
List:       emerging-sigs
Subject:    [Emerging-Sigs] Win32/Chekafe.A
From:       jaime.blasco () alienvault ! com (Jaime Blasco)
Date:       2010-07-27 10:11:23
Message-ID: AANLkTi=oN-0YxvEwQUhWzUi96AZEaUFaPLUB4Hjjv41o () mail ! gmail ! com

Hi,

Detected checkin pattern for Win32/Chekafe.A:

binary_id                        | url                                                                                                                  | domain
---------------------------------+----------------------------------------------------------------------------------------------------------------------+-----------------
89ab8a46b2ead416e42c01000576e6f6 | /admin/count.php?id=3008&isInst=1&lockcode=-9114&mac=00-00-00-00-00-00&PcType=HomePc&AvName=OtherOrNone&ProCount=24 | count.eloaz.com
6b73e1f5520ffc0cbaddde28077ec738 | /admin/count.php?id=2001&isInst=1&lockcode=2501&mac=00-00-00-00-00-00&PcType=HomePc&AvName=OtherOrNone&ProCount=24  | vip.eloaz.com
01918d16e931238aba4ae6633df8ec2e | /admin/count.php?id=113&isInst=1&lockcode=2501&mac=00-00-00-00-00-00&PcType=HomePc&AvName=OtherOrNone&ProCount=24   | vip.crwye.cn:81
8c2c05b2d78bac4e0bb33509ce47038c | /admin/count.php?id=124&isInst=1&lockcode=2501&mac=00-00-00-00-00-00&PcType=HomePc&AvName=OtherOrNone&ProCount=24   | 121.12.110.35:81
1f46e5347a2eeab77ab87b5770075964 | /admin/count.php?id=124&isInst=1&lockcode=2501&mac=00-00-00-00-00-00&PcType=HomePc&AvName=OtherOrNone&ProCount=24   | vip.kfc.ha.cn:81


Proposed sig:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Chekafe.A or Related Infection Checkin"; flow:established,to_server; uricontent:"isInst="; uricontent:"lockcode="; uricontent:"PcType="; uricontent:"AvName="; uricontent:"ProCount="; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader:Win32/Chekafe.A; sid:111111111; rev:1;)

Regards

-- 
_______________________________

Jaime Blasco

www.ossim.com
www.alienvault.com
Email: jaime.blasco at alienvault.com


