[Snort-sigs] Request assistance regarding VRT sig 1:27962 (MALWARE-CNC Win.Trojan.Storm botnet connection reset)

Joel Esler jesler at ...435...
Mon Oct 7 14:53:29 EDT 2013


On Oct 7, 2013, at 9:19 AM, nicenate at ...3844... wrote:
> Reply by Nathan to both Jeff and Joel:
> 
> Joel, thanks so much for sharing VRT information, as "you all" are the best source for these things. Much appreciated, both the work on the rule sets, taking the time to share information publicly, and most especially, in this time of transition for this once Sourcefire group, continuing your public presence. THANKS!!

Thank you.

> Been a user of Snort and VRT for over a decade and visited a few of the Sourcefire presentations at SANS.  Was glad you all did not go to Israel; but for now ... not so sure....
> 
> Certainly hope that the work with Cisco proves valuable, useful and also specially that the work with snort and the excellent VRT rule sets is able to continue to "everyone's" mutual ... success!!!

More information will be coming very soon.  We are excited about the future and the things that are going to come out of the acquisition.  As I said, more information will be coming very soon.

> About this issue:  This rule alert is firing and we cannot figure out the what, why, etc.
> 
> Joel:  If I understand your comment correctly this rule is considered "still current" and also that your group believes this is at least often if not always the result of 'malware communications' because of current sandbox activity, correct?  

Correct.  A piece of malware, specifically this one:
https://www.virustotal.com/en/file/D80754043A7A5C10D1B425403BAFCBDFCB014112F638635F4D3036444FFBB3A5/analysis/

Came through our sandbox and exhibited these characteristics.  We did not have coverage for this vector, so coverage was provided.  So, yes, it’s a new rule.

> <snip>

> We have not seen on the I any new information about what is causing the RST ACKs with this unusual and unique "reset cause" phrase.  No attempt to hide here....
> 
> Can you share what this communication may be the result of?

See above.

> Is it still thought of as part of the 'old' Storm P2P communications which "is still active"?
> 
> Part of a newer P2P botnet?
> 
> Or is this part of newer bot/trojan code?

Investigation is always ongoing!


--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
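The question in this thread turns on TCP RST/ACK segments that carry a payload (a "reset cause" phrase), which is what the rule keys on. RFC 1122 permits a RST segment to carry text explaining the reset, so a legitimate stack may do this too; what makes it worth a look is a distinctive phrase seen from sandboxed malware. The rule body and the exact phrase are not on this page, so the following is an added example, not VRT's rule or any code from the thread: a minimal IPv4/TCP parser that flags RST-flagged segments with a non-empty payload and reports the text, the kind of triage check an analyst might run over packets captured around an alert. The packets and the reset-cause string are constructed for the example; checksums are left at zero and are not verified.

```python
import struct

# TCP flag bits (low 9 bits of the data-offset/flags word)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def flag_names(flags: int) -> str:
    """Render the TCP flag bits as 'RST|ACK' style text for reporting."""
    names = [name for bit, name in ((FIN, "FIN"), (SYN, "SYN"), (RST, "RST"),
                                    (PSH, "PSH"), (ACK, "ACK")) if flags & bit]
    return "|".join(names) or "-"


def parse_ipv4_tcp(packet: bytes) -> dict:
    """Parse an IPv4 packet carrying TCP; return addresses, ports, flags and payload."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4                      # IPv4 header length in bytes
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6:                              # protocol 6 = TCP
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    tcp = packet[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4                # TCP header length in bytes
    flags = off_flags & 0x01FF
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "seq": seq, "ack": ack, "flags": flags, "payload": tcp[data_off:]}


def find_reset_with_payload(packets) -> list:
    """Return one record per RST-flagged segment that carries payload bytes."""
    hits = []
    for pkt in packets:
        seg = parse_ipv4_tcp(pkt)
        if seg["flags"] & RST and seg["payload"]:
            hits.append({"src": seg["src"], "dst": seg["dst"],
                         "sport": seg["sport"], "dport": seg["dport"],
                         "flags": flag_names(seg["flags"]),
                         "reset_cause": seg["payload"].decode("ascii", errors="replace")})
    return hits


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b"") -> bytes:
    """Construct a minimal IPv4+TCP packet for offline testing (checksums left zero)."""
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 1000, 2000,
                          (5 << 12) | flags, 8192, 0, 0)
    total = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return ip_hdr + tcp_hdr + payload


# Constructed sample traffic (documentation-range addresses, made-up reset text):
# a SYN, a bare RST|ACK, a RST|ACK carrying a reset-cause string, and ordinary data.
SAMPLE_PACKETS = [
    build_ipv4_tcp("192.0.2.10", "198.51.100.5", 40000, 80, SYN),
    build_ipv4_tcp("198.51.100.5", "192.0.2.10", 80, 40000, RST | ACK),
    build_ipv4_tcp("198.51.100.5", "192.0.2.10", 80, 40000, RST | ACK,
                   b"constructed reset cause text"),
    build_ipv4_tcp("192.0.2.10", "198.51.100.5", 40000, 80, PSH | ACK,
                   b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for hit in find_reset_with_payload(SAMPLE_PACKETS):
        print(hit)
```

Only the RST|ACK segment that carries bytes after the TCP header is reported; a bare RST|ACK and normal data segments are not. When triaging a real alert, the reported string is what you compare against the phrase the rule matches, and the source address tells you which side of the connection is emitting it.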