We're catching all sorts of interesting stuff in the sandnet these days, as you can see in the sigs going out each day. But we had a particularly interesting one today. Robert Kerr caught it using port 53 outbound to do its initial check-in via HTTP.
Rather than a specific sig for this exact URL, we've gone with some sigs for any HTTP GET or POST on port 53:
alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN HTTP GET Request on port 53 -- Very Likely Hostile"; flow:established,to_server; content:"GET "; nocase; depth:4; classtype:trojan-activity; sid:2008420; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN HTTP POST Request on port 53 -- Very Likely Hostile"; flow:established,to_server; content:"POST "; nocase; depth:5; classtype:trojan-activity; sid:2008421; rev:1;)
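As an added example (not part of the original post or ET's own rule code), the two rules' content/depth/nocase logic is reproduced in Python and run over constructed payloads, including a legitimate DNS-over-TCP query, to show what fires and what does not; all sample traffic and hostnames below are made up.

```python
"""Added example: evaluate sids 2008420/2008421 against constructed TCP payloads,
mimicking Snort's content/depth/nocase semantics (not Snort itself)."""
from dataclasses import dataclass


@dataclass
class Rule:
    sid: int
    msg: str
    dport: int
    content: bytes  # bytes the payload must contain
    depth: int      # content must lie entirely within the first `depth` payload bytes
    nocase: bool = True


# The two rules from the post, transcribed.
RULES = [
    Rule(2008420, "ET TROJAN HTTP GET Request on port 53 -- Very Likely Hostile", 53, b"GET ", 4),
    Rule(2008421, "ET TROJAN HTTP POST Request on port 53 -- Very Likely Hostile", 53, b"POST ", 5),
]


def content_matches(payload: bytes, content: bytes, depth: int, nocase: bool) -> bool:
    """Snort 'content' with 'depth': only the first `depth` bytes are searched."""
    window = payload[:depth]
    if nocase:
        window, content = window.lower(), content.lower()
    return content in window


def match_rules(dport: int, to_server: bool, payload: bytes, rules=RULES) -> list[int]:
    """Sids that fire for one client->server segment (flow:established,to_server)."""
    return [r.sid for r in rules
            if to_server and dport == r.dport
            and content_matches(payload, r.content, r.depth, r.nocase)]


# Constructed sample traffic (not captures from the post).
SAMPLES = {
    "http_get_on_53":  (53, True, b"GET /checkin.php?id=1 HTTP/1.1\r\nHost: c2.invalid\r\n\r\n"),
    "http_post_on_53": (53, True, b"post /gate HTTP/1.0\r\n\r\n"),          # lowercase: nocase still hits
    "dns_over_tcp":    (53, True, b"\x00\x1d\x12\x34\x01\x00" + b"\x00" * 23),  # 2-byte length prefix, then DNS header
    "http_get_on_80":  (80, True, b"GET / HTTP/1.1\r\n\r\n"),               # wrong port: rule does not apply
    "late_get_on_53":  (53, True, b"xxGET / HTTP/1.1"),                     # 'GET ' at offset 2 overruns depth 4
}


def scan(samples=SAMPLES) -> dict[str, list[int]]:
    """Run every sample through the rules; returns {name: [sids that fired]}."""
    return {name: match_rules(*fields) for name, fields in samples.items()}


if __name__ == "__main__":
    for name, sids in scan().items():
        print(f"{name:16s} -> {sids or 'no alert'}")
```

The DNS-over-TCP sample shows why ordinary DNS on TCP/53 is safe from these rules: its first two bytes are a message length, not an HTTP method.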
Just an interesting one. For reference, the MD5 is 0853fa768e3e9a3dff293676d68b3d1b; Kaspersky and most others call it some form of Trojan-Downloader.Win32.Agent.qpv.
Matt