Re: Stormy P2P bot Sigs -- may be SKYPE ?: msg#00185

security.ids.snort.bleedingsnort

Subject: Re: Stormy P2P bot Sigs -- may be SKYPE ?

From the pcaps we've been seeing, it looked to us like it was using ICQ for C&C.  I don't know if there are variants, or which ones we're using.

Something to look at...

Dave Killion, CISSP

On 1/28/07, Russell Fulton <r.fulton-1/NbpDiVQt6SYBAHRPvY1A@xxxxxxxxxxxxxxxx> wrote:


Matt Jonkman wrote:
> Finding more detail, this does indeed look like edonkey traffic on an
> unusual port.
>
> I'm working on making better sigs, and might pull these shortly. If
> anyone is interested here are the references I'm looking at:
>
> http://www.giac.org/certified_professionals/practicals/gcih/0446.php
> ftp://ftp.kom.e-technik.tu-darmstadt.de/pub/papers/HB02-1-paper.pdf
>
> We may just need to redo the existing edonkey sigs, which look only at
> ports 4660:4799. This trojan runs with a source port of 7871, which is
> rather unusual...
>
> Any edonkey experts out there?
>
>
Hmmmm... My edonkey alerts have gone crazy recently.  I know that at
least some of the machines (the ones I checked) are not doing any p2p
file sharing, nor are there any signs of infection or compromise.  All 3
however were running Skype.   Is it possible that changes have been made
to the Skype protocol which result in a lot of packets with 0xE3 at the
start?


Russell

_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs



--
Dave Killion, CISSP
Contributing Author, Configuring NetScreen Firewalls
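The thread turns on two detection choices: the existing eDonkey signatures key on the 4660:4799 port range (and so miss the bot's unusual source port 7871), while Russell's false positives suggest that a bare "first byte is 0xE3" check over-matches other traffic. The script below is an added example, not code from the thread or from the Bleeding Edge ruleset: it scores a port-only rule, a marker-only rule and a marker-plus-framing rule against a handful of constructed sample packets. The port range and port 7871 come from the thread; the eDonkey TCP framing (1-byte 0xE3 marker, 4-byte little-endian length, 1-byte opcode) is an assumption not stated on the page, and the "looks like Skype" packet is just constructed bytes that begin with 0xE3, not a real Skype capture.

```python
"""
Added example (not from the thread): scores three candidate eDonkey detection
rules against a small set of constructed sample packets, to show why a
port-only signature misses traffic on an unusual port such as 7871 and why a
bare "first byte is 0xE3" check over-matches.
"""
import struct
from dataclasses import dataclass

EDONKEY_PORTS = range(4660, 4800)   # the 4660:4799 range the existing sigs look at
EDONKEY_MARKER = 0xE3               # protocol byte at offset 0 of an eDonkey message


@dataclass
class Packet:
    name: str
    proto: str        # "tcp" or "udp"
    sport: int
    dport: int
    payload: bytes
    is_edonkey: bool  # constructed ground truth used for scoring


def port_rule(p: Packet) -> bool:
    """What the existing signatures do: match on the port range alone."""
    return p.sport in EDONKEY_PORTS or p.dport in EDONKEY_PORTS


def marker_rule(p: Packet) -> bool:
    """Port-agnostic: fire on any payload whose first byte is 0xE3."""
    return len(p.payload) >= 1 and p.payload[0] == EDONKEY_MARKER


def framed_rule(p: Packet) -> bool:
    """Marker plus a framing sanity check.

    Assumption (not stated on the page): an eDonkey TCP message is
    <marker:1><length:u32 LE><opcode:1><body>, where length counts the
    opcode and body. UDP messages carry only <marker:1><opcode:1><body>,
    so no length field is available there and this rule degrades to the
    bare marker check on UDP.
    """
    if not marker_rule(p):
        return False
    if p.proto == "udp":
        return len(p.payload) >= 2
    if len(p.payload) < 6:
        return False
    (length,) = struct.unpack_from("<I", p.payload, 1)
    return 5 + length == len(p.payload)


def edonkey_tcp(opcode: int, body: bytes) -> bytes:
    """Build a well-formed eDonkey TCP message under the framing assumption above."""
    return bytes([EDONKEY_MARKER]) + struct.pack("<I", 1 + len(body)) + bytes([opcode]) + body


# Constructed sample traffic; none of these bytes are real captures.
SAMPLE_PACKETS = [
    Packet("edonkey on its usual port", "tcp", 4662, 4662, edonkey_tcp(0x01, b"\x00\x00"), True),
    Packet("bot using source port 7871", "udp", 7871, 23452, b"\xe3\x0c" + b"\x00" * 16, True),
    Packet("non-eDonkey UDP that happens to start with 0xE3", "udp", 33033, 12340,
           b"\xe3\x9a\x41\x7f\x02\xc8\x11\x5d", False),
    Packet("plain HTTP", "tcp", 51234, 80, b"GET / HTTP/1.1\r\n\r\n", False),
    Packet("TCP noise starting with 0xE3, bogus length", "tcp", 40000, 443,
           b"\xe3\xff\xff\xff\xff\x17\x03\x01", False),
    Packet("unrelated TLS session on a port inside 4660:4799", "tcp", 50100, 4700,
           b"\x16\x03\x01\x00\x2e\x01\x00\x00", False),
]

RULES = {"port": port_rule, "marker": marker_rule, "framed": framed_rule}


def evaluate(rule, packets=SAMPLE_PACKETS):
    """Return (missed, false_alarms) counts for one rule over the sample set."""
    missed = sum(1 for p in packets if p.is_edonkey and not rule(p))
    false_alarms = sum(1 for p in packets if not p.is_edonkey and rule(p))
    return missed, false_alarms


def scorecard(packets=SAMPLE_PACKETS):
    """Score every rule; keys are rule names, values are (missed, false_alarms)."""
    return {name: evaluate(rule, packets) for name, rule in RULES.items()}


if __name__ == "__main__":
    for name, (missed, fa) in scorecard().items():
        print(f"{name:>7}: missed={missed} false_alarms={fa}")
```

On this sample set the port rule misses the port-7871 packet and fires on an unrelated session that merely lands inside 4660:4799, the marker rule catches everything but also fires on both 0xE3-prefixed impostors, and the framing check removes only the TCP impostor. That last point is the caveat for Russell's Skype question: on UDP there is no length field to sanity-check, so a signature that only tests the first byte will keep alerting on any UDP application whose packets begin with 0xE3.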