[Snort-sigs] Doing the KanKan

James Lay jlay at ...3266...
Fri Oct 11 18:43:56 EDT 2013


Looks like it's gone down in usage, but didn't see anything in the 
current rulesets:

alert udp any any -> any 53 (msg:"MALWARE-OTHER Win32.KanKan stat server DNS lookup"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|kkyouxi|04|stat|06|kankan|03|com"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service dns, ruleset community; reference:url,www.welivesecurity.com/2013/10/11/win32kankan-chinese-drama; classtype:trojan-activity; sid:10000102; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win32.KanKan officeaddinupdate download"; flow:to_server,established; content:"|2f|officeaddinupdate.xml"; http_uri; fast_pattern:only; content:"Host:|20|update.kklm.n0808.com"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http, ruleset community; reference:url,www.welivesecurity.com/2013/10/11/win32kankan-chinese-drama; classtype:trojan-activity; sid:10000103; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win32.KanKan tools.ini download"; flow:to_server,established; content:"|2f|tools.ini"; http_uri; fast_pattern:only; content:"Host:|20|conf.kklm.n0808.com"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http, ruleset community; reference:url,www.welivesecurity.com/2013/10/11/win32kankan-chinese-drama; classtype:trojan-activity; sid:10000104; rev:1;)

From the link:  "In this case the installer begins by contacting the 
hard-coded domain kkyouxi.stat.kankan.com to report the initiation of 
the installation." which doesn't tell me exactly how, or what URI so I 
DNS'd it instead.  Betting these won't be useful for long, but maybe it 
will help someone.

James
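The following is an added example, not part of James's post, that shows what the byte patterns in the three rules actually match. It renders a hostname into the DNS label form the first rule's second content uses (the `|07|kkyouxi|04|stat|06|kankan|03|com` string), and it emulates the rules' content checks against constructed DNS and HTTP messages so the header bytes `|01 00 00 01 00 00 00 00 00 00|` at offset 2 can be seen to select a standard query with one question and nothing else, which is why a DNS response for the same name does not fire. The emulation is a plain-Python approximation of Snort's content matching (no HTTP normalization, no flow tracking); the sample messages and the function names are constructed for this example.

```python
import struct

# The ten bytes the first rule anchors at offset 2, depth 10: flags 0x0100
# (standard query, recursion desired), QDCOUNT 1, ANCOUNT 0, NSCOUNT 0, ARCOUNT 0.
STANDARD_QUERY_HEADER = bytes.fromhex("01000001000000000000")


def dns_label_content(hostname: str) -> str:
    """Render a hostname as a Snort content string in DNS wire (label) form,
    e.g. "kkyouxi.stat.kankan.com" -> "|07|kkyouxi|04|stat|06|kankan|03|com"."""
    parts = []
    for label in hostname.strip(".").split("."):
        if not 0 < len(label) <= 63:
            raise ValueError(f"invalid DNS label: {label!r}")
        parts.append(f"|{len(label):02x}|{label}")
    return "".join(parts)


def encode_qname(hostname: str) -> bytes:
    """Wire-encode a hostname as length-prefixed labels plus the root terminator."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in hostname.strip(".").split("."))
    return out + b"\x00"


def build_dns_message(hostname: str, flags: int = 0x0100, qdcount: int = 1,
                      ancount: int = 0, txid: int = 0x1234) -> bytes:
    """Constructed sample DNS message: header, one A/IN question, no answer RDATA.
    Default flags/counts produce a standard query; flags=0x8180 mimics a response."""
    header = struct.pack("!HHHHHH", txid, flags, qdcount, ancount, 0, 0)
    return header + encode_qname(hostname) + struct.pack("!HH", 1, 1)


def matches_stat_server_rule(payload: bytes,
                             hostname: str = "kkyouxi.stat.kankan.com") -> bool:
    """Emulate the two content checks of sid:10000102.
    Check 1 (offset:2; depth:10): bytes 2..11 must be the standard-query header.
    Check 2: the label-encoded name must appear anywhere in the payload. The rule
    omits the trailing |00|, so a longer name that merely starts with these labels
    would also match; appending b"\\x00" here would tighten it to an exact name."""
    if payload[2:12] != STANDARD_QUERY_HEADER:
        return False
    return encode_qname(hostname)[:-1] in payload


def matches_http_rule(request: bytes, uri_content: bytes, host_header: bytes) -> bool:
    """Emulate sid:10000103 / sid:10000104: the http_uri content must occur in the
    request-target and the Host line must occur in the header block."""
    head, _, _ = request.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return False
    return uri_content in parts[1] and host_header in headers


# Constructed sample HTTP request shaped like the one the second rule describes.
SAMPLE_REQUEST = (b"GET /officeaddinupdate.xml HTTP/1.1\r\n"
                  b"Host: update.kklm.n0808.com\r\n"
                  b"User-Agent: constructed-sample\r\n\r\n")


if __name__ == "__main__":
    print(dns_label_content("kkyouxi.stat.kankan.com"))
    print("query  :", matches_stat_server_rule(build_dns_message("kkyouxi.stat.kankan.com")))
    print("reply  :", matches_stat_server_rule(build_dns_message("kkyouxi.stat.kankan.com",
                                                                  flags=0x8180, ancount=1)))
    print("other  :", matches_stat_server_rule(build_dns_message("www.example.com")))
    print("http   :", matches_http_rule(SAMPLE_REQUEST, b"/officeaddinupdate.xml",
                                        b"Host: update.kklm.n0808.com"))
```

`dns_label_content` is the handy part for writing further DNS-name rules of this shape: feed it any hostname from a report and paste the result into a `content:` option.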