New Socks Proxy sigs — For bots: msg#00106

security.ids.snort.bleedingsnort

Subject: New Socks Proxy sigs — For bots

William Salusky, one of our favorite ISC handlers, has sent over a great
new list of signatures for Socks connections. He did a good deal of
research and found a reliable way to sense a Socks connection setup and
in progress.

Why do I care, you ask? Because it’s the ‘in’ thing for the fashionable
bot this year. And last year… The bot herders use Socks to push whatever
they like through the bots in their net. This requires far less complex
bots: all they need to know how to do is be a Socks proxy, which is
stable free code. If you see hits inbound to your net, then that target
is likely infected. You’ll also have the source, which will be at the
least a C&C for the bot net, or if you’re lucky you may catch a sloppy
bot herder pushing things from his own systems.

There are a lot of sigs; you can view them here:

http://www.bleedingthreats.net/cgi-bin/viewcvs.cgi/sigs/MALWARE/MALWARE_Socks_Proxy?sortby=date&view=markup

Please give them a try, and let us know how they do. If you’re brave you
can try the last couple that are marked as falsing, but need more research.

Many thanks William, great research. This will help a lot of bot
infested nets.

Matt

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc
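The post describes signatures that sense a Socks connection "setup and in progress" and treats an inbound Socks handshake answered by a local host as a sign of infection. The following is an added example, not the Bleeding Edge signatures or anything from William Salusky's research: a small Python classifier that labels raw TCP payloads as SOCKS4/SOCKS4a/SOCKS5 handshake stages by their wire format (the SOCKS5 layout follows RFC 1928, SOCKS4/4a the original protocol notes) and then assesses a bidirectional flow the way the post reasons about it. The sample payloads and the `192.0.2.0/24` "local net" are constructed for the demonstration.

```python
"""Label SOCKS handshake stages in raw payloads and assess a flow (added example)."""
import ipaddress
import struct
from dataclasses import dataclass

SOCKS5_CMDS = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
SOCKS4_CMDS = {1: "CONNECT", 2: "BIND"}


def classify_socks5(payload: bytes):
    """Return a stage label for a SOCKS5 greeting, method select, request or reply."""
    if len(payload) < 2 or payload[0] != 0x05:
        return None
    # Client greeting: VER=05, NMETHODS, then exactly NMETHODS method bytes.
    nmethods = payload[1]
    if nmethods >= 1 and len(payload) == 2 + nmethods:
        return "socks5-greeting"
    # Server method selection: VER=05, chosen METHOD.
    if len(payload) == 2:
        return "socks5-method-select"
    # Request / reply: VER, CMD|REP, RSV=00, ATYP, DST.ADDR, DST.PORT (2 bytes).
    if len(payload) >= 4 and payload[2] == 0x00:
        atyp = payload[3]
        if atyp == 1:                       # IPv4
            addr_len = 4
        elif atyp == 4:                     # IPv6
            addr_len = 16
        elif atyp == 3 and len(payload) >= 5:   # domain: 1 length byte + name
            addr_len = 1 + payload[4]
        else:
            return None
        if len(payload) == 4 + addr_len + 2:
            if payload[1] in SOCKS5_CMDS:
                return "socks5-request-" + SOCKS5_CMDS[payload[1]]
            return "socks5-reply-success" if payload[1] == 0 else "socks5-reply-fail"
    return None


def classify_socks4(payload: bytes):
    """Return a stage label for a SOCKS4/SOCKS4a request or a SOCKS4 reply."""
    # Request: VN=04, CD, DSTPORT(2), DSTIP(4), USERID, NUL [, DOMAIN, NUL for 4a].
    if len(payload) >= 8 and payload[0] == 0x04 and payload[1] in SOCKS4_CMDS:
        _port, ip = struct.unpack("!H4s", payload[2:8])
        rest = payload[8:]
        if b"\x00" not in rest:
            return None
        _userid, _, tail = rest.partition(b"\x00")
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:   # SOCKS4a marker 0.0.0.x
            if not tail.endswith(b"\x00"):
                return None
            return "socks4a-request-" + SOCKS4_CMDS[payload[1]]
        return None if tail else "socks4-request-" + SOCKS4_CMDS[payload[1]]
    # Reply: VN=00, CD in 5A..5D, DSTPORT(2), DSTIP(4); always 8 bytes.
    if len(payload) == 8 and payload[0] == 0x00 and 0x5A <= payload[1] <= 0x5D:
        return "socks4-reply-" + ("granted" if payload[1] == 0x5A else "rejected")
    return None


def classify_socks(payload: bytes):
    return classify_socks5(payload) or classify_socks4(payload)


@dataclass
class Flow:
    src: str            # client address
    dst: str            # server address (the would-be proxy)
    to_server: bytes    # first client payload
    from_server: bytes  # first server payload (empty if none seen)


def assess_flow(flow: Flow, local_nets):
    """Apply the post's reasoning: a local host answering a SOCKS setup is suspect."""
    client = classify_socks(flow.to_server)
    if client is None:
        return None
    server = classify_socks(flow.from_server) if flow.from_server else None
    dst_local = any(ipaddress.ip_address(flow.dst) in net for net in local_nets)
    if server is None:
        verdict = "socks-attempt-unanswered"
    elif dst_local:
        verdict = "local-host-serving-socks"   # likely infected target, src is C&C or herder
    else:
        verdict = "outbound-socks-use"
    return {"client": client, "server": server, "verdict": verdict}


# Constructed sample flow: an external source opens SOCKS5 to a host in our net.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
SAMPLE_FLOW = Flow("198.51.100.7", "192.0.2.10", b"\x05\x01\x00", b"\x05\x00")

if __name__ == "__main__":
    print(assess_flow(SAMPLE_FLOW, LOCAL_NETS))
```

Feeding the first payload in each direction of a flow is enough for the setup stage; the "in progress" request and reply stages are recognised by the same functions, so a flow collector can keep labelling subsequent payloads until the handshake completes. Payload length is checked exactly against the encoded address type, which is what keeps the SOCKS5 branch from matching arbitrary data that happens to start with 0x05.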