
List:       emerging-sigs
Subject:    [Emerging-Sigs] Proposition for a new rule - chinese dyndns provider 8866.org
From:       jonkman () emergingthreatspro ! com (Matthew Jonkman)
Date:       2011-04-28 16:07:02
Message-ID: A3B15E54-51C8-4B85-B439-7D0396A3C8E6 () emergingthreatspro ! com

8866 and 3322 are highly used by malware, so it makes sense I think to have specific rules for those. Maybe we should do an all numerical .org rule, but are we then going too far into FP land?

Matt

On Apr 27, 2011, at 8:20 AM, AD wrote:

> By scratching a bit more, i found other dyndns domains of interest:
> 
> Namely:
> 2288.org
> 
> http://www.mywot.com/en/scorecard/2288.org
> http://google.com/safebrowsing/diagnostic?site=2288.org
> Malicious software includes 598 exploit(s), 28 scripting exploit(s), 4
> trojan(s).
> 
> 9966.org
> 
> http://www.mywot.com/en/scorecard/9966.org
> http://google.com/safebrowsing/diagnostic?site=9966.org
> Malicious software includes 12106 exploit(s), 9184 trojan(s), 5857 backdoor(s).
> 
> 6600.org
> 
> http://www.mywot.com/en/scorecard/6600.org
> http://google.com/safebrowsing/diagnostic?site=6600.org
> Malicious software includes 3276 exploit(s), 70 trojan(s), 17
> scripting exploit(s).
> 
> 8800.org
> 
> http://www.mywot.com/en/scorecard/8800.org
> http://google.com/safebrowsing/diagnostic?site=8800.org
> Malicious software includes 713 exploit(s), 37 scripting exploit(s),
> 27 trojan(s).
> 
> 7766.org
> 
> http://www.mywot.com/en/scorecard/7766.org
> http://google.com/safebrowsing/diagnostic?site=7766.org
> Malicious software includes 23185 exploit(s), 3501 scripting
> exploit(s), 5 trojan(s).
> 
> I am wondering if I should create rules for some of those domains with
> low rates of infection (i.e. 2288.org & 8800.org).
> Would it be a stretch?
> 
> 
> Or would an "all numerical .org domain" rule like "all numerical .cn"
> (sid:2012327) and "all numerical .ru" (sid:2012328) be in order?
> 
> Sincerely,
> David
> 
> 
> On Wed, Apr 27, 2011 at 12:59, Kevin Ross <kevross33 at googlemail.com> wrote:
>> That looks fine. Thanks for the submission. Kev
>> 
>> On 27 April 2011 10:29, AD <elhoim at gmail.com> wrote:
>>> 
>>> I noticed the rule for 3322.org (sid:2012171), and found another
>>> dyndns candidate.
>>> 
>>> If yes, I would like to propose another Chinese DNS provider: 8866.org
>>> 
>>> The signals I used for the decision are:
>>> 
>>> http://google.com/safebrowsing/diagnostic?site=8866.org/
>>> http://www.mywot.com/en/scorecard/8866.org
>>> http://isc.sans.edu/diary.html?storyid=6739
>>> and presence on the malwaredomains blacklist
>>> 
>>> So the rule should be something like this (copy/pasted & modified from
>>> the 3322.org rule):
>>> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Lookup of
>>> Chinese Dynamic DNS Provider 8866.org Likely Malware Related";
>>> content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;
>>> content:"|04|8866|03|org"; fast_pattern; distance:0; nocase;
>>> classtype:misc-activity;
>>> reference:url,isc.sans.edu/diary.html?storyid=6739;
>>> reference:url,google.com/safebrowsing/diagnostic?site=8866.org/;
>>> reference:url,www.mywot.com/en/scorecard/8866.org; sid:????????;
>>> rev:1;)
>>> 
>>> This is my first submission, so if you have any proposition for
>>> improvement on the format, please let me know!
>>> 
>>> Sincerely,
>>> David
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>> 
>>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>>> http://www.emergingthreatspro.com
>>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
>>> Current!
>> 
>> 


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

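Added worked example (not part of the thread above, and not Emerging Threats code): it builds DNS query packets the way a stub resolver does and re-implements the payload checks of the proposed 8866.org rule in Python, so the header bytes, the label-encoded `|04|8866|03|org` content and the `nocase`/`distance:0` semantics can be exercised against sample names. It also includes a hypothetical "all numerical .org" check of the kind the thread debates; that regex is an assumption for illustration and is not the content of sids 2012327/2012328. All domain names in the block are constructed test inputs.

```python
"""
Worked example: the proposed 8866.org DNS lookup rule, modelled in Python.
Added illustration, not code from the Emerging-Sigs thread.
"""
import re
import struct

# Bytes the rule requires at offset 2, depth 10: flags 0x0100 (standard
# query, recursion desired), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0.
QUERY_HEADER_TAIL = bytes.fromhex("01000001000000000000")

# content:"|04|8866|03|org" from the proposed rule, as raw bytes.
RULE_CONTENT = b"\x048866\x03org"


def encode_qname(name: str) -> bytes:
    """Wire-format QNAME: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_dns_query(name: str, txid: int = 0x1234, flags: int = 0x0100) -> bytes:
    """A/IN query for `name`; flags=0x0100 is what a stub resolver sends."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)


def matches_8866_rule(payload: bytes) -> bool:
    """
    Mirror of the rule's payload checks:
      content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;
      content:"|04|8866|03|org"; fast_pattern; distance:0; nocase;
    The second match starts where the first ended (distance:0) and ignores
    ASCII case (nocase); the label-length bytes are untouched by lower().
    """
    if payload[2:12] != QUERY_HEADER_TAIL:
        return False
    return RULE_CONTENT in payload[12:].lower()


def parse_qname(payload: bytes) -> str:
    """Decode the first QNAME of a DNS message (queries carry no compression)."""
    labels, pos = [], 12
    while True:
        n = payload[pos]
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in query name")
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels).lower()


# Hypothetical "all numerical .org" check (assumption for illustration only;
# NOT the content of ET sids 2012327/2012328).
NUMERIC_ORG = re.compile(r"(?:^|\.)[0-9]+\.org$")


def is_all_numeric_org_query(payload: bytes) -> bool:
    """True when the queried name's second-level label is all digits under .org."""
    if payload[2:12] != QUERY_HEADER_TAIL:
        return False
    return NUMERIC_ORG.search(parse_qname(payload)) is not None


if __name__ == "__main__":
    # Constructed sample lookups, including one that shows the unanchored match.
    for name in ["8866.org", "c2.8866.org", "8866.ORG", "8866.org.example.com",
                 "2288.org", "abc123.org", "example.com"]:
        q = build_dns_query(name)
        print(f"{name:24} 8866-rule={str(matches_8866_rule(q)):5} "
              f"numeric-org={is_all_numeric_org_query(q)}")
```

Two caveats the model makes visible. The content match is not anchored to the end of the QNAME, so a constructed lookup of `8866.org.example.com` also fires; appending the terminating zero byte (`content:"|04|8866|03|org|00|"`) would pin the match to names that actually end in 8866.org, at the cost of a slightly longer pattern. And because the rule is written as `$HOME_NET any -> $EXTERNAL_NET 53`, it only sees queries leaving the network: with an internal recursive resolver it fires on the resolver's outbound lookup, not on the client's original request, so the alert's source IP is the resolver rather than the infected host.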



