[Snort-users] winhe800 trojan

Joel Esler jesler at ...1935...
Fri Aug 19 14:01:56 EDT 2011


Crusty,

This is a noisy one, so I put some thresholds in the icmp and udp based rules.

alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"BOTNET-CNC Trojan Win32.Yoddos.A outbound indicator"; itype:8; icode:0; content:"YYYYYYYYYYYYYYYYYYYYYYYYYYYY"; threshold:type both, track by_src, count 1, seconds 60; classtype:trojan-activity; reference:url,www.virustotal.com/file-scan/report.html?id=a7f97ed5c064b038279dbd02554c7e555d97f67b601b94bfc556a50a41dae137-1304614426;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"BOTNET-CNC Trojan Win32.Yoddos.A outbound connection"; dsize:210; content:"|ea ea ea ea ea ea ea ea ea ea ea ea ea ea ea ea ea ea ea|"; fast_pattern:only; threshold:type both, track by_src, count 1, seconds 60; classtype:trojan-activity; reference:url,www.virustotal.com/file-scan/report.html?id=a7f97ed5c064b038279dbd02554c7e555d97f67b601b94bfc556a50a41dae137-1304614426;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"BOTNET-CNC Trojan Win32.Yoddos.A outbound connection"; dsize:112; content:"|9c 9c 9c 9c 9c 9c 9c 9c 9c 9c 9c 9c 9c 9c 9c 9c 9c 9c 9c|"; fast_pattern:only; threshold:type both, track by_src, count 1, seconds 60; classtype:trojan-activity; reference:url,www.virustotal.com/file-scan/report.html?id=a7f97ed5c064b038279dbd02554c7e555d97f67b601b94bfc556a50a41dae137-1304614426;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain 800.sxzyong.com"; flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|800|07|sxzyong|03|com"; metadata:impact_flag red, service dns; reference:url,www.virustotal.com/file-scan/report.html?id=a7f97ed5c064b038279dbd02554c7e555d97f67b601b94bfc556a50a41dae137-1304614426; classtype:trojan-activity;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain 801.sxzyong.com"; flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|801|07|sxzyong|03|com"; metadata:impact_flag red, service dns; reference:url,www.virustotal.com/file-scan/report.html?id=a7f97ed5c064b038279dbd02554c7e555d97f67b601b94bfc556a50a41dae137-1304614426; classtype:trojan-activity;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain 802.sxzyong.com"; flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|802|07|sxzyong|03|com"; metadata:impact_flag red, service dns; reference:url,www.virustotal.com/file-scan/report.html?id=a7f97ed5c064b038279dbd02554c7e555d97f67b601b94bfc556a50a41dae137-1304614426; classtype:trojan-activity;)

We'll try and get these out in the next rule pack.

Joel
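As an added illustration (not part of Joel's message and not Snort's own engine), the Python below models what the byte_test and content options of the 800.sxzyong.com rule check on a DNS query, plus a simplified version of the threshold:type both, track by_src behaviour used in the ICMP and UDP rules. The DNS packet bytes, source addresses and timestamps are constructed sample values.

```python
import struct

# Added model of two options used in the rules above: the DNS byte_test/content
# checks of the "800.sxzyong.com" rule and "threshold:type both". It is an
# illustration only, not Snort's detection engine.
DOMAIN = "800.sxzyong.com"


def dns_labels(name: str) -> bytes:
    """Encode a hostname as DNS wire labels, e.g. |03|800|07|sxzyong|03|com."""
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))


def build_query(name: str, flags: int = 0x0100, txid: int = 0x1234) -> bytes:
    """Constructed DNS packet: 12-byte header plus one A/IN question (sample data)."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + dns_labels(name) + b"\x00" + struct.pack("!HH", 1, 1)


def byte_test_not_and(payload: bytes, mask: int, offset: int) -> bool:
    """byte_test:1,!&,<mask>,<offset>: true when no bit of mask is set in that byte."""
    return len(payload) > offset and (payload[offset] & mask) == 0


def rule_matches(payload: bytes) -> bool:
    """Byte 2 of the header holds QR|Opcode|AA|TC|RD; masks 64,32,16,8 all clear
    means opcode 0 (standard query). The rule's flow:to_server is not modelled
    here, so a response packet also passes these byte_tests."""
    opcode_is_query = all(byte_test_not_and(payload, m, 2) for m in (64, 32, 16, 8))
    return opcode_is_query and dns_labels(DOMAIN) in payload


class ThresholdBoth:
    """Simplified threshold:type both, track by_src, count N, seconds S:
    alert on the Nth event from a source within a window, then stay quiet
    until that window has elapsed."""

    def __init__(self, count: int, seconds: int):
        self.count, self.seconds = count, seconds
        self.windows = {}  # src -> (window_start, events_seen)

    def event(self, src: str, ts: float) -> bool:
        start, seen = self.windows.get(src, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, seen = ts, 0  # open a fresh window for this source
        seen += 1
        self.windows[src] = (start, seen)
        return seen == self.count
```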


On Aug 19, 2011, at 6:40 AM, Crusty Saint wrote:

> Hi,
> 
> I've just come across a machine which has been repeatedly infected with a more or less recent Trojan recognisable by the winhe800.exe filename.
> 
> Little information exists and is not 100% consistent. Evidence was deleted by an overzealous admin so I cannot simply try and build a custom rule for this.
> 
> Anyone out there having a resource or rule available for usage? I've found reference to a dropper but no useful sig in the ruleset(s). Also no useful result in threatexpert, virustotal or others.
> 
> No specific rule for winhe800.exe etc.
> 
> Resources
> 
> (only works from webcache) http://webcache.googleusercontent.com/search?q=cache:HvFwmWx3I2EJ:xml.ssdsandbox.net/view/bf7b927f7e737a49cb46c25a447fa254+winhe800+url&cd=3&hl=nl&ct=clnk&gl=nl&source=www.google.nl
> 
> http://home.mcafee.com/virusinfo/virusprofile.aspx?key=556848#none
> http://vil.nai.com/vil/content/v_472810.htm
> 
> http://download.globalhauri.com/customer/security/virus_view.html?intSeq=2251&page=14&keyfield=&key=&SelectPart=
> http://www.hauri.co.kr/customer/security/virus_view.html?intSeq=2251&page=12&keyfield=&key=&SelectPart=1
> 
> 
> Best Regards,
> 
> S.C.
> 
> -- 
> - - -
> Security Engineer - Tags: Analyst Systems Security Linux Firewall Network Web Troubleshooting - If you think I deserve a rant, write me off-list
