.80 > some.host.1716: P 1:145(144) ack 213 win
65535 (DF)
09:18:56.324632 209.123.150.15.80 > some.host.1716: F 145:145(0) ack 213 win
65535 (DF)
09:18:56.349323 some.host.1716 > 209.123.150.15.80: F 213:213(0) ack 145 win
64716 (DF)
09:18:56.350239 some.host.1716 > 209.123.150.15.80: . ack 146 win 64716 (DF)
09:18:56.380670 209.123.150.15.80 > some.host.1716: F 145:145(0) ack 214 win
65535 (DF)


-----Original Message-----
From: Matthew Jonkman [mailto:matt at ...2436...]
Sent: Thursday, June 03, 2004 12:16 PM
To: Stark, Vernon L.
Cc: 'snort-sigs at lists.sourceforge.net'
Subject: Re: [Snort-sigs] Possible trojan rule


Do you have a dump of that post of info?  I cleaned my infected ones but 
would like to write a rule to catch that as well.

The rules to catch the updates are dependent on them using the same file 
name, and thus probably won't last long.

Thanks. Nice catch.

Matt

Stark, Vernon L. wrote:

> In addition to retrieving an executable from 209.123.150.15, this malware
> may be generating pop-up ads and sending at least statistical information
> to virtumonde.com (209.123.150.14).  Content exchanged with 209.123.150.14
> includes:
> 
> e_g_AdCategory:  Some
> e_g_PopupPerDay:  2
> e_g_StatisticsUploadDelay:  1
> g_Popup: U?]O
> g_PopupPerDay:  J
> g_StatisticsUploadDelay:  y
> g_StealFocus: a[AfO
> g_UID: jyjjJm[JY|!!cI1Xn[J[INx`w:
> g_URL: 8
> 
> Vern
> 
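
As an added illustration (not rules from the original post, and not rules
shipped by the Snort project), the following Snort 2 rules key on the parts
of the two exchanges above that are unlikely to change between clients.  The
sids are local-range placeholders, and $HOME_NET, $EXTERNAL_NET and
$HTTP_PORTS are assumed to be the usual snort.conf variables.  The POST rule
anchors on the fixed g_* header names and the Host header rather than on the
encoded values, which differ per client and session; the update rule anchors
on the Host header and a request for a .exe rather than on the siae3123.exe
file name, which Matt expects to change; the third rule matches the server's
own banner in the reply, so it fires even if the client side is altered.

```snort
# Added example rules, not from the original post.  sid 1000001-1000003 are
# local-range placeholders; $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS are the
# standard snort.conf variables.  flow: needs a stream preprocessor enabled.

# Statistics/beacon upload: POST / with the g_* header block to virtumonde.com.
# Matches header names only; the values (g_SetID, g_Client, g_UID ...) are
# encoded and vary, so they are not used as content.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Virtumonde client statistics POST to virtumonde.com"; flow:to_server,established; content:"POST / HTTP/1."; depth:14; content:"g_Version|3A| "; content:"g_SetID|3A| "; content:"g_ClientGUID|3A| "; content:"Host|3A| virtumonde.com"; nocase; classtype:trojan-activity; sid:1000001; rev:1;)

# Update check: GET of any .exe from updates.virtumonde.com.  Deliberately does
# not include siae3123.exe so the rule survives a file-name change.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Virtumonde update check to updates.virtumonde.com"; flow:to_server,established; content:"GET /"; depth:5; content:".exe HTTP/1."; within:60; content:"Host|3A| updates.virtumonde.com"; nocase; classtype:trojan-activity; sid:1000002; rev:1;)

# Server side of the statistics exchange: the non-standard Server banner seen
# in the 200 reply.  Build/date text after VADV is left out as version-specific.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Virtumonde server banner in HTTP reply"; flow:to_client,established; content:"Server|3A| V-Soft/NOYAU/VADV"; classtype:trojan-activity; sid:1000003; rev:1;)
```

To check the rules against the traffic above, replay the original capture
with `snort -c snort.conf -r capture.pcap` (assuming the tcpdump session was
saved to a pcap) and confirm that sid 1000001 fires on the 1715 connection,
sid 1000003 on its reply, and sid 1000002 on the 1716 connection.  Note that
the 304 Not Modified reply on the update check carries a stock Apache banner,
so only the client side of that exchange is worth matching.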



