[Snort-sigs] FP on "BOTNET-CNC Trojan.Ransom variant outbound connection"

Jason Haar Jason_Haar at ...3686...
Sun May 27 00:39:37 EDT 2012


We had a hit on this - but I don't think it's real? It was a POST (via
our proxy) to pnrws.skype.com that had a Referer of
"res://ieframe.dll/tabswelcome.htm". The User-Agent was "Internet
Explorer" - which means it wasn't - so I'm guessing this was triggered
by some Skype installer script using a fake User-Agent for whatever reason?

I can get you the PCAP if you want, but the text is

000 : 50 4F 53 54 20 68 74 74 70 3A 2F 2F 70 6E 72 77   POST http://pnrw
010 : 73 2E 73 6B 79 70 65 2E 63 6F 6D 2F 61 70 69 2F   s.skype.com/api/
020 : 76 31 2E 30 2F 70 6E 72 3F 6C 61 6E 67 75 61 67   v1.0/pnr?languag
030 : 65 3D 45 4E 26 70 6C 75 67 69 6E 3D 49 45 54 42   e=EN&plugin=IETB
040 : 2F 35 2E 33 2E 30 2E 37 35 35 30 20 48 54 54 50   /5.3.0.7550 HTTP
050 : 2F 31 2E 31 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79   /1.1..Content-Ty
060 : 70 65 3A 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F   pe: application/
070 : 78 2D 77 77 77 2D 66 6F 72 6D 2D 75 72 6C 65 6E   x-www-form-urlen
080 : 63 6F 64 65 64 0D 0A 52 65 66 65 72 65 72 3A 20   coded..Referer:
090 : 72 65 73 3A 2F 2F 69 65 66 72 61 6D 65 2E 64 6C   res://ieframe.dl
0a0 : 6C 2F 74 61 62 73 77 65 6C 63 6F 6D 65 2E 68 74   l/tabswelcome.ht
0b0 : 6D 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 49   m..User-Agent: I
0c0 : 6E 74 65 72 6E 65 74 20 45 78 70 6C 6F 72 65 72   nternet Explorer
0d0 : 0D 0A 48 6F 73 74 3A 20 70 6E 72 77 73 2E 73 6B   ..Host: pnrws.sk
0e0 : 79 70 65 2E 63 6F 6D 0D 0A 43 6F 6E 74 65 6E 74   ype.com..Content
0f0 : 2D 4C 65 6E 67 74 68 3A 20 31 33 0D 0A 50 72 61   -Length: 13..Pra
100 : 67 6D 61 3A 20 6E 6F 2D 63 61 63 68 65 0D 0A 0D   gma: no-cache...
110 : 0A 71 3D 31 39 33 37 32 34 35 35 33 38 35         .q=19372455385

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
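Added example, not part of the original message and not code from the Snort project, Skype or the poster: a small Python triage helper that decodes the hex dump above back into the raw request, parses it, and runs two predicates over it. The real rule text is not on this page, so the detection predicate (a User-Agent that names Internet Explorer without the "Mozilla/" prefix that every shipping IE build sends) is an assumed stand-in for whatever the BOTNET-CNC rule actually matches; the allow-list of skype.com hosts, the HEXDUMP constant and all function names are constructed for the example.

```python
"""Triage helper for the false-positive report above (added example).

Decodes the hex dump exactly as pasted, rebuilds the HTTP request and applies
an ASSUMED stand-in for the rule's detection logic plus an ASSUMED local
allow-list, so the verdict can be reproduced and argued about without the PCAP.
"""
import re

# Constructed copy of the hex dump posted in the message (offset : hex   ascii).
HEXDUMP = """\
000 : 50 4F 53 54 20 68 74 74 70 3A 2F 2F 70 6E 72 77   POST http://pnrw
010 : 73 2E 73 6B 79 70 65 2E 63 6F 6D 2F 61 70 69 2F   s.skype.com/api/
020 : 76 31 2E 30 2F 70 6E 72 3F 6C 61 6E 67 75 61 67   v1.0/pnr?languag
030 : 65 3D 45 4E 26 70 6C 75 67 69 6E 3D 49 45 54 42   e=EN&plugin=IETB
040 : 2F 35 2E 33 2E 30 2E 37 35 35 30 20 48 54 54 50   /5.3.0.7550 HTTP
050 : 2F 31 2E 31 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79   /1.1..Content-Ty
060 : 70 65 3A 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F   pe: application/
070 : 78 2D 77 77 77 2D 66 6F 72 6D 2D 75 72 6C 65 6E   x-www-form-urlen
080 : 63 6F 64 65 64 0D 0A 52 65 66 65 72 65 72 3A 20   coded..Referer:
090 : 72 65 73 3A 2F 2F 69 65 66 72 61 6D 65 2E 64 6C   res://ieframe.dl
0a0 : 6C 2F 74 61 62 73 77 65 6C 63 6F 6D 65 2E 68 74   l/tabswelcome.ht
0b0 : 6D 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 49   m..User-Agent: I
0c0 : 6E 74 65 72 6E 65 74 20 45 78 70 6C 6F 72 65 72   nternet Explorer
0d0 : 0D 0A 48 6F 73 74 3A 20 70 6E 72 77 73 2E 73 6B   ..Host: pnrws.sk
0e0 : 79 70 65 2E 63 6F 6D 0D 0A 43 6F 6E 74 65 6E 74   ype.com..Content
0f0 : 2D 4C 65 6E 67 74 68 3A 20 31 33 0D 0A 50 72 61   -Length: 13..Pra
100 : 67 6D 61 3A 20 6E 6F 2D 63 61 63 68 65 0D 0A 0D   gma: no-cache...
110 : 0A 71 3D 31 39 33 37 32 34 35 35 33 38 35         .q=19372455385
"""

# One dump row: offset, colon, then a run of two-digit hex tokens. The match
# stops at the multi-space gap before the ASCII gutter, so the gutter is ignored.
_DUMP_LINE = re.compile(r"^\s*[0-9A-Fa-f]+\s*:\s*((?:[0-9A-Fa-f]{2} )*[0-9A-Fa-f]{2})")

# ASSUMED local allow-list. Suffixes start with a dot so "notskype.com" fails.
ALLOWED_HOST_SUFFIXES = (".skype.com",)


def decode_hexdump(dump: str) -> bytes:
    """Rebuild raw bytes from 'offset : XX XX ...   ascii' rows; skip other lines."""
    out = bytearray()
    for line in dump.splitlines():
        m = _DUMP_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1))  # fromhex ignores the spaces
    return bytes(out)


def parse_http_request(raw: bytes) -> tuple[str, str, dict[str, str], bytes]:
    """Split a raw HTTP/1.x request into (method, target, headers, body).

    Header names are lower-cased so lookups are case-insensitive, as in HTTP.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers CRLFCRLF in request")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for field in lines[1:]:
        name, _, value = field.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def looks_like_fake_ie(headers: dict[str, str]) -> bool:
    """ASSUMED stand-in for the rule: a User-Agent naming Internet Explorer
    without the 'Mozilla/' prefix that every real IE build sends."""
    ua = headers.get("user-agent", "")
    return "explorer" in ua.lower() and not ua.startswith("Mozilla/")


def is_allowlisted(target: str, headers: dict[str, str]) -> bool:
    """Suppression candidate. The request went through a proxy, so the request
    line carries an absolute URI; its host and the Host header must agree and
    end in an allow-listed suffix. Requiring both stops a request that says
    skype.com in one place and something else in the other from riding the
    exception."""
    host = headers.get("host", "").lower()
    m = re.match(r"^https?://([^/:?#]+)", target, re.IGNORECASE)
    uri_host = m.group(1).lower() if m else ""
    return host == uri_host and any(
        host == s.lstrip(".") or host.endswith(s) for s in ALLOWED_HOST_SUFFIXES
    )


def triage(raw: bytes) -> dict[str, object]:
    """Run both predicates and return the fields an analyst would look at."""
    method, target, headers, body = parse_http_request(raw)
    fires = looks_like_fake_ie(headers)
    allowed = is_allowlisted(target, headers)
    verdict = "likely-fp" if fires and allowed else "alert" if fires else "clean"
    return {
        "method": method,
        "host": headers.get("host"),
        "user_agent": headers.get("user-agent"),
        "referer": headers.get("referer"),
        "body_len_ok": headers.get("content-length") == str(len(body)),
        "detection_fires": fires,
        "allowlisted": allowed,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, val in triage(decode_hexdump(HEXDUMP)).items():
        print(f"{key:>16}: {val}")
```

Running it reproduces the reported hit from the pasted text alone: the request is 286 bytes, Content-Length 13 matches the body "q=19372455385", the bare User-Agent trips the assumed predicate, and both the absolute-URI host and the Host header end in .skype.com, so the verdict is "likely-fp". The same code returns "alert" for a constructed request where the two hosts disagree, which is the check worth carrying into whatever suppression is eventually written for this signature.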