[Snort-sigs] Possible trojan rule

Matthew Jonkman matt at ...2436...
Thu Jun 3 12:28:13 EDT 2004


I think this will be specific enough to not hit many false positives.

# Match on the client side of the exchange only: the e_g_* fields (such as
# e_g_StatisticsUploadDelay) appear in the server's reply, so a
# $HOME_NET -> 80 rule never sees them, and uricontent inspects only the
# URI buffer, so "POST /" has to be a plain content match against the
# start of the payload.
alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Virtumonde Spyware \
Information Post"; flow:to_server,established; content:"POST / "; depth:7; \
content:"g_AffiliateID|3A|"; nocase; content:"g_ClientGUID|3A|"; nocase; \
content:"Host|3A| virtumonde.com"; nocase; classtype:policy-violation; \
reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; \
sid:2000307; rev:2;)

It's in the bleeding set, no falses yet...

Matt

Stark, Vernon L. wrote:

> A complete dump follows.  Note that the following includes conversations
> with both remote hosts.
> 
> Vern
> 
> 
> 
> some.host.1715 -> 209.123.150.14.www over TCP
>         <No data>
> -----------------------------------------------------------------
> 209.123.150.14.www -> some.host.1715 over TCP
>         <No data>
> -----------------------------------------------------------------
> some.host.1715 -> 209.123.150.14.www over TCP
>         <No data>
> -----------------------------------------------------------------
> some.host.1715 -> 209.123.150.14.www over TCP
>         POST / HTTP/1.1.
>         g_Version: 25.
>         g_SetID: J`y.
>         g_AffiliateID: y.
>         g_URL: 8.
>         g_Client: .Sf"yG:yGG:JGJ:Nk
> %uK.q+,y^ZcSy:n}Iy:P'][HA:On]@8/FQ"`:y:J9GGg)O?BFVO S[VE
> yi8.K"9:G:JNGG:yyG98vR"!GG8Z}V"KQxAFf'86Wn"GGGGGkGh#o)]VV=}QQ"/On +]Q GJ
> Jy"yh"Gy JGGko=}QQ"/On +]Q GJ Jy"yh"Gy JGGko=}QQp]I"!NofU=}QQOVUv})O?BO?\v']
> +]Q G! Gh"yh"Gy JGGkoe;9GGGG>1;!9GGGGG>R;k!JGGGGGo.
>         g_ClientGUID: 0`-N=cc-G^-9XK^k`k,^chcG^c-!!,X-y=h,cb.
>         g_GZipSupported: U?]O.
>         g_UID: jyjjJm[JY|!!cI1Xn[J[INx`w:.
>         User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1).
>         Host: virtumonde.com.
>         Content-Length: 647.
>         Cache-Control: no-cache.
>         .
> 
> -----------------------------------------------------------------
> some.host.1715 -> 209.123.150.14.www over TCP
>         )vcv.)v.=) 00 Dcq_ZvD DyGyD b0 Dq*/pZ*cqD DyGyD b0 DrS!_vK)vD DyGGD
> b0 DvuclKZD DyGyD b0 Dl.cwucD DJGGD b0 D/clD DyD bg D[HAmOWD DND D!D ig
> Dx?}]Hf:x}}xAO:V}ID DyG`D DJD ig DFI[xO-!:Ox][?n:V}ID DyD DyD ig
> DfO[?V':'}Qn[V[?f:V}ID DJD DyD ig DfOVmmm:P'][HA:On]D DJGD DkD ig
> DUV[H:fU?FEOQOU:Pf:IFAD DND DyD ig Dmmm:V[?I[Y:V}ID DkhD D`D ig
> Dmmm:V?~}^VOAA:V}ID D-!D DkD ig Dmmm:xV:]f[[:V}ID DyND D!D ig
> Dmmm:'}Qn[:V}ID DGD DyD ig Dmmm:'}Qn[V[?f:V}ID DJGD D!D ig Dmmm:AV:]f[[:V}ID
> DyyD D!D ig Dmmm:HVf]HO?V'[?xO?:V}ID DyD DyD ig Dmmm:]f[[:V}ID D-hD DyJD ig
> Dmmm:BF[V}?n:V}ID Dy`D D!D ig DYAFIO:}aaO?}HUFIFMO?:V}ID D9D D`D i7^JGGk G9
> GJ !!k Gh"yG^Jy"`N^<b
> -----------------------------------------------------------------
> 209.123.150.14.www -> some.host.1715 over TCP
>         <No data>
> -----------------------------------------------------------------
> 209.123.150.14.www -> some.host.1715 over TCP
>         <No data>
> -----------------------------------------------------------------
> 209.123.150.14.www -> some.host.1715 over TCP
>         HTTP/1.1 200 Ok .
>         Content-Type: text/html; charset=iso-8859-1.
>         Pragma: No-cache.
>         Expires: Mon, 26 Jul 1997 05:00:00 GMT.
>         Content-Length: 103.
>         Connection: close.
>         Content-Type: text/html.
>         Content-Language: en.
>         Date: Thu Jun  3 09:24:20 2004.
>         Location: .
>         Server: V-Soft/NOYAU/VADV 1.3 builded Jun  2 2004.
>         Test:  [B[FA.
>         e_Test:  avail.
>         e_g_AdCategory:  Some.
>         e_g_Date: Thu Jun  3 09:24:20 2004.
>         e_g_PopupPerDay:  2.
>         e_g_SetIDWas:  Unreleased.
>         e_g_StatisticsUploadDelay:  1.
>         e_g_UID: $1$$2wa2xH33AmYBda2am8g5G..
>         g_AdCategory:  )}IO.
>         g_Date: v'] +]Q  ! Gh"Jk"JG JGGk.
>         g_MaxCategoryAppearances: .
>         g_Popup: U?]O.
>         g_PopupPerDay:  J.
>         g_SetIDWas:  _Q?OAO[fOn.
>         g_StatisticsUploadDelay:  y.
>         g_StealFocus: a[AfO.
>         g_UID: jyjjJm[JY|!!cI1Xn[J[INx`w:.
>         g_URL: 8.
>         .
>         x..Vpv..p.t.SPrqus..    QRP2R..
>         ..      V..R.())...OL).+.O+)O,J./-I.,.K...
>         ...d.(q.r.....th(8..x*(i))hr....p?.B.
> 
> -----------------------------------------------------------------
> some.host.1715 -> 209.123.150.14.www over TCP
>         <No data>
> -----------------------------------------------------------------
> some.host.1715 -> 209.123.150.14.www over TCP
>         <No data>
> -----------------------------------------------------------------
> some.host.1715 -> 209.123.150.14.www over TCP
>         <No data>
> -----------------------------------------------------------------
> 209.123.150.14.www -> some.host.1715 over TCP
>         <No data>
> -----------------------------------------------------------------
> some.host.1716 -> 209.123.150.15.www over TCP
>         <No data>
> -----------------------------------------------------------------
> 209.123.150.15.www -> some.host.1716 over TCP
>         <No data>
> -----------------------------------------------------------------
> some.host.1716 -> 209.123.150.15.www over TCP
>         <No data>
> -----------------------------------------------------------------
> some.host.1716 -> 209.123.150.15.www over TCP
>         GET /siae3123.exe HTTP/1.1.
>         If-Modified-Since: Tue, 01 Jun 2004 15:16:43 GMT.
>         If-None-Match: "3ee414-800-40bc9ddb".
>         User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1).
>         Host: updates.virtumonde.com.
>         .
> 
> -----------------------------------------------------------------
> 209.123.150.15.www -> some.host.1716 over TCP
>         HTTP/1.1 304 Not Modified.
>         Date: Thu, 03 Jun 2004 13:18:56 GMT.
>         Server: Apache/1.3.29 (Unix).
>         Connection: close.
>         ETag: "3ee414-800-40bc9ddb".
>         .
> 
> -----------------------------------------------------------------
> 209.123.150.15.www -> some.host.1716 over TCP
>         <No data>
> -----------------------------------------------------------------
> some.host.1716 -> 209.123.150.15.www over TCP
>         <No data>
> -----------------------------------------------------------------
> some.host.1716 -> 209.123.150.15.www over TCP
>         <No data>
> -----------------------------------------------------------------
> 209.123.150.15.www -> some.host.1716 over TCP
>         <No data>
> 
> 
> And the version without content in case it's of interest:
> 
> 09:18:55.932367 some.host.1715 > 209.123.150.14.80: S
> 2593732747:2593732747(0) win 64240 <mss 1380,nop,nop,sackOK> (DF)
> 09:18:55.958243 209.123.150.14.80 > some.host.1715: S 669120333:669120333(0)
> ack 2593732748 win 65535 <mss 1460> (DF)
> 09:18:55.981545 some.host.1715 > 209.123.150.14.80: . ack 1 win 64860 (DF)
> 09:18:55.986439 some.host.1715 > 209.123.150.14.80: P 1:608(607) ack 1 win
> 64860 (DF)
> 09:18:55.989483 some.host.1715 > 209.123.150.14.80: P 608:1255(647) ack 1
> win 64860 (DF)
> 09:18:56.015623 209.123.150.14.80 > some.host.1715: . ack 1255 win 65535
> (DF)
> 09:18:56.018346 209.123.150.14.80 > some.host.1715: F 853:853(0) ack 1255
> win 65535 (DF)
> 09:18:56.018809 209.123.150.14.80 > some.host.1715: P 1:853(852) ack 1255
> win 65535 (DF)
> 09:18:56.055276 some.host.1715 > 209.123.150.14.80: . ack 1 win 64860 (DF)
> 09:18:56.068691 some.host.1715 > 209.123.150.14.80: . ack 854 win 64008 (DF)
> 09:18:56.069799 some.host.1715 > 209.123.150.14.80: F 1255:1255(0) ack 854
> win 64008 (DF)
> 09:18:56.095513 209.123.150.14.80 > some.host.1715: . ack 1256 win 65535
> (DF)
> 09:18:56.239589 some.host.1716 > 209.123.150.15.80: S
> 4288027881:4288027881(0) win 64240 <mss 1380,nop,nop,sackOK> (DF)
> 09:18:56.265628 209.123.150.15.80 > some.host.1716: S
> 2702138156:2702138156(0) ack 4288027882 win 65535 <mss 1460> (DF)
> 09:18:56.294470 some.host.1716 > 209.123.150.15.80: . ack 1 win 64860 (DF)
> 09:18:56.298757 some.host.1716 > 209.123.150.15.80: P 1:213(212) ack 1 win
> 64860 (DF)
> 09:18:56.324624 209.123.150.15.80 > some.host.1716: P 1:145(144) ack 213 win
> 65535 (DF)
> 09:18:56.324632 209.123.150.15.80 > some.host.1716: F 145:145(0) ack 213 win
> 65535 (DF)
> 09:18:56.349323 some.host.1716 > 209.123.150.15.80: F 213:213(0) ack 145 win
> 64716 (DF)
> 09:18:56.350239 some.host.1716 > 209.123.150.15.80: . ack 146 win 64716 (DF)
> 09:18:56.380670 209.123.150.15.80 > some.host.1716: F 145:145(0) ack 214 win
> 65535 (DF)
> 
> 
> -----Original Message-----
> From: Matthew Jonkman [mailto:matt at ...2436...]
> Sent: Thursday, June 03, 2004 12:16 PM
> To: Stark, Vernon L.
> Cc: 'snort-sigs at lists.sourceforge.net'
> Subject: Re: [Snort-sigs] Possible trojan rule
> 
> 
> Do you have a dump of that post of info?  I cleaned my infected ones but 
> would like to write a rule to catch that as well.
> 
> The rules to catch the updates are dependent on them using the same file 
> name, and thus probably won't last long.
> 
> Thanks. Nice catch.
> 
> Matt
> 
> Stark, Vernon L. wrote:
> 
> 
>>In addition to retrieving an executable from 209.123.150.15, this malware
>>may be generating pop-up ads and sending at least statistical information to
>>virtumonde.com (209.123.150.14).  Content exchanged with 209.123.150.14
>>includes:
>>
>>e_g_AdCategory:  Some
>>e_g_PopupPerDay:  2
>>e_g_StatisticsUploadDelay:  1
>>g_Popup: U?]O
>>g_PopupPerDay:  J
>>g_StatisticsUploadDelay:  y
>>g_StealFocus: a[AfO
>>g_UID: jyjjJm[JY|!!cI1Xn[J[INx`w:
>>g_URL: 8
>>
>>Vern
>>
> 
> 
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
--------------------------------------------


NOTICE: The information contained in this email is confidential
and intended solely for the intended recipient. Any use,
distribution, transmittal or retransmittal of information
contained in this email by persons who are not intended
recipients may be a violation of law and is strictly prohibited.
If you are not the intended recipient, please contact the sender
and delete all copies.
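Added example, not part of the thread and not code from the Bleeding Edge rule set: the exchange Vern dumped, replayed through a small Python matcher that models Snort's content/uricontent/depth semantics. It shows which strings are actually visible to a $HOME_NET -> 80 rule, why a rule built from a mixed request/response listing never fires, and why Matt's filename-based update rule is brittle next to a Host-based one. Payloads are reconstructed from the headers in the dump with the obfuscated bodies replaced by filler; the renamed-update flow and the rule dictionaries are constructed for illustration.

```python
"""Replay the Virtumonde flows quoted in the thread through a minimal
Snort-style content matcher.  Added example, not code from the thread or
from the Bleeding Edge rule set.  Payloads are rebuilt from the headers
visible in the dump; the obfuscated bodies are stood in for by filler."""

# Client -> server statistics POST (headers copied from the dump, body replaced
# by filler of the advertised Content-Length).
STATS_POST = (
    b"POST / HTTP/1.1\r\n"
    b"g_Version: 25\r\n"
    b"g_SetID: J`y\r\n"
    b"g_AffiliateID: y\r\n"
    b"g_URL: 8\r\n"
    b"g_Client: <obfuscated>\r\n"
    b"g_ClientGUID: 0`-N=cc-G^-9XK^k`k,^chcG^c-!!,X-y=h,cb\r\n"
    b"g_GZipSupported: U?]O\r\n"
    b"g_UID: jyjjJm[JY|!!cI1Xn[J[INx`w:\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"Host: virtumonde.com\r\n"
    b"Content-Length: 647\r\n"
    b"Cache-Control: no-cache\r\n\r\n" + b"X" * 647
)
# Server -> client reply: the e_g_* fields live here, not in the request.
STATS_REPLY = (
    b"HTTP/1.1 200 Ok\r\n"
    b"Server: V-Soft/NOYAU/VADV 1.3 builded Jun  2 2004\r\n"
    b"e_g_PopupPerDay:  2\r\n"
    b"e_g_StatisticsUploadDelay:  1\r\n"
    b"g_StatisticsUploadDelay:  y\r\n"
    b"Content-Length: 103\r\n\r\n" + b"Y" * 103
)
UPDATE_GET = (
    b"GET /siae3123.exe HTTP/1.1\r\n"
    b'If-None-Match: "3ee414-800-40bc9ddb"\r\n'
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"Host: updates.virtumonde.com\r\n\r\n"
)
UPDATE_REPLY = b"HTTP/1.1 304 Not Modified\r\nServer: Apache/1.3.29 (Unix)\r\n\r\n"

STATS_FLOW = {"to_server": STATS_POST, "to_client": STATS_REPLY}
UPDATE_FLOW = {"to_server": UPDATE_GET, "to_client": UPDATE_REPLY}
# Constructed: the same fetch after the operator renames the update file.
RENAMED_FLOW = {"to_server": UPDATE_GET.replace(b"siae3123", b"q7k02"),
                "to_client": UPDATE_REPLY}


def request_uri(payload):
    """The buffer Snort's uricontent inspects: only the URI of the request line,
    never the method, so 'POST /' cannot be found here."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def content_match(buf, pattern, nocase=False, depth=None):
    """Snort content: optional depth limits the search to the first N bytes."""
    hay = buf if depth is None else buf[:depth]
    return (pattern.lower() in hay.lower()) if nocase else (pattern in hay)


def failing_patterns(rule, flow):
    """Every match in `rule` that fails against the payload in the rule's
    direction; an empty list means the rule fires."""
    payload = flow[rule["direction"]]
    misses = []
    for kind, pattern, opts in rule["matches"]:
        buf = request_uri(payload) if kind == "uricontent" else payload
        if not content_match(buf, pattern, **opts):
            misses.append(pattern)
    return misses


def rule_fires(rule, flow):
    return not failing_patterns(rule, flow)


def seen_only_in_reply(rule, flow):
    """Failing patterns that do occur in the opposite direction: the usual sign
    that a rule was written from a mixed request/response listing."""
    other = flow["to_client" if rule["direction"] == "to_server" else "to_server"]
    return [p for p in failing_patterns(rule, flow) if p.lower() in other.lower()]


# The rule as posted (to_server, uricontent for the method, a reply-only header).
AS_POSTED = {"direction": "to_server", "matches": [
    ("uricontent", b"POST /", {"nocase": True}),
    ("content", b"e_g_StatisticsUploadDelay", {"nocase": True}),
    ("content", b"g_AffiliateID", {"nocase": True}),
    ("content", b"virtumonde.com", {"nocase": True}),
]}
# Same intent, built only from strings the client actually sends.
CORRECTED = {"direction": "to_server", "matches": [
    ("content", b"POST / ", {"depth": 7}),
    ("content", b"g_AffiliateID:", {"nocase": True}),
    ("content", b"g_ClientGUID:", {"nocase": True}),
    ("content", b"Host: virtumonde.com", {"nocase": True}),
]}
# Update fetch: filename-based (brittle) versus host-plus-.exe (survives a rename).
UPDATE_BY_FILENAME = {"direction": "to_server", "matches": [
    ("uricontent", b"/siae3123.exe", {"nocase": True}),
]}
UPDATE_BY_HOST = {"direction": "to_server", "matches": [
    ("content", b"GET /", {"depth": 5}),
    ("content", b".exe HTTP/1.", {"nocase": True}),
    ("content", b"Host: updates.virtumonde.com", {"nocase": True}),
]}

if __name__ == "__main__":
    for name, rule, flow in [("as posted", AS_POSTED, STATS_FLOW),
                             ("corrected", CORRECTED, STATS_FLOW),
                             ("update by filename, renamed", UPDATE_BY_FILENAME, RENAMED_FLOW),
                             ("update by host, renamed", UPDATE_BY_HOST, RENAMED_FLOW)]:
        print(f"{name}: fires={rule_fires(rule, flow)} misses={failing_patterns(rule, flow)}")
```

Run stand-alone it prints, for each rule, whether it fires and which content matches missed. The as-posted rule misses on two counts: the method is outside the uricontent buffer, and e_g_StatisticsUploadDelay only ever travels server-to-client, which seen_only_in_reply() flags. The matcher is a model of Snort's semantics, not Snort itself, so confirm any final rule against a pcap of the real exchange.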



