
List:       emerging-sigs
Subject:    Re: [Emerging-Sigs] Sendori adware client
From:       Darien Huss <dhuss () emergingthreats ! net>
Date:       2015-04-08 16:39:05
Message-ID: CAKcCgkVHmA26vgOb02tFD5=KaOpoRL3T_d=ZbA1OOK9TAmgFZQ () mail ! gmail ! com


Thanks Anthony, we'll get this into QA!

On Wed, Apr 8, 2015 at 12:06 PM, Rodgers, Anthony (DTMB) <
RodgersA1@michigan.gov> wrote:

>  Seeing this traffic to malicious IPs:
>
> SRC: GET / HTTP/1.1
> SRC: Cache-Control: no-cache
> SRC: Connection: Keep-Alive
> SRC: Pragma: no-cache
> SRC: User-Agent: Sendori-Client-Win32/2.0.19
> SRC: Host: checkip.dyndns.com
> SRC:
> SRC:
> DST: HTTP/1.1 200 OK
> DST: Content-Type: text/html
> DST: Server: DynDNS-CheckIP/1.0
> DST: Connection: close
> DST: Cache-Control: no-cache
> DST: Pragma: no-cache
> DST: Content-Length: 106
> DST:
> DST: <html><head><title>Current IP Check</title></head><body>Current IP
> Address: 247.191.106.57</body></html>
> DST:
>
> Maybe the following sig could be added:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
> Sendori Windows Adware User-Agent in HTTP Request - Possibly Hostile";
> flow:established,to_server; content:"User-Agent|3a| Sendori"; http_header;
> classtype:policy-violation;)
>
> Some information regarding Sendori from the SANS Diary about a year ago:
> https://isc.sans.edu/forums/diary/Suspect+Sendori+software/16466
>
> --
> Anthony Rodgers
> Security Analyst
> Michigan Security Operations Center (MiSOC)
> DTMB, Michigan Cyber Security
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs@lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
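As an added example (not part of Anthony's post or of the ET ruleset), the Python below mirrors what the proposed signature's `content:"User-Agent|3a| Sendori"; http_header;` match does, run over the request and response captured above. The sample messages are reconstructed from the thread with CRLF line endings; the ordinary browser request and the lowercase variant are constructed for contrast. The `flow:established,to_server` condition is TCP state the sensor supplies, so only the header-buffer match is modelled here.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample: the Sendori client request shown in the thread
# (only the header lines were captured; CRLF endings added here).
SENDORI_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Pragma: no-cache\r\n"
    b"User-Agent: Sendori-Client-Win32/2.0.19\r\n"
    b"Host: checkip.dyndns.com\r\n"
    b"\r\n"
)

# Constructed sample: a normal browser fetching the same benign host;
# the destination alone is not the indicator, the User-Agent is.
BROWSER_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: checkip.dyndns.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0\r\n"
    b"\r\n"
)

# Constructed sample: same product string with different case. The rule's
# content match is case-sensitive (no "nocase"), so this would not fire.
LOWERCASE_REQUEST = SENDORI_REQUEST.replace(b"Sendori-Client", b"sendori-client")

# Constructed sample: the DynDNS reply from the thread.
CHECKIP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Server: DynDNS-CheckIP/1.0\r\n"
    b"Connection: close\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Pragma: no-cache\r\n"
    b"Content-Length: 106\r\n"
    b"\r\n"
    b"<html><head><title>Current IP Check</title></head><body>"
    b"Current IP Address: 247.191.106.57</body></html>"
)

RULE_MSG = "ET POLICY Sendori Windows Adware User-Agent in HTTP Request - Possibly Hostile"

# The rule's content, with |3a| decoded to a literal colon. The space after
# the colon means the User-Agent value itself must begin with "Sendori".
RULE_CONTENT = b"User-Agent: Sendori"


def split_message(raw: bytes) -> Tuple[bytes, Dict[str, str], bytes]:
    """Split an HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return lines[0], headers, body


def matches_sendori_rule(raw_request: bytes) -> bool:
    """Apply the rule's content match to the header block (the http_header buffer)."""
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    return RULE_CONTENT in head


def alert_for_request(raw_request: bytes) -> Optional[str]:
    """Return the rule's msg when the request would fire the signature, else None."""
    return RULE_MSG if matches_sendori_rule(raw_request) else None


_IP_RE = re.compile(rb"Current IP Address: (\d{1,3}(?:\.\d{1,3}){3})")


def checkip_reported_address(raw_response: bytes) -> Optional[str]:
    """Pull the public address the checkip service reported back to the client."""
    _, _, body = split_message(raw_response)
    match = _IP_RE.search(body)
    return match.group(1).decode("ascii") if match else None


if __name__ == "__main__":
    for label, req in [("sendori", SENDORI_REQUEST), ("browser", BROWSER_REQUEST),
                       ("lowercase", LOWERCASE_REQUEST)]:
        _, hdrs, _ = split_message(req)
        print(f"{label:9} UA={hdrs.get('user-agent')!r} alert={alert_for_request(req)}")
    print("client learned its public address:", checkip_reported_address(CHECKIP_RESPONSE))
```

The lowercase case is the caveat worth keeping in mind when the rule goes through QA: without `nocase` a trivially different product string slips past the match, while a stricter anchor such as the full `Sendori-Client-Win32/` prefix would cut false positives from any unrelated agent whose value merely starts with "Sendori".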






