[Snort-sigs] ZeroAccess Supernode

Andre DiMino adimino at ...3810...
Fri May 30 11:59:31 EDT 2014


$dayjob has been receiving reports that a few of our hosts are acting as
ZeroAccess 'supernodes'.
Since we have a bunch of ZeroAccess rules enabled, I was wondering why I
didn't see them fire.

It seems that rule sid:23493; rev:5 will fire on outbound traffic
particular to this ZeroAccess incident; however, it won't fire on the
inbound traffic.

alert udp $HOME_NET any -> $EXTERNAL_NET [16464,16465,16470,16471]
(msg:"MALWARE-CNC Win.Trojan.ZeroAccess outbound communication";
flow:to_server; dsize:16; content:"|28 94 8D AB|"; depth:4; offset:4;
metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips
drop, policy security-ips drop; reference:url,
www.virustotal.com/file/50cdd9f6c5629630c8d8a3a4fe7d929d3c6463b2f9407d9a90703047e7db7ff9/analysis/;
classtype:trojan-activity; sid:23493; rev:5; )

So I tweaked the rule as follows to allow for the alerting on inbound
ZeroAccess:

alert udp $EXTERNAL_NET any -> $HOME_NET [16464,16465,16470,16471]
(msg:"ZeroAccess Supernode Inbound Traffic"; flow:to_server; dsize:16;
content:"|28 94 8D AB|"; depth:4; offset:4; metadata:impact_flag red,
policy balanced-ips drop, policy connectivity-ips drop, policy security-ips
drop; classtype:trojan-activity;)

I need to tweak thresholding a bit, but overall it has been working well in
my limited tests.
Any thoughts or comments?

-- 

Andre' M. DiMino
DeepEnd Research
http://deependresearch.org
http://sempersecurus.org

"Make sure that nobody pays back wrong for wrong, but always try to be
kind to each other and to everyone else" - 1 Thess 5:15 (NIV)
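To check the direction logic of the two rules above without a running sensor, here is an added Python example (not from the post and not Snort code): a minimal evaluator for the rule header and the dsize/content/offset/depth options, run over two constructed datagrams. It assumes $HOME_NET is 10.0.0.0/8, leaves flow:to_server out, and uses a constructed payload rather than captured ZeroAccess traffic.

```python
import ipaddress
import re
# Constructed example: assumes $HOME_NET is 10.0.0.0/8 and that depth is counted
# from offset (Snort 2 semantics); metadata/reference/classtype options omitted.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
ORIGINAL_RULE = ('alert udp $HOME_NET any -> $EXTERNAL_NET [16464,16465,16470,16471] '
                 '(msg:"MALWARE-CNC Win.Trojan.ZeroAccess outbound communication"; flow:to_server; '
                 'dsize:16; content:"|28 94 8D AB|"; depth:4; offset:4; sid:23493; rev:5;)')
INBOUND_RULE = ('alert udp $EXTERNAL_NET any -> $HOME_NET [16464,16465,16470,16471] '
                '(msg:"ZeroAccess Supernode Inbound Traffic"; flow:to_server; dsize:16; '
                'content:"|28 94 8D AB|"; depth:4; offset:4;)')
HEADER = re.compile(r'^alert udp (\S+) (\S+) -> (\S+) (\S+)\s*\((.*)\)\s*$', re.S)
def parse_rule(text):
    """Extract the header fields plus the dsize/content/offset/depth options."""
    src, sport, dst, dport, body = HEADER.match(text).groups()
    opts = {}
    for opt in body.split(";"):
        if ":" in opt:
            key, val = opt.strip().split(":", 1)
            opts[key] = val.strip().strip('"')
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "dsize": int(opts["dsize"]),
            "content": bytes.fromhex(opts["content"].strip("|").replace(" ", "")),
            "offset": int(opts.get("offset", 0)), "depth": int(opts.get("depth", 0))}

def _net_ok(spec, ip):  # $HOME_NET must contain ip; $EXTERNAL_NET must not
    return (ipaddress.ip_address(ip) in HOME_NET) == (spec == "$HOME_NET")
def _port_ok(spec, port):
    return spec == "any" or port in {int(p) for p in spec.strip("[]").split(",")}

def rule_fires(rule, pkt):
    """flow:to_server is not modelled: the sender of the datagram is taken as the initiator."""
    if not (_net_ok(rule["src"], pkt["src"]) and _port_ok(rule["sport"], pkt["sport"])
            and _net_ok(rule["dst"], pkt["dst"]) and _port_ok(rule["dport"], pkt["dport"])):
        return False
    if len(pkt["payload"]) != rule["dsize"]:
        return False
    window = pkt["payload"][rule["offset"]:rule["offset"] + rule["depth"]]
    return rule["content"] in window

# Constructed 16-byte datagram with the marker at bytes 4..7; not a real ZeroAccess message.
PAYLOAD = bytes.fromhex("01020304" "28948dab" "0000000000000000")
OUTBOUND = {"src": "10.1.2.3", "sport": 40000, "dst": "198.51.100.7", "dport": 16464, "payload": PAYLOAD}
INBOUND = {"src": "198.51.100.7", "sport": 40000, "dst": "10.1.2.3", "dport": 16464, "payload": PAYLOAD}

def evaluate():
    rules = {"sid23493": parse_rule(ORIGINAL_RULE), "inbound": parse_rule(INBOUND_RULE)}
    return {n: {"outbound": rule_fires(r, OUTBOUND), "inbound": rule_fires(r, INBOUND)}
            for n, r in rules.items()}
```

Thresholding and suppression in Snort are keyed by gen_id and sig_id, so the inbound rule needs its own sid before a threshold can be attached to it.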