List: emerging-sigs
Subject: [Emerging-Sigs] Win32/Chekafe.A
From: jaime.blasco () alienvault ! com (Jaime Blasco)
Date: 2010-07-27 10:11:23
Message-ID: AANLkTi=oN-0YxvEwQUhWzUi96AZEaUFaPLUB4Hjjv41o () mail ! gmail ! com
Hi,
Detected checkin pattern for Win32/Chekafe.A:
+----------------------------------+---------------------------------------------------------------------------------------------------------------------+------------------+
| binary_id                        | url                                                                                                                 | domain           |
+----------------------------------+---------------------------------------------------------------------------------------------------------------------+------------------+
| 89ab8a46b2ead416e42c01000576e6f6 | /admin/count.php?id=3008&isInst=1&lockcode=-9114&mac=00-00-00-00-00-00&PcType=HomePc&AvName=OtherOrNone&ProCount=24 | count.eloaz.com  |
| 6b73e1f5520ffc0cbaddde28077ec738 | /admin/count.php?id=2001&isInst=1&lockcode=2501&mac=00-00-00-00-00-00&PcType=HomePc&AvName=OtherOrNone&ProCount=24  | vip.eloaz.com    |
| 01918d16e931238aba4ae6633df8ec2e | /admin/count.php?id=113&isInst=1&lockcode=2501&mac=00-00-00-00-00-00&PcType=HomePc&AvName=OtherOrNone&ProCount=24   | vip.crwye.cn:81  |
| 8c2c05b2d78bac4e0bb33509ce47038c | /admin/count.php?id=124&isInst=1&lockcode=2501&mac=00-00-00-00-00-00&PcType=HomePc&AvName=OtherOrNone&ProCount=24   | 121.12.110.35:81 |
| 1f46e5347a2eeab77ab87b5770075964 | /admin/count.php?id=124&isInst=1&lockcode=2501&mac=00-00-00-00-00-00&PcType=HomePc&AvName=OtherOrNone&ProCount=24   | vip.kfc.ha.cn:81 |
+----------------------------------+---------------------------------------------------------------------------------------------------------------------+------------------+
Proposed sig:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Chekafe.A or Related Infection Checkin"; flow:established,to_server; uricontent:"isInst="; uricontent:"lockcode="; uricontent:"PcType="; uricontent:"AvName="; uricontent:"ProCount="; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader:Win32/Chekafe.A; sid:111111111; rev:1;)
Regards
--
_______________________________
Jaime Blasco
www.ossim.com
www.alienvault.com
Email: jaime.blasco at alienvault.com
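The checkin pattern and the proposed rule above, replayed over sample log lines as an added example (not part of the original post or of the ET ruleset). It mimics the rule's five ANDed uricontent substring matches, then parses the matched URI into whole query-parameter names for triage; the "host uri" log lines, www.example.org and the ThisInst= request are constructed for the demonstration.

```python
from urllib.parse import urlsplit, parse_qs

# The five URI tokens the proposed rule ANDs together with uricontent.
URI_TOKENS = ("isInst=", "lockcode=", "PcType=", "AvName=", "ProCount=")

def uricontent_match(uri):
    """Mimic the rule: every token must occur as a substring of the URI."""
    return all(tok in uri for tok in URI_TOKENS)

def parse_checkin(uri):
    """Stricter parse for triage: each token must be a whole parameter name.
    Returns the checkin fields, or None if a required parameter is missing."""
    parts = urlsplit(uri)
    params = parse_qs(parts.query, keep_blank_values=True)
    names = [tok.rstrip("=") for tok in URI_TOKENS]
    if not all(n in params for n in names):
        return None
    fields = {n: params[n][0] for n in names}
    fields["id"] = params.get("id", [""])[0]
    fields["mac"] = params.get("mac", [""])[0]
    fields["path"] = parts.path
    return fields

# Constructed sample log lines ("host uri"): three rows from the table in the
# post, one benign request carrying only three of the parameters, and one
# constructed request that trips the substring match but not the whole-name
# parse (uricontent "isInst=" is a substring of "ThisInst=").
SAMPLE_LOG = """\
count.eloaz.com /admin/count.php?id=3008&isInst=1&lockcode=-9114&mac=00-00-00-00-00-00&PcType=HomePc&AvName=OtherOrNone&ProCount=24
vip.crwye.cn:81 /admin/count.php?id=113&isInst=1&lockcode=2501&mac=00-00-00-00-00-00&PcType=HomePc&AvName=OtherOrNone&ProCount=24
www.example.org /stats.php?isInst=1&lockcode=7&PcType=HomePc
www.example.org /q?ThisInst=1&lockcode=1&PcType=a&AvName=b&ProCount=c
121.12.110.35:81 /admin/count.php?id=124&isInst=1&lockcode=2501&mac=00-00-00-00-00-00&PcType=HomePc&AvName=OtherOrNone&ProCount=24
"""

def scan_log(text):
    """Return (host, fields) for every line the rule would alert on; fields is
    None when the whole-name parse disagrees with the substring match."""
    hits = []
    for line in text.splitlines():
        host, _, uri = line.partition(" ")
        if uri and uricontent_match(uri):
            hits.append((host, parse_checkin(uri)))
    return hits
```

A hit whose fields come back None is a candidate false positive of the substring rule and worth a second look before escalating.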