[Snort-sigs] Doing the KanKan

Joel Esler jesler at ...435...
Fri Oct 11 19:34:49 EDT 2013


Thanks James. I sent this over to Carlos on our team to take a look. 


--
Joel Esler
Sent from my iPad

> On Oct 11, 2013, at 6:43 PM, James Lay <jlay at ...3266...> wrote:
> 
> Looks like it's gone down in usage, but didn't see anything in the 
> current rulesets:
> 
> alert udp any any -> any 53 (msg:"MALWARE-OTHER Win32.KanKan stat 
> server DNS lookup"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 
> 00|"; depth:10; offset:2; 
> content:"|07|kkyouxi|04|stat|06|kankan|03|com"; fast_pattern:only; 
> metadata:policy balanced-ips drop, policy security-ips drop, service 
> dns, ruleset community; 
> reference:url,www.welivesecurity.com/2013/10/11/win32kankan-chinese-drama; 
> classtype:trojan-activity; sid:10000102; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
> (msg:"MALWARE-OTHER Win32.KanKan officeaddinupdate download"; 
> flow:to_server,established; content:"|2f|officeaddinupdate.xml"; 
> http_uri; fast_pattern:only; content:"Host:|20|update.kklm.n0808.com"; 
> http_header; metadata:policy balanced-ips drop, policy security-ips 
> drop, service http, ruleset community; 
> reference:url,www.welivesecurity.com/2013/10/11/win32kankan-chinese-drama; 
> classtype:trojan-activity; sid:10000103; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
> (msg:"MALWARE-OTHER Win32.KanKan tools.ini download"; 
> flow:to_server,established; content:"|2f|tools.ini"; http_uri; 
> fast_pattern:only; content:"Host:|20|conf.kklm.n0808.com"; http_header; 
> metadata:policy balanced-ips drop, policy security-ips drop, service 
> http, ruleset community; 
> reference:url,www.welivesecurity.com/2013/10/11/win32kankan-chinese-drama; 
> classtype:trojan-activity; sid:10000104; rev:1;)
> 
> From the link:  "In this case the installer begins by contacting the 
> hard-coded domain kkyouxi.stat.kankan.com to report the initiation of 
> the installation." which doesn't tell me exactly how, or what URI so I 
> DNS'd it instead.  Betting these won't be useful for long, but maybe it 
> will help someone.
> 
> James
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> 
> 
> Please visit http://blog.snort.org for the latest news about Snort!
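The DNS rule above matches the hard-coded domain in its wire form (each label prefixed by a length byte) after a fixed 10-byte header match at offset 2. The following is an added example, not code from this thread, that builds that content string from a domain name and replays the rule's two content checks against a constructed query packet; the sample packets and function names are my own.

```python
"""Added example, not code from the thread: build the wire-format DNS name
that James Lay's stat-server rule matches, and replay the rule's two content
checks against a constructed query packet."""
import struct

# First content of the rule: flags 0x0100 (RD), QDCOUNT 1, AN/NS/AR 0,
# matched with offset:2 depth:10, i.e. payload bytes 2..12 exactly.
HEADER_MATCH = bytes.fromhex("01000001000000000000")


def wire_qname(domain: str) -> bytes:
    """Encode a domain as DNS labels, each prefixed by its length byte."""
    labels = domain.strip(".").split(".")
    for label in labels:
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label length: {label!r}")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels)


def snort_dns_name_content(domain: str) -> str:
    """Render the same bytes as a Snort content string, e.g.
    'kkyouxi.stat.kankan.com' -> '|07|kkyouxi|04|stat|06|kankan|03|com'."""
    return "".join(f"|{len(lb):02x}|{lb}" for lb in domain.strip(".").split("."))


def build_dns_query(domain: str, edns: bool = False, txid: int = 0x1234) -> bytes:
    """Constructed sample packet: a recursive A query as a stub resolver sends it.
    With edns=True an OPT pseudo-record is appended, so ARCOUNT becomes 1."""
    arcount = 1 if edns else 0
    pkt = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    pkt += wire_qname(domain) + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN
    if edns:
        # root name, TYPE OPT (41), UDP payload size 4096, TTL 0, RDLENGTH 0
        pkt += b"\x00" + struct.pack(">HHIH", 41, 4096, 0, 0)
    return pkt


def rule_matches(payload: bytes, domain: str = "kkyouxi.stat.kankan.com") -> bool:
    """Apply the rule's content checks in order: the fixed header bytes at
    offset 2 / depth 10, then the length-prefixed QNAME anywhere in the payload."""
    if payload[2:12] != HEADER_MATCH:
        return False
    return wire_qname(domain) in payload
```

A query carrying an EDNS0 OPT record has ARCOUNT set to 1, so the header content no longer matches and the rule misses it; the QNAME content on its own is the more durable match, with the header bytes serving only to cut down on false positives.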