List: emerging-sigs
Subject: [Emerging-Sigs] Proposed Signature, FakeAV Download
From: harry.tuttle () zoho ! com (harry ! tuttle)
Date: 2011-04-26 20:46:52
Message-ID: 12f93908426.-8889343162266917335.7315335875276918891 () zoho ! com
I can't get it to run in a VM locally, and it is beyond my very limited assembly/debugger skills to figure out the protection mechanisms.
It does run here:
https://mwanalysis.org/?page=report&analysisid=73661&password=uvsbqlhwfi
Unfortunately, they give only the IP and port rather than the URL or a pcap. Correlating the given IPs to other reports in an online search, it looks very similar to http://www.malware-control.com/statics-pages/970dfb97f492022c8127a5d51a9ce0d7.php, which matches the sig below.
---- On Tue, 26 Apr 2011 07:34:48 -0700 Martin Holste <mcholste at gmail.com> wrote ----
Anyone know what the exe obfuscation routine is for the
"InstallInternetProtection" FakeAV? Trying to get one uploaded to
Anubis. I tried xorsearch for PE\x00\x00 but got no hits. I'm
assuming it's rotated/xored then compressed.
On Fri, Apr 22, 2011 at 9:53 PM, "Michael Cox"
<michael at mail.wanderingbark.net> wrote:
> This is from one of the "BestAntivirus2011" samples.
>
> Regards,
> Michael
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> BestAntivirus2011 Fake AV reporting"; flow:established,to_server;
> content:"GET"; http_method; content:".php?affid="; http_uri;
> content:"&data="; http_uri; content:"&v="; http_uri;
> classtype:trojan-activity; sid:2011xxx; rev:1;)
>
> On Fri, Apr 22, 2011 at 12:57:05PM -0400, Matthew Jonkman wrote:
>> Getting these posted, thanks Michael!
>>
>> Matt
>>
>> On Apr 21, 2011, at 2:47 PM, Michael Cox wrote:
>>
>> > On Thu, Apr 21, 2011 at 09:30:48AM -0500, evilghost at packetmail.net wrote:
>> >> -----BEGIN PGP SIGNED MESSAGE-----
>> >> Hash: SHA1
>> >>
>> >>
>> >> Seen from 212.124.107.242 very similar to SID 2012494 -- Don't see coverage for
>> >> this. Fairly straightforward, seen first hand, have PCAP but really no point
>> >> to posting since it's just GET / with FakeAV attachment.
>> >>
>> >> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS
>> >> FakeAV InstallInternetProtection Download"; flow:established,from_server;
>> >> content:"|3b 20|filename=|22|InstallInternetProtection_"; http_header; nocase;
>> >> classtype:trojan-activity; sid:2011xxx; rev:1;)
>> >>
>> >> - --
>> >>
>> >> - -evilghost
>> >
>> > Seeing lots of these as well. This might work as a check-in sig.
>> >
>> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
>> > Internet Protection FakeAV checkin"; flow:established,to_server; content:"GET";
>> > http_method; content:"php?partner_id="; http_uri; content:"&u="; http_uri;
>> > content:"&log_id="; http_uri; content:"&os="; http_uri;
>> > classtype:trojan-activity;
>> > reference:url,www.threatexpert.com/report.aspx?md5=7710686d03cd3174b6f644434750b22b;
>> > sid:nnnnnnn;)
>> >
>> > On a side note, I'm getting lots of hits for a similar campaign from the
>> > .ce.ms domain sig in current_events. Example binary at
>> > hxxp://dl.list-antivirus.ce.ms/BestAntivirus2011.exe.
>> >
>> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
>> > CURRENT_EVENTS FakeAV BestAntivirus2011 Download"; flow:established,from_server;
>> > content:"|3b 20|filename=|22|BestAntivirus2011.exe"; http_header; nocase;
>> > classtype:trojan-activity; sid:2011xxx; rev:1;)
>> >
>> > Regards,
>> > Michael
>>
>>
>> ----------------------------------------------------
>> Matthew Jonkman
>> Emergingthreats.net
>> Emerging Threats Pro
>> Open Information Security Foundation (OISF)
>> Phone 765-807-8630 x110
>> Fax 312-264-0205
>> http://www.emergingthreatspro.com
>> http://www.openinfosecfoundation.org
>> ----------------------------------------------------
>>
>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>
>>
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20110426/09e2ad89/attachment.html
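As an added illustration, not code from the thread or from Emerging Threats, the Python below evaluates two of the quoted rules the way Snort would apply their content: matches (|hex| escapes, http_method/http_uri/http_header buffers, nocase) against constructed HTTP buffers; the rule text is copied from the thread, the sample request and response are made up here.

```python
import re

# Two rules quoted verbatim from the thread above (sid placeholders are the authors' own).
CHECKIN_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Internet '
    'Protection FakeAV checkin"; flow:established,to_server; content:"GET"; http_method; '
    'content:"php?partner_id="; http_uri; content:"&u="; http_uri; content:"&log_id="; '
    'http_uri; content:"&os="; http_uri; classtype:trojan-activity; sid:nnnnnnn;)')
DOWNLOAD_RULE = ('alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS '
    'FakeAV InstallInternetProtection Download"; flow:established,from_server; '
    'content:"|3b 20|filename=|22|InstallInternetProtection_"; http_header; nocase; '
    'classtype:trojan-activity; sid:2011xxx; rev:1;)')

# Matches "option;" or "option:value;" where value may be a double-quoted string.
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def content_bytes(s):
    """Decode a Snort content string: text outside |...| is literal, inside is hex."""
    out = bytearray()
    for i, part in enumerate(s.split('|')):
        out += bytes.fromhex(part) if i % 2 else part.encode('latin-1')
    return bytes(out)

def parse_contents(rule):
    """Return (needle, buffer, nocase) for each content: plus the modifiers that follow it."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    found = []
    for name, val in OPTION_RE.findall(body):
        if name == 'content':
            found.append([content_bytes(val.strip('"')), 'payload', False])
        elif found and name in ('http_method', 'http_uri', 'http_header'):
            found[-1][1] = name          # modifier binds to the preceding content
        elif found and name == 'nocase':
            found[-1][2] = True
    return [tuple(f) for f in found]

def rule_matches(rule, buffers):
    """buffers maps a buffer name ('http_uri', ...) to the bytes Snort would inspect."""
    for needle, buf, nocase in parse_contents(rule):
        hay = buffers.get(buf, b'')
        if nocase:
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True
# Constructed sample traffic (not captured data): one check-in request, one download response.
CHECKIN_REQ = {'http_method': b'GET',
               'http_uri': b'/example.php?partner_id=TEST&u=TEST&log_id=0&os=TESTOS'}
DOWNLOAD_RESP = {'http_header': b'Content-Type: application/octet-stream\r\n'
                 b'Content-Disposition: attachment; FILENAME="InstallInternetProtection_x.exe"\r\n'}
BENIGN_RESP = {'http_header': b'Content-Disposition: attachment; filename="report.pdf"\r\n'}
```

The mixed-case FILENAME in the constructed response is what the rule's nocase modifier is there for; drop it from the download rule and that sample no longer fires.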