[Snort-sigs] Question on 26287

Joel Esler jesler at ...435...
Tue Apr 2 18:47:01 EDT 2013


On Apr 2, 2013, at 4:16 PM, James Lay <jlay at ...3266...> wrote:

> Hey all.
> 
> Here's the rule:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
> Ortega Rootkit outbound connection - search.namequery.com"; 
> flow:to_server,established; content:" search.namequery.com|0D 0A|"; 
> fast_pattern:only; http_header; content:"|0D 0A|TagId: "; depth:9; 
> offset:15; metadata:impact_flag red, policy balanced-ips drop, policy 
> security-ips drop, ruleset community, service http; 
> reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; 
> classtype:trojan-activity; sid:26287; rev:1;)
> 
> Any additional info on this?  You didn't hear this from me, but this 
> fires on Fujitsu Q550 running Windows 7 Professional x86 out of the box 
> :)


Here is that rule now (It hasn't been shipped yet)

# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com"; flow:to_server,established; content:"Host|3A| search.namequery.com|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.absolute.com/en/products/absolute-computrace; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:trojan-activity; sid:26287; rev:3;)

This is computrace's "laptop lo-jack" software.  I've moved it from MALWARE-CNC to APP-DETECT, changed the message and took it out of the balanced policy.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20130402/0b0124cf/attachment.html>


More information about the Snort-sigs mailing list