
List:       bleeding-sigs
Subject:    [Bleeding-sigs] Warezov Sigs
From:       Matt Jonkman <jonkman () bleedingthreats ! net>
Date:       2006-11-14 20:38:17
Message-ID: 455A2939.6050407 () bleedingthreats ! net

Playing with a few samples, saw it make a connection that doesn't seem
to be documented in other analyses of the trojan. These sigs catch it,
but I'm not sure what it is. Frankly, don't care what it is, as long as
we see it. :)

#Experimental, may only apply to a few variants, but worth testing
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"JONKMAN Warezov Challenge TEST"; flow:established,to_server; dsize:1; content:"|38|"; flowbits:noalert; flowbits:set,BEposs.warezov.challenge; classtype:not-suspicious; sid:2003175; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"JONKMAN Warezov Challenge Response TEST"; flowbits:isset,BEposs.warezov.challenge; flow:established,from_server; dsize:4; content:"|00 00 00 00|"; classtype:trojan-activity; sid:2003176; rev:1;)

Please report experience with it. And if you have any older warezov
samples, either shoot them over or test them with these running.

Matt

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc


_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
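The two rules above are a flowbits chain: the first matches a one-byte "8" (hex 38) sent client-to-server and only sets a per-flow bit (flowbits:noalert), and the second fires on a four-NUL-byte server reply only if that bit is already set on the same flow. The Python below is an added example, not code from the post or from Bleeding Edge Threats, that reproduces that stateful logic over constructed packets so the effect of the chain can be seen: a four-NUL reply with no preceding challenge, a challenge longer than one byte, and a non-zero reply all stay silent. The Packet/FlowState types, the demo flows and addresses are assumptions made for the example; $HOME_NET/$EXTERNAL_NET are reduced to packet direction and the established-session check is not modelled.

```python
from dataclasses import dataclass, field

# Bytes the two rules match on: content:"|38|" is a single ASCII "8",
# content:"|00 00 00 00|" is four NUL bytes.
CHALLENGE = b"\x38"
RESPONSE = b"\x00\x00\x00\x00"
BIT = "BEposs.warezov.challenge"

SID_CHALLENGE = 2003175
SID_RESPONSE = 2003176


@dataclass
class Packet:
    # Hypothetical minimal packet model for the example.
    flow: tuple        # (client_ip, client_port, server_ip, server_port)
    to_server: bool    # True: client->server (flow:to_server), else from_server
    payload: bytes


@dataclass
class FlowState:
    """Per-flow flowbits, as Snort keeps them in its session tracker."""
    bits: set = field(default_factory=set)


def rule_challenge(pkt: Packet, st: FlowState):
    """sid:2003175. flow:to_server; dsize:1; content:"|38|";
    flowbits:noalert; flowbits:set,BEposs.warezov.challenge."""
    if pkt.to_server and len(pkt.payload) == 1 and pkt.payload == CHALLENGE:
        st.bits.add(BIT)
    return None   # flowbits:noalert -> this rule never alerts on its own


def rule_response(pkt: Packet, st: FlowState):
    """sid:2003176. flowbits:isset,BEposs.warezov.challenge;
    flow:from_server; dsize:4; content:"|00 00 00 00|"."""
    if (BIT in st.bits and not pkt.to_server
            and len(pkt.payload) == 4 and pkt.payload == RESPONSE):
        return SID_RESPONSE
    return None


def run(packets):
    """Feed packets through both rules, keeping flowbits per flow.
    Returns the list of (sid, flow) alerts raised, in packet order."""
    flows = {}
    alerts = []
    for pkt in packets:
        st = flows.setdefault(pkt.flow, FlowState())
        for rule in (rule_challenge, rule_response):
            sid = rule(pkt, st)
            if sid is not None:
                alerts.append((sid, pkt.flow))
    return alerts


def demo():
    """Constructed packets (not real captures) covering the cases that matter."""
    infected = ("10.0.0.5", 1234, "203.0.113.9", 80)
    innocent = ("10.0.0.6", 2345, "203.0.113.9", 80)
    partial = ("10.0.0.7", 3456, "203.0.113.9", 80)
    packets = [
        # Innocent flow: a 4-NUL-byte server reply with no prior challenge.
        # Without the flowbits chain, sid 2003176 alone would fire here.
        Packet(innocent, True, b"GET / HTTP/1.0\r\n\r\n"),
        Packet(innocent, False, RESPONSE),
        # Infected flow: 1-byte "8" challenge, then 4 NUL bytes back.
        Packet(infected, True, CHALLENGE),
        Packet(infected, False, RESPONSE),
        # "8\n" fails dsize:1 and sets nothing; the real challenge then sets
        # the bit, but the server answers with non-zero bytes: no alert.
        Packet(partial, True, b"8\n"),
        Packet(partial, True, CHALLENGE),
        Packet(partial, False, b"\x00\x00\x00\x01"),
    ]
    return run(packets)


if __name__ == "__main__":
    for sid, flow in demo():
        print(f"alert sid:{sid} on flow {flow}")
```

Only the infected flow produces an alert, which is the point of gating sid 2003176 on the bit: a four-byte all-zero server payload is far too generic to alert on by itself, so the rule only fires once the one-byte challenge has been seen on the same session.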