[Snort-sigs] no documentation about some rules

Joel Esler (jesler) jesler at ...3865...
Fri Aug 29 08:43:03 EDT 2014

On Aug 29, 2014, at 5:21 AM, Maurizio Di Pietro (Esterna) <m.dipietro at ...3945...44...> wrote:
> I looking for on virustotal also,  for example the event 23493 (Win.trojan.zeroAccess) but I’d like understand why the rule searches the 4 bytes (28,94,8d,ab) from fifth to eighth byte
> I didn’t understand the rule. Does the malware contact the C&C by UDP on port 16464 and send these bytes?

Yes.  16464 is just one of the four ports that Zeroaccess communicates with it’s P2P network on:

> Why?

It’s an XOR’ed “getL” command, the command to update it’s internal P2P list.  The value is static.

> What does it work? This is very important to understand if is a false positive

We’ve never seen a false positive from Zeroaccess rules.  If you have a machine in HOME_NET that is exhibiting this traffic, you’re infected.

Joel Esler
Open Source Manager
Threat Intelligence Team Lead

More information about the Snort-sigs mailing list