CCProxy in use by Malware
CCProxy is a legitimate program, but it has been seen in use by malware to proxy remote HTTP traffic. It is a product designed for internal network use, so run this signature externally to detect it being used remotely.
# This would likely be hostile activity
# by Matt Jonkman from sandnet analysis
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY CCProxy in use remotely - Possibly Hostile/Malware"; flow:established,from_server; content:"HTTP/1.0 200 Connection established|0d 0a|Proxy-agent\: CCProxy "; offset:0; depth:58; classtype:trojan-activity; reference:url,www.youngzsoft.net; sid:2007576; rev:1;)
In the sandnet I’ve got a couple samples that are connecting to a remote web server that turns out to be a ccproxy instance. Interesting…
Matt
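The content/offset/depth check from the rule above, re-implemented as an added Python example (not part of the original post) and run over constructed server responses; it shows that the CCProxy banner must begin at byte 0 of the reply, so a banner preceded by other bytes falls outside the depth window and does not alert. The version string in the samples is constructed.

```python
# Added example (not from the original post): emulate the Snort content match
# of sid:2007576 so the offset/depth semantics can be checked against
# constructed proxy responses.

# Raw bytes that the rule's content: option expands to (|0d 0a| is CRLF).
CCPROXY_BANNER = (
    b"HTTP/1.0 200 Connection established\r\n"
    b"Proxy-agent: CCProxy "
)
OFFSET = 0
DEPTH = 58   # len(CCPROXY_BANNER) == 58, so the pattern must start at byte 0


def matches_ccproxy_rule(server_payload: bytes) -> bool:
    """Return True when a server->client payload would trigger the rule.

    Snort's offset/depth limit the search to payload[offset:offset+depth];
    with depth equal to the pattern length, the pattern has to begin
    exactly at the first byte of the response.
    """
    window = server_payload[OFFSET:OFFSET + DEPTH]
    return CCPROXY_BANNER in window


# Constructed sample payloads (not captured traffic); the version after
# "CCProxy" is made up for the example.
SAMPLES = {
    "ccproxy_connect_reply": (
        b"HTTP/1.0 200 Connection established\r\n"
        b"Proxy-agent: CCProxy 0.0-sample\r\n\r\n"
    ),
    "other_proxy_connect_reply": (
        b"HTTP/1.0 200 Connection established\r\n"
        b"Proxy-agent: Squid\r\n\r\n"
    ),
    # Same banner, but two leading bytes push it outside the depth window.
    "ccproxy_banner_not_at_start": (
        b"\r\n"
        b"HTTP/1.0 200 Connection established\r\n"
        b"Proxy-agent: CCProxy 0.0-sample\r\n\r\n"
    ),
    "ordinary_http_response": b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",
}


def classify_samples(samples=SAMPLES) -> dict:
    """Run the rule logic over every sample; returns {name: alerted?}."""
    return {name: matches_ccproxy_rule(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:32s} {'ALERT' if hit else '-'}")
```

Because the rule is flow:established,from_server, a sensor only fires on it when it sees the proxy's reply, not the client's CONNECT request.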