[Snort-sigs] no documentation about some rules
Joel Esler (jesler)
jesler at ...3865...
Fri Aug 29 08:43:03 EDT 2014
On Aug 29, 2014, at 5:21 AM, Maurizio Di Pietro (Esterna) <m.dipietro at ...3945...44...> wrote:
> I looked on VirusTotal as well, for example for event 23493 (Win.trojan.zeroAccess), but I’d like to understand why the rule searches for the 4 bytes (28,94,8d,ab) from the fifth to the eighth byte.
> I didn’t understand the rule. Does the malware contact the C&C by UDP on port 16464 and send these bytes?
Yes. 16464 is just one of the four ports that Zeroaccess communicates with its P2P network on:
It’s an XOR’ed “getL” command, the command to update its internal P2P list. The value is static.
> How does it work? This is very important to understand whether it is a false positive.
We’ve never seen a false positive from Zeroaccess rules. If you have a machine in HOME_NET that is exhibiting this traffic, you’re infected.
Open Source Manager
Threat Intelligence Team Lead
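The check the thread describes (four fixed bytes at payload offset 4 in UDP traffic to port 16464, i.e. the XOR'ed "getL" command) as an added worked example in Python. This is not the Snort rule itself or any Talos/Sourcefire code; the signature bytes, port and offset are the ones quoted in the thread. Everything else is an assumption for illustration: the function names, the constructed sample datagrams, and the XOR key (the rolling 'ftp2' word key from published ZeroAccess analyses, not stated in the thread), which is used only to show why the matched value is static.

```python
import struct

# From the thread: the rule looks for these four bytes at payload offset 4
# (fifth to eighth byte) in UDP datagrams to port 16464.
ZA_GETL_SIGNATURE = bytes.fromhex("28948dab")
ZA_UDP_PORT = 16464
SIG_OFFSET = 4

# Assumption (not in the thread): public ZeroAccess write-ups describe the P2P
# header as 32-bit little-endian words XORed with a rolling key that starts at
# the multi-character constant 'ftp2' (0x66747032) and rotates left 1 bit per word.
ZA_XOR_SEED = 0x66747032


def rol32(x, n):
    """Rotate a 32-bit value left by n bits."""
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def za_header_keystream(nwords):
    """Key word for each of the first nwords header dwords."""
    key, out = ZA_XOR_SEED, []
    for _ in range(nwords):
        out.append(key)
        key = rol32(key, 1)
    return out


def decode_header_words(payload, nwords=2):
    """XOR the first nwords little-endian dwords of the payload with the key."""
    words = struct.unpack_from("<%dI" % nwords, payload)
    return [w ^ k for w, k in zip(words, za_header_keystream(nwords))]


def command_name(payload):
    """Recover the command word (second dword). It is stored as the
    multi-char constant 'getL', so the little-endian bytes read b'Lteg'."""
    cmd = decode_header_words(payload, 2)[1]
    return struct.pack("<I", cmd)[::-1].decode("ascii", errors="replace")


def derive_signature(command=b"getL"):
    """Why the rule's value is static: a fixed command word XORed with a
    fixed key word always yields the same four bytes on the wire."""
    cmd_word = struct.unpack("<I", command[::-1])[0]
    return struct.pack("<I", cmd_word ^ za_header_keystream(2)[1])


def matches_rule(dst_port, payload):
    """Mimic the Snort content/offset/depth check described in the thread."""
    if dst_port != ZA_UDP_PORT:
        return False
    return payload[SIG_OFFSET:SIG_OFFSET + 4] == ZA_GETL_SIGNATURE


def scan(datagrams):
    """datagrams: iterable of (src_ip, dst_port, payload); returns rule hits."""
    hits = []
    for src, dport, payload in datagrams:
        if matches_rule(dport, payload):
            hits.append((src, command_name(payload)))
    return hits


# Constructed sample traffic (not captured data). The first 4 bytes stand in
# for the encrypted CRC word; only the second word matters for the rule.
SAMPLE_DATAGRAMS = [
    ("10.0.0.7", 16464, bytes.fromhex("deadbeef28948dab0000000000000000")),  # hit
    ("10.0.0.8", 16464, bytes.fromhex("deadbeef000000000000000000000000")),  # no
    ("10.0.0.9", 53, bytes.fromhex("deadbeef28948dab0000000000000000")),     # wrong port
]

if __name__ == "__main__":
    for src, cmd in scan(SAMPLE_DATAGRAMS):
        print("ZeroAccess P2P %s from %s" % (cmd, src))
```

Running it reports the one datagram whose fifth to eighth bytes are 28 94 8d ab on port 16464 and decodes that word back to "getL"; `derive_signature()` produces the same four bytes from the command name, which is the reason the rule can match on a constant rather than a pattern.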