
Re: Stormy P2P bot Sigs -- may be SKYPE ?: msg#00191

Subject: Re: Stormy P2P bot Sigs -- may be SKYPE ?
Still looking for more variants to look through, but I've verified the
original sigs are correct. The UDP packets coming from the worm ARE
definitely eDonkey.

I had a few that Wireshark called ICP because their service port was
4000, but the content of the packet is eDonkey.

I've run some Skype again and not gotten hits on the eDonkey sigs.

The Allaple I had that looked like it was sending eDonkey may have been
cross-pollination on the sandbox it was run in. I pulled the binary and
sandboxed it here and got normal Allaple activity.

Interesting morning... :)

Matt

Dave Killion wrote:
> From the pcaps we've been seeing, it looked to us like it was using ICQ
> for C&C.  I don't know if there are variants, or which ones we're using.
> 
> Something to look at...
> 
> Dave Killion, CISSP
> 
> On 1/28/07, *Russell Fulton* <r.fulton-1/NbpDiVQt6SYBAHRPvY1A@xxxxxxxxxxxxxxxx
> <mailto:r.fulton-1/NbpDiVQt6SYBAHRPvY1A@xxxxxxxxxxxxxxxx>> wrote:
> 
> 
> 
>     Matt Jonkman wrote:
>     > Finding more detail, this does indeed look like eDonkey traffic on an
>     > unusual port.
>     >
>     > I'm working on making better sigs, and might pull these shortly. If
>     > anyone is interested here are the references I'm looking at:
>     >
>     > http://www.giac.org/certified_professionals/practicals/gcih/0446.php
>     > ftp://ftp.kom.e-technik.tu-darmstadt.de/pub/papers/HB02-1-paper.pdf
>     >
>     > We may just need to redo the existing eDonkey sigs, which look only at
>     > ports 4660:4799. This trojan runs with a source port of 7871, which is
>     > rather unusual...
>     >
>     > Any eDonkey experts out there?
>     >
>     >
>     Hmmmm... My eDonkey alerts have gone crazy recently.  I know that at
>     least some of the machines (the ones I checked) are not doing any p2p
>     file sharing, nor are there any signs of infection or compromise.  All 3
>     however were running Skype.   Is it possible that changes have been made
>     to the Skype protocol which results in a lot of packets with 0xE3 at the
>     start?
> 
> 
>     Russell
> 
>     _______________________________________________
>     Bleeding-sigs mailing list
>     Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
>     <mailto:Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx>
>     http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
> 
> 
> 
> 
> -- 
> Dave Killion, CISSP
> Contributing Author, Configuring NetScreen Firewalls
> 
> 
> ------------------------------------------------------------------------
> 

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc
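The thread turns on three different ways a rule could match this traffic: the existing eDonkey sigs key on ports 4660:4799 (and so miss a trojan talking from source port 7871), a bare "first byte is 0xE3" check would catch it but also fires on the Skype-style packets Russell describes, and a check on the actual eDonkey UDP header (marker byte, opcode, plausible length) separates the two. The Python below is added here as an illustration; it is not part of the thread and not Bleeding sigs code. The opcode names and minimum lengths are recalled from eMule's opcodes.h and should be treated as assumptions to verify against current source; the datagrams, the ports other than 7871 and 4660:4799, and every function name in the block are constructed.

```python
from dataclasses import dataclass

EDONKEY_PROTO = 0xE3               # classic eDonkey protocol marker byte
EMULE_PROTO = 0xC5                 # eMule extended-protocol marker byte
EDONKEY_PORTS = range(4660, 4800)  # the 4660:4799 range the old sigs keyed on

# UDP opcodes and the minimum datagram length each needs to be plausible.
# Values recalled from eMule's opcodes.h: an assumption to verify, not
# something the thread states.
UDP_OPCODES = {
    0x96: ("OP_GLOBSERVSTATREQ", 6),    # marker, opcode, 4-byte challenge
    0x97: ("OP_GLOBSERVSTATRES", 14),   # challenge, user count, file count
    0x98: ("OP_GLOBSEARCHREQ", 4),      # marker, opcode, search expression
    0x99: ("OP_GLOBSEARCHRES", 4),
    0x9A: ("OP_GLOBGETSOURCES", 18),    # marker, opcode, >= one 16-byte hash
    0x9B: ("OP_GLOBFOUNDSOURCES", 18),
}


@dataclass
class Verdict:
    port_rule: bool      # would the old port-range rule fire?
    marker_rule: bool    # would a bare "first byte is 0xE3" rule fire?
    content_rule: bool   # marker + known opcode + sane length
    detail: str


def classify(src_port: int, dst_port: int, payload: bytes) -> Verdict:
    """Return which of the three rule styles fire on one UDP datagram."""
    port_rule = src_port in EDONKEY_PORTS or dst_port in EDONKEY_PORTS
    marker_rule = len(payload) >= 1 and payload[0] == EDONKEY_PROTO
    content_rule = False
    detail = "no eDonkey marker byte"

    if len(payload) >= 2 and payload[0] in (EDONKEY_PROTO, EMULE_PROTO):
        opcode = payload[1]
        if opcode not in UDP_OPCODES:
            detail = f"marker byte but unknown opcode 0x{opcode:02x}"
        else:
            name, min_len = UDP_OPCODES[opcode]
            if len(payload) < min_len:
                detail = f"{name} too short ({len(payload)} bytes)"
            elif opcode == 0x9A and (len(payload) - 2) % 16:
                # a get-sources body is a list of whole 16-byte hashes
                detail = f"{name} with a hash list that is not whole hashes"
            else:
                content_rule = True
                detail = name
    return Verdict(port_rule, marker_rule, content_rule, detail)


# Constructed datagrams (src_port, dst_port, payload); none are real captures.
SAMPLES = {
    # worm-style peer traffic: a valid server-status request, but from the
    # unusual source port 7871 to a peer on a high port, so the old port
    # rule never sees it
    "worm_7871": (7871, 19271, bytes([0xE3, 0x96]) + b"\x11\x22\x33\x44"),
    # ordinary client on the classic port asking a server for sources
    "client_4662": (4662, 4665, bytes([0xE3, 0x9A]) + b"\xab" * 16),
    # non-eDonkey datagram that merely starts with 0xE3 (the Skype-style
    # false positive the thread worries about)
    "marker_only": (35120, 33033, bytes([0xE3, 0x7F, 0x10, 0x00, 0x55])),
    # starts with 0xE3 and a real opcode by chance, but far too short
    "short_fluke": (35120, 33033, bytes([0xE3, 0x96, 0x01])),
    # unrelated datagram with a DNS-style header
    "dns_like": (53412, 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),
}


def run_samples() -> dict:
    """Classify every constructed sample; keys are the sample names."""
    return {name: classify(*pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, v in run_samples().items():
        print(f"{name:12s} port={v.port_rule!s:5} marker={v.marker_rule!s:5} "
              f"content={v.content_rule!s:5} {v.detail}")
```

Running it shows the worm-style datagram passing only the marker and content checks, the marker-only and too-short datagrams firing the bare 0xE3 rule but failing the content check, and the ordinary client matching all three; the content check is the one worth carrying into a signature, with the port range kept at most as a confidence hint rather than a precondition.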

