Subject: Re: Stormy P2P bot Sigs -- may be SKYPE ?
List: security.ids.snort.bleedingsnort (msg#00186)
I recall wireshark classifying a few udp packets as ICQ in my original analysis. I thought it an anomaly, but now that you mention this... I think I need to do a new analysis and compare some traffic to other protocols. Anyone have any more recent variants they could send over? Or notes on any analysis you've done?

Matt

Dave Killion wrote:
> From the pcaps we've been seeing, it looked to us like it was using ICQ
> for C&C. I don't know if there are variants, or which ones we're using.
>
> Something to look at...
>
> Dave Killion, CISSP
>
> On 1/28/07, *Russell Fulton* <r.fulton-1/NbpDiVQt6SYBAHRPvY1A@xxxxxxxxxxxxxxxx
> <mailto:r.fulton-1/NbpDiVQt6SYBAHRPvY1A@xxxxxxxxxxxxxxxx>> wrote:
>
> Matt Jonkman wrote:
> > Finding more detail, this does indeed look like edonkey traffic on an
> > unusual port.
> >
> > I'm working on making better sigs, and might pull these shortly. If
> > anyone is interested here are the references I'm looking at:
> >
> > http://www.giac.org/certified_professionals/practicals/gcih/0446.php
> > ftp://ftp.kom.e-technik.tu-darmstadt.de/pub/papers/HB02-1-paper.pdf
> >
> > We may just need to redo the existing edonkey sigs, which look only at
> > ports 4660:4799. This trojan runs with a source port of 7871, which is
> > rather unusual...
> >
> > Any edonkey experts out there?
> >
> Hmmmm... My edonkey alerts have gone crazy recently. I know that at
> least some of the machines (the ones I checked) are not doing any p2p
> file sharing, nor are there any signs of infection or compromise. All 3
> however were running Skype. Is it possible that changes have been made
> to the skype protocol which results in a lot of packets with 0XE3 at the
> start?
>
> Russell
>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
> <mailto:Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx>
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
>
> --
> Dave Killion, CISSP
> Contributing Author, Configuring NetScreen Firewalls
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc
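The thread above contrasts the existing edonkey sigs (a 0xE3 leading byte, but only on ports 4660:4799) with a trojan that talks from source port 7871, and Russell's suspicion that Skype hosts also emit UDP packets starting with 0xE3. The script below is an added example, not code from the list, from Bleeding Edge Threats or from any of the posters: it applies three candidate rules to a handful of constructed UDP packets (the labels, ports, the 0x96/0x9a opcode bytes and the "Skype-like" payload are all made up for the demonstration) and shows which rule picks up the Skype-style false positive, which one misses the trojan, and how an analyst might bucket 0xE3 hits by port before deciding whether a sig needs tightening.

```python
"""Compare three eDonkey-style UDP signature policies on constructed packets.

Added example, not code from the Bleeding-sigs list. The only facts taken
from the thread are: the eDonkey protocol byte 0xE3, the port range
4660:4799 used by the existing sigs, and the trojan's source port 7871.
Everything else (packet labels, opcode bytes, Skype-like payload) is a
constructed sample for illustration.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

EDONKEY_PROTO = 0xE3                # leading protocol byte (from the thread)
EDONKEY_PORTS = range(4660, 4800)   # ports the existing sigs key on: 4660:4799
TROJAN_SRC_PORT = 7871              # unusual source port seen on the trojan


@dataclass(frozen=True)
class UdpPacket:
    src_port: int
    dst_port: int
    payload: bytes


def first_byte_rule(pkt: UdpPacket) -> bool:
    """Port-agnostic rule: alert on any UDP payload whose first byte is 0xE3.
    This is the loosest rule and is what a Skype-like stream would trip."""
    return len(pkt.payload) >= 1 and pkt.payload[0] == EDONKEY_PROTO


def port_bound_rule(pkt: UdpPacket) -> bool:
    """What the current edonkey sigs do: 0xE3 only when either end of the
    conversation is inside 4660:4799. Misses a peer talking from 7871."""
    on_port = pkt.src_port in EDONKEY_PORTS or pkt.dst_port in EDONKEY_PORTS
    return on_port and first_byte_rule(pkt)


def trojan_port_rule(pkt: UdpPacket) -> bool:
    """Candidate tightening: 0xE3 plus a second (opcode) byte, sent from the
    trojan's observed source port 7871. Narrow on purpose; it is a triage
    aid, not a replacement for the protocol-level sigs."""
    return (pkt.src_port == TROJAN_SRC_PORT
            and len(pkt.payload) >= 2
            and first_byte_rule(pkt))


def triage(pkt: UdpPacket) -> str:
    """Bucket a packet the way an analyst would when edonkey alerts spike:
    is the 0xE3 hit on a real eDonkey port, from the trojan port, or from
    somewhere else (the Skype suspicion in the thread)?"""
    if not first_byte_rule(pkt):
        return "no-e3"
    if pkt.src_port in EDONKEY_PORTS or pkt.dst_port in EDONKEY_PORTS:
        return "e3-on-edonkey-port"
    if pkt.src_port == TROJAN_SRC_PORT:
        return "e3-from-7871"
    return "e3-elsewhere"


# Constructed sample traffic (labels and bytes are made up, not captures).
SAMPLE_PACKETS: List[Tuple[str, UdpPacket]] = [
    ("edonkey-client",     UdpPacket(4662, 4672, b"\xe3\x96" + b"\x00" * 4)),
    ("trojan-peer",        UdpPacket(7871, 12345, b"\xe3\x9a" + b"\x11" * 8)),
    ("skype-like",         UdpPacket(52000, 33033, b"\xe3\x01\x7f\x02")),
    ("dns",                UdpPacket(53, 53, b"\x12\x34\x01\x00")),
    ("trojan-port-no-e3",  UdpPacket(7871, 4665, b"\x05\x00\x00")),
]

Rule = Callable[[UdpPacket], bool]


def matches(rule: Rule, packets=SAMPLE_PACKETS) -> List[str]:
    """Labels of the packets a rule would alert on."""
    return [label for label, pkt in packets if rule(pkt)]


def false_positives(rule: Rule, packets=SAMPLE_PACKETS) -> List[str]:
    """Alerts on traffic that is neither genuine eDonkey nor the trojan."""
    wanted = {"edonkey-client", "trojan-peer"}
    return [label for label in matches(rule, packets) if label not in wanted]


if __name__ == "__main__":
    for name, rule in [("first-byte", first_byte_rule),
                       ("port-bound", port_bound_rule),
                       ("trojan-port", trojan_port_rule)]:
        print(f"{name:12s} hits={matches(rule)} fp={false_positives(rule)}")
    for label, pkt in SAMPLE_PACKETS:
        print(f"{label:20s} -> {triage(pkt)}")
```

Run as-is, the port-agnostic rule is the only one that alerts on the Skype-like packet, the existing port-bound rule is the only one that misses the peer on 7871, and the triage buckets separate the two cases so that a spike in "e3-elsewhere" (Russell's situation) can be told apart from "e3-from-7871" hits without rewriting the sigs first. Against a stream of uniformly random payloads a single-byte match fires on roughly 1 in 256 packets, which is why a first-byte-only rule needs a port or opcode constraint to be usable.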