[Snort-sigs] Question on 26287

James Lay jlay at ...3266...
Tue Apr 2 19:23:40 EDT 2013


On Apr 2, 2013, at 4:47 PM, Joel Esler <jesler at ...435...> wrote:

> On Apr 2, 2013, at 4:16 PM, James Lay <jlay at ...3266...> wrote:
> 
>> Hey all.
>> 
>> Here's the rule:
>> 
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
>> Ortega Rootkit outbound connection - search.namequery.com"; 
>> flow:to_server,established; content:" search.namequery.com|0D 0A|"; 
>> fast_pattern:only; http_header; content:"|0D 0A|TagId: "; depth:9; 
>> offset:15; metadata:impact_flag red, policy balanced-ips drop, policy 
>> security-ips drop, ruleset community, service http; 
>> reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; 
>> classtype:trojan-activity; sid:26287; rev:1;)
>> 
>> Any additional info on this?  You didn't hear this from me, but this 
>> fires on Fujitsu Q550 running Windows 7 Professional x86 out of the box 
>> :)
> 
> 
> Here is that rule now (It hasn't been shipped yet)
> 
> # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com"; flow:to_server,established; content:"Host|3A| search.namequery.com|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.absolute.com/en/products/absolute-computrace; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:trojan-activity; sid:26287; rev:3;)
> 
> This is computrace's "laptop lo-jack" software.  I've moved it from MALWARE-CNC to APP-DETECT, changed the message and took it out of the balanced policy.
> 
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire


Awesome…thanks Joel.

James
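To see concretely what changed between rev:1 and rev:3 of sid 26287, here is a small Python evaluator, added as an example and not part of this thread or of any Sourcefire/VRT tooling. It converts Snort `content` strings (with `|hex|` escapes) to bytes, pulls out each content with its `http_header`, `offset` and `depth` modifiers, and tests both rule revisions against constructed HTTP requests (the `TagId` value is a placeholder, not a real Computrace identifier). Options such as `flow` and `fast_pattern` are ignored, and the `http_header` buffer is approximated as everything after the request line, so this is a teaching model of the matching logic rather than a reimplementation of Snort's detection engine.

```python
# Added example: simplified evaluation of the content options of sid 26287
# rev:1 vs rev:3 (rule text copied from the thread). Not Snort code.

# rev:1 as posted by James (content/offset/depth/http_header as written).
RULE_REV1 = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC '
    'Ortega Rootkit outbound connection - search.namequery.com"; '
    'flow:to_server,established; content:" search.namequery.com|0D 0A|"; '
    'fast_pattern:only; http_header; content:"|0D 0A|TagId: "; depth:9; '
    'offset:15; classtype:trojan-activity; sid:26287; rev:1;)'
)

# rev:3 as posted by Joel (leading "# " comment marker removed).
RULE_REV3 = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT '
    'Absolute Software Computrace outbound connection - search.namequery.com"; '
    'flow:to_server,established; content:"Host|3A| search.namequery.com|0D 0A|"; '
    'fast_pattern:only; http_header; content:"TagId: "; http_header; '
    'classtype:trojan-activity; sid:26287; rev:3;)'
)

# Constructed sample requests (TagId value is a placeholder, not real data).
REQ_TAGID_FIRST = (b"GET /x HTTP/1.1\r\n"
                   b"TagId: EXAMPLE-TAG\r\n"
                   b"Host: search.namequery.com\r\n\r\n")
REQ_HOST_FIRST = (b"GET /x HTTP/1.1\r\n"
                  b"Host: search.namequery.com\r\n"
                  b"TagId: EXAMPLE-TAG\r\n\r\n")
REQ_BENIGN = (b"GET /x HTTP/1.1\r\n"
              b"Host: www.example.com\r\n\r\n")


def snort_content_to_bytes(content: str) -> bytes:
    """Turn a Snort content string such as 'Host|3A| x|0D 0A|' into bytes.
    Text between pipe pairs is a space-separated list of hex bytes.
    (Escaped pipes, \\|, are not handled; these rules do not use them.)"""
    out = bytearray()
    for i, chunk in enumerate(content.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")
        else:
            out += bytes(int(h, 16) for h in chunk.split())
    return bytes(out)


def split_options(body: str) -> list:
    """Split the rule body on ';' while ignoring semicolons inside quotes."""
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        opts.append("".join(cur).strip())
    return opts


def parse_content_options(rule: str) -> list:
    """Return each content with the modifiers this example understands
    (http_header, offset, depth); modifiers attach to the preceding content."""
    contents = []
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    for opt in split_options(body):
        name, _, value = opt.partition(":")
        name = name.strip()
        if name == "content":
            contents.append({"pattern": snort_content_to_bytes(value.strip().strip('"')),
                             "http_header": False, "offset": 0, "depth": None})
        elif contents and name == "http_header":
            contents[-1]["http_header"] = True
        elif contents and name in ("offset", "depth"):
            contents[-1][name] = int(value)
    return contents


def http_header_buffer(request: bytes) -> bytes:
    """Approximation of Snort's http_header buffer: the header block after
    the request line, through the blank line that terminates the headers."""
    end = request.find(b"\r\n\r\n")
    headers_end = len(request) if end < 0 else end + 4
    return request[request.find(b"\r\n") + 2:headers_end]


def rule_matches(rule: str, request: bytes) -> bool:
    """True if every content option is found in its buffer (header buffer
    for http_header contents, raw payload otherwise), honouring offset and
    depth: the pattern must lie entirely within [offset, offset + depth)."""
    header_buf = http_header_buffer(request)
    for c in parse_content_options(rule):
        buf = header_buf if c["http_header"] else request
        start = c["offset"]
        end = len(buf) if c["depth"] is None else start + c["depth"]
        if buf.find(c["pattern"], start, end) == -1:
            return False
    return True


if __name__ == "__main__":
    for name, req in (("TagId first", REQ_TAGID_FIRST),
                      ("Host first", REQ_HOST_FIRST),
                      ("benign host", REQ_BENIGN)):
        print(f"{name:12s} rev1={rule_matches(RULE_REV1, req)!s:5s} "
              f"rev3={rule_matches(RULE_REV3, req)}")
```

Running it shows the practical effect of the rewrite: rev:1's second content is pinned to raw-payload offset 15 with a depth equal to the pattern length, so it only fires when `TagId:` is the very first header after a 15-byte request line; rev:3 searches both contents anywhere in the header buffer, so header order no longer matters, and the explicit `Host|3A|` prefix means a bare substring of some other header no longer satisfies the first content. Neither revision matches the benign request.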