
List:       emerging-sigs
Subject:    [Emerging-Sigs] FP in 2007591 (Win32 Agent.ALT C&C Checkin)
From:       jonkman () jonkmans ! com (Matt Jonkman)
Date:       2008-02-29 22:52:01
Message-ID: 47C88C91.9000207 () jonkmans ! com

Hi Jonathan. Appreciate the report. Responses inline:

Jonathan Scheidell wrote:
> Current content looks for "|00 01|" but reference refers to content as
> being "|00 01 e4 8a 1a|" (for the 10 byte payload).
> http://doc.emergingthreats.net/bin/view/Main/Win32AgentALT
> 
> FP we got had content of "|00 01 00 00 02 02 44 01 00 3B|" with a
> payload size of 10 bytes total.
> 
> Maybe enhance the current SID content match from "|00 01|", to "|00 01
> e4 8a 1a|", which I think is the payload for the actual virus when it
> has a 10-byte payload.

I agree here. I've compared many samples old and new and this holds
true. We can expand this sid, and I'll do so.

> 
> This would also affect the following SIDs:
> 2007588 (change "|00 02|" to "|00 02 5e 3b 5a 86 b9 05|")
> 2007589 (change "|00 03|" to "|00 03 b9 70 cb 70|")
> 2007590 (change "|00 04|" to "|00 04 0f 9a|")
> 

These unfortunately don't hold true. Past the 00 0x the rest of the
packet is not consistent. Those vary by every sample we have.

Will update, please let me know if you get more falses!

Matt

> Thoughts?
> 
> -- 
> Jon Scheidell
> SECNAP Network Security
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
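The fix discussed in this thread is a longer content match so that a benign 10-byte packet that merely starts with 00 01 no longer fires SID 2007591. The following Python is an added illustration, not code from Emerging Threats or the signature itself: it parses Snort-style content strings (pipe-delimited hex), emulates a plain substring content match with an optional dsize check (the real rule's offset/depth options are not on the page and are left out), and runs the old and proposed matches over the false-positive payload quoted above and a constructed sample that carries the 5-byte prefix. The trailing five bytes of that sample are placeholders, not observed malware bytes.

```python
import re
from typing import Dict, List, Optional

# Constructed sample data. FP_PAYLOAD is the 10-byte payload quoted in the
# false-positive report. SAMPLE_PAYLOAD is a made-up buffer that begins with
# the 5-byte prefix the report says the real checkin carries; its last five
# bytes are placeholders (assumption), not captured traffic.
FP_PAYLOAD = bytes.fromhex("00 01 00 00 02 02 44 01 00 3B")
SAMPLE_PAYLOAD = bytes.fromhex("00 01 e4 8a 1a") + b"\x00" * 5

_HEX_CHUNK = re.compile(r"\|([0-9A-Fa-f\s]*)\|")


def parse_content(spec: str) -> bytes:
    """Turn a Snort-style content string such as '|00 01|' or 'GET|20|/'
    into raw bytes: text outside pipes is literal ASCII, inside is hex."""
    out = bytearray()
    pos = 0
    for m in _HEX_CHUNK.finditer(spec):
        out += spec[pos:m.start()].encode("ascii")   # literal segment
        out += bytes.fromhex(m.group(1))              # hex segment
        pos = m.end()
    out += spec[pos:].encode("ascii")
    return bytes(out)


def content_match(payload: bytes, content: bytes,
                  dsize: Optional[int] = None) -> bool:
    """Emulate a plain 'content' option (substring search, no offset/depth)
    combined with an optional 'dsize' check. This is a simplification of
    how the real rule is written, which the page does not show."""
    if dsize is not None and len(payload) != dsize:
        return False
    return content in payload


def evaluate(payloads: Dict[str, bytes], contents: Dict[str, bytes],
             dsize: Optional[int] = 10) -> Dict[str, List[str]]:
    """Return, for each named content match, the names of payloads it hits."""
    return {
        cname: [pname for pname, p in payloads.items()
                if content_match(p, c, dsize)]
        for cname, c in contents.items()
    }


if __name__ == "__main__":
    payloads = {"fp_report": FP_PAYLOAD, "constructed_sample": SAMPLE_PAYLOAD}
    contents = {
        "old (|00 01|)": parse_content("|00 01|"),
        "proposed (|00 01 e4 8a 1a|)": parse_content("|00 01 e4 8a 1a|"),
    }
    for name, hits in evaluate(payloads, contents).items():
        print(f"{name}: {hits}")
```

The old two-byte match hits both buffers, the five-byte match hits only the constructed sample; that is the false-positive reduction Matt agrees to for 2007591. It also shows why the same trick does not transfer to 2007588-2007590: if the bytes after 00 02, 00 03 or 00 04 vary per sample, any fixed longer content would start missing real checkins.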


