
Stormy P2P bot Sigs: msg#00134

security.ids.snort.bleedingsnort

Subject: Stormy P2P bot Sigs

Have these posted, regarding the Stormy bot. It’s email borne primarily.

The only thing I found among several variants that was common was that
each packet starts with |e3|, and ends in |bf 1e 00| for outbound
packets. And there are some kind of status or ack packets back from
outside hosts that are just an |e3 0d|. Everything starts with e3 though,
and the second byte is generally 0a-0f.

Hopefully we’ll update these as we learn more.

#Matt Jonkman
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535
(msg:"BLEEDING-EDGE TROJAN Stormy P2P bot C&C Seek Traffic Outbound";
dsize:>18; content:"|e3|"; depth:1; content:"|bf 1e 00|"; offset:5;
classtype:trojan-activity; sid:2003299; rev:1;)
alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535
(msg:"BLEEDING-EDGE TROJAN Stormy P2P bot C&C Reply Traffic Inbound";
dsize:2; content:"|e3 0d|"; classtype:trojan-activity; sid:2003300; rev:1;)
alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535
(msg:"BLEEDING-EDGE TROJAN Stormy P2P bot C&C Data Traffic Inbound";
dsize:>400; content:"|e3 0b 14 00|"; classtype:trojan-activity;
sid:2003301; rev:1;)

It appears to be an edonkey or emule protocol, but I don't have a reliable
enough protocol ref handy to know for sure yet. If someone recognizes
the pattern please let me know.

Matt

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc


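Added example, not part of Matt's post: a small Python model of the three rules above that reproduces Snort's dsize, content, depth and offset semantics and runs them over constructed UDP payloads (synthetic bytes, not captured Storm traffic). It makes two things visible that the rule text alone does not: the second content in sid 2003299 is an absolute search from byte 5 onward, not a trailer check, and sid 2003301 has no depth, so its marker fires wherever it appears in a large packet. The strict_outbound function is an assumption built from the observations in the message (first byte e3, second byte 0a-0f, packet ending in bf 1e 00) and is tighter than the posted rule.

```python
"""Model of the Bleeding Edge Stormy P2P bot rules with Snort-style matching.
Added example; the payloads below are constructed, not captured traffic."""

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Content:
    pattern: bytes
    offset: int = 0              # Snort offset: begin the search at this byte
    depth: Optional[int] = None  # Snort depth: search only this many bytes from offset


@dataclass
class Rule:
    sid: int
    msg: str
    contents: List[Content] = field(default_factory=list)
    dsize_gt: Optional[int] = None   # dsize:>N
    dsize_eq: Optional[int] = None   # dsize:N


# The three rules from the post, transcribed option by option.
RULES = [
    Rule(2003299, "Stormy P2P bot C&C Seek Traffic Outbound",
         contents=[Content(b"\xe3", depth=1), Content(b"\xbf\x1e\x00", offset=5)],
         dsize_gt=18),
    Rule(2003300, "Stormy P2P bot C&C Reply Traffic Inbound",
         contents=[Content(b"\xe3\x0d")], dsize_eq=2),
    Rule(2003301, "Stormy P2P bot C&C Data Traffic Inbound",
         contents=[Content(b"\xe3\x0b\x14\x00")], dsize_gt=400),
]


def content_matches(payload: bytes, c: Content) -> bool:
    """A content option matches when the pattern occurs entirely inside
    payload[offset : offset + depth] (to end of payload when depth is unset)."""
    end = len(payload) if c.depth is None else c.offset + c.depth
    return payload[c.offset:end].find(c.pattern) != -1


def rule_matches(payload: bytes, rule: Rule) -> bool:
    """All options in a Snort rule are ANDed: dsize first, then every content."""
    n = len(payload)
    if rule.dsize_gt is not None and not n > rule.dsize_gt:
        return False
    if rule.dsize_eq is not None and n != rule.dsize_eq:
        return False
    return all(content_matches(payload, c) for c in rule.contents)


def evaluate(payload: bytes) -> List[int]:
    """Return the sids of every rule this payload would fire."""
    return [r.sid for r in RULES if rule_matches(payload, r)]


def strict_outbound(payload: bytes) -> bool:
    """Assumed tighter check built from the post's observations, not the rule:
    first byte e3, second byte 0a..0f, and the packet actually ends in bf 1e 00.
    The posted rule only needs bf 1e 00 somewhere at or after byte 5."""
    return (len(payload) >= 5
            and payload[0] == 0xE3
            and 0x0A <= payload[1] <= 0x0F
            and payload.endswith(b"\xbf\x1e\x00"))


# Constructed sample payloads.
SEEK_OUT = b"\xe3\x0c" + b"\x00" * 16 + b"\xbf\x1e\x00"          # 21 bytes
ACK_IN = b"\xe3\x0d"                                             # 2 bytes
DATA_IN = b"\xe3\x0b\x14\x00" + b"\x41" * 500                     # 504 bytes
# Same marker buried mid-packet: sid 2003301 has no depth, so it still fires.
DATA_MID = b"\x00" * 100 + b"\xe3\x0b\x14\x00" + b"\x41" * 400    # 504 bytes
BENIGN = b"\x00\x01" + b"\x02" * 30                               # 32 bytes

if __name__ == "__main__":
    for name, p in [("SEEK_OUT", SEEK_OUT), ("ACK_IN", ACK_IN),
                    ("DATA_IN", DATA_IN), ("DATA_MID", DATA_MID), ("BENIGN", BENIGN)]:
        print(f"{name:9s} len={len(p):4d} sids={evaluate(p)} strict_out={strict_outbound(p)}")
```

Running the block prints one line per payload; DATA_MID shows that sid 2003301 fires on a marker at byte 100 because the rule carries no depth, while SEEK_OUT is the only payload that also passes the stricter trailer check.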