Thursday, 29 May 2008
Another new one today that's interesting. The command and control channel is quite distinctive.
It starts with a heavily 0x00-padded packet carrying the username, computer name, OS type, and the number 20080101. The server never responds with data. The client then sends keepalives that are just 4-byte packets containing "test".
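As an added illustration (not code from the original post), here is a small heuristic classifier for the channel described above: a heavily NUL-padded first packet containing the marker 20080101, silence from the server, and 4-byte "test" keepalives. The field order inside the beacon, the NUL separators and the 50% padding threshold are assumptions; the post only states which fields are present.

```python
from dataclasses import dataclass

BEACON_MARKER = b"20080101"  # constant the post says appears in the first packet
KEEPALIVE = b"test"          # the 4-byte keepalive payload
MIN_NUL_RATIO = 0.5          # assumed threshold for "heavily 00 padded"


@dataclass
class Verdict:
    kind: str    # "beacon", "keepalive" or "other"
    reason: str


def nul_ratio(payload: bytes) -> float:
    """Fraction of the payload that is 0x00 bytes."""
    return payload.count(0) / len(payload) if payload else 0.0


def classify_client_packet(payload: bytes) -> Verdict:
    """Label a single client-to-server payload."""
    if payload == KEEPALIVE:
        return Verdict("keepalive", "exact 4-byte 'test' payload")
    if BEACON_MARKER in payload and nul_ratio(payload) >= MIN_NUL_RATIO:
        return Verdict("beacon", f"marker present, nul ratio {nul_ratio(payload):.2f}")
    return Verdict("other", "no match")


def flows_matching_c2(flows: dict) -> list:
    """Return flow keys whose client side is a beacon followed only by keepalives
    and whose server side never sends any data (as the post describes)."""
    hits = []
    for key, (client_pkts, server_bytes) in flows.items():
        if server_bytes:
            continue  # a server that talks back does not fit the described channel
        verdicts = [classify_client_packet(p) for p in client_pkts]
        if verdicts and verdicts[0].kind == "beacon" and all(v.kind == "keepalive" for v in verdicts[1:]):
            hits.append(key)
    return hits


def make_beacon(user: bytes, host: bytes, ostype: bytes, size: int = 256) -> bytes:
    """Constructed sample beacon: assumed NUL-separated fields, NUL-padded to `size`."""
    body = b"\x00".join([user, host, ostype, BEACON_MARKER])
    return body.ljust(size, b"\x00")


# Constructed sample flows keyed by (src, sport, dst, dport): (client payloads, server bytes).
SAMPLE_FLOWS = {
    ("10.0.0.5", 1234, "198.51.100.7", 8080): (
        [make_beacon(b"user", b"WORKSTATION1", b"WinXP"), KEEPALIVE, KEEPALIVE], b""),
    ("10.0.0.6", 4321, "198.51.100.9", 80): (
        [b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"], b"HTTP/1.1 200 OK\r\n"),
}
```

Running `flows_matching_c2(SAMPLE_FLOWS)` flags only the first flow; a real deployment would feed it reassembled TCP payloads from a capture.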
Thursday, 29 May 2008
Jeffrey Brown has put in some new signatures for a new command and control channel discovered in a sandnet sample. No name for it yet, and no AV detection at all, which is very strange as the sample was discovered and submitted to the AV community over a week ago.
The MD5 of the sample in question is 50ce9d2bf24db7cc90b7fba99c413d56, and Jeffrey has written signatures 2008245-2008247 to detect the channel.
The trojan was communicating with www dot cikcik dot com. Previously unknown as hostile.
More updates will be posted to the wiki, and we'll get a name on this thing shortly.
Matt
Last Updated ( Thursday, 10 April 2008 )
Wednesday, 09 April 2008
Some great intelligence shared. It seems that the Bobax spam has some very unique and sig'able Message-Id fields.
If you block on these you ought to reduce the load on your spam filtering systems significantly. Load ought to be manageable even though it's pcre.
In the first one Bobax uses a consistently long and structured Message-Id. It also uses a lowercase d in "Id", where the norm is all uppercase.
Here we have a predictable string in the Message-Id, and the same lowercase d. The trailing info is usually caps.
These will change over time of course, but they'll be good for a while. Please let me know how these fare! Be sure to pull sigs from the repository and not from here, as changes may not be reflected here in the future.