Re: Stormy P2P bot Sigs -- may be SKYPE ? (msg#00190, security.ids.snort.bleedingsnort)

To make this even more convoluted, I just got a sample of Allaple that does its regular ping sweep, but is also advertising edonkey files.... More to come. Analyzing this one.

Matt

Matt Jonkman wrote:
> I recall wireshark classifying a few udp packets as ICQ in my original
> analysis. I thought it an anomaly, but now that you mention this...
>
> I think I need to do a new analysis and compare some traffic to other
> protocols.
>
> Anyone have any more recent variants they could send over? Or notes on
> any analysis you've done?
>
> Matt
>
> Dave Killion wrote:
>> From the pcaps we've been seeing, it looked to us like it was using ICQ
>> for C&C. I don't know if there are variants, or which ones we're using.
>>
>> Something to look at...
>>
>> Dave Killion, CISSP
>>
>> On 1/28/07, Russell Fulton <r.fulton-1/NbpDiVQt6SYBAHRPvY1A@xxxxxxxxxxxxxxxx> wrote:
>>
>> Matt Jonkman wrote:
>> > Finding more detail, this does indeed look like edonkey traffic on an
>> > unusual port.
>> >
>> > I'm working on making better sigs, and might pull these shortly. If
>> > anyone is interested here are the references I'm looking at:
>> >
>> > http://www.giac.org/certified_professionals/practicals/gcih/0446.php
>> > ftp://ftp.kom.e-technik.tu-darmstadt.de/pub/papers/HB02-1-paper.pdf
>> >
>> > We may just need to redo the existing edonkey sigs, which look only at
>> > ports 4660:4799. This trojan runs with a source port of 7871, which is
>> > rather unusual...
>> >
>> > Any edonkey experts out there?
>> >
>> Hmmmm... My edonkey alerts have gone crazy recently. I know that at
>> least some of the machines (the ones I checked) are not doing any p2p
>> file sharing, nor are there any signs of infection or compromise. All 3
>> however were running Skype. Is it possible that changes have been made
>> to the skype protocol which result in a lot of packets with 0xE3 at the
>> start?
>>
>> Russell
>>
>> _______________________________________________
>> Bleeding-sigs mailing list
>> Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
>> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
>>
>> --
>> Dave Killion, CISSP
>> Contributing Author, Configuring NetScreen Firewalls

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc
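The detection trade-off the thread circles around (a port-range rule misses the bot on source port 7871; a bare 0xE3 first-byte rule fires on Skype traffic) can be checked over constructed packets. This is an added example, not code from the list or any of its posters; it assumes the standard eDonkey TCP framing (0xE3, 4-byte little-endian length, opcode, body), and all packets and ports other than the 4660:4799 range and 7871 are constructed.

```python
import struct

EDONKEY_PROTO = 0xE3               # protocol byte mentioned in the thread
EDONKEY_PORTS = range(4660, 4800)  # the 4660:4799 range the existing sigs key on
STORM_SRC_PORT = 7871              # source port the thread reports for the trojan


def port_rule(sport, dport):
    """Existing-sig style: fires only when either port is in the eDonkey range."""
    return sport in EDONKEY_PORTS or dport in EDONKEY_PORTS


def first_byte_rule(payload):
    """Naive port-agnostic rule: fires on any payload starting with 0xE3."""
    return len(payload) > 0 and payload[0] == EDONKEY_PROTO


def tcp_framing_rule(payload):
    """Tightened TCP rule (assumed eDonkey framing): 0xE3, uint32 LE length,
    opcode, body, with length == len(opcode + body). A random 0xE3 start
    almost never carries a consistent length field, which cuts false positives."""
    if len(payload) < 6 or payload[0] != EDONKEY_PROTO:
        return False
    (length,) = struct.unpack_from("<I", payload, 1)
    return length == len(payload) - 5


def classify(proto, sport, dport, payload):
    """Which rule fires for one packet; the framing check only applies to TCP."""
    return {
        "port": port_rule(sport, dport),
        "first_byte": first_byte_rule(payload),
        "framing": proto == "tcp" and tcp_framing_rule(payload),
    }


def edonkey_tcp(opcode, body):
    """Build a well-formed eDonkey TCP message (constructed sample, not captured)."""
    return bytes([EDONKEY_PROTO]) + struct.pack("<I", 1 + len(body)) + bytes([opcode]) + body


# Constructed samples: (proto, sport, dport, payload). Ports 29000/51234/41234
# and the UDP bytes are made up for illustration.
SAMPLES = {
    "edonkey_hello":  ("tcp", 4662, 4661, edonkey_tcp(0x01, b"\x10" * 16)),
    "storm_odd_port": ("tcp", STORM_SRC_PORT, 29000, edonkey_tcp(0x01, b"\x10" * 16)),
    "skype_like_udp": ("udp", 51234, 41234, b"\xe3\x7f\x02\x00\x11\x22\x33"),
    "random_tcp":     ("tcp", 51234, 443, b"\xe3\x7f\x02\x00\x11\x22\x33"),
}


def run_all():
    return {name: classify(*pkt) for name, pkt in SAMPLES.items()}
```

The UDP case is the one the framing check cannot help with, since eDonkey UDP messages carry no length field; that is why the Skype collision Russell describes is hard to rule out by byte pattern alone.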