Home | About Us | FAQ | Signature Downloads | All Projects | Submit a Signature | Mailing Lists | Feeds | Open Job Board | Sponsors | Documentation

  • RSS Latest Docs

    • 2003394
    • SnortConfSamples
    • FastFluxDNSResponseDetection
    • 2007634
    • DilipPatel
    • TestTest123
    • 2003642
    • 2007588
    • 2007688
    • 2007706

  • RSS Latest Sigs

    • VIRUS/TROJAN_PRG
    • VIRUS/TROJAN_Win32.Pakes
    • current-sids.txt
    • CURRENT_EVENTS/CURRENT_WPAD
    • current-sids.txt
    • CURRENT_EVENTS/CURRENT_WPAD
    • current-sids.txt
    • WEB/WEB_Neosploit
    • current-sids.txt
    • VIRUS/TROJAN_Win32.Pakes

  • Recent Comments

    • gabrix on I’m Leaving Bleeding Threats!
    • Buck on Guard.zip Phish, Very targeted, Sig Available
    • Lance on Guard.zip Phish, Very targeted, Sig Available
    • akgunk on Guard.zip Phish, Very targeted, Sig Available
    • Bill475382635','199440348billy@msn.com','','20.134.10.131','2008-05-20 20:38:34','2008-05-20 20:38:34','','0','lynx','comment','0','0'),('0', '', '', '', '', '2008-05-21 20:38:34', '2008-05-21 20:38:34', '', 'spam', '', 'comment', '0','0' ) /* on How to Integrate/Use Bleeding Snort Rules

  • Recent Posts

    • Rule & Firewall Updates Re-enabled
    • I’m Leaving Bleeding Threats!
    • Encrypted Storm Sigs
    • Windows 98 Snort Signature
    • E-Jihad Tool Sigs
    • « CCProxy in use by Malware
    Possible Trojan Infection Report Email Rule »

    Trojan.Win32.Qhost.it C&C Sigs

    #by Mat Jonkman, from sandnet analysis
    # some kind of c&c, needs more research, but these sigs are reliable
    alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:”BLEEDING-EDGE TROJAN Trojan.Win32.Qhost C&C Traffic Outbound (case1)”; flow:established; dsize:>1000; content:”|00 00 00 28 0a 00 00 02 0f|Service Pack 1|00|”; classtype:trojan-activity; reference:url,/www.viruslist.com/en/viruses/encyclopedia?virusid=142254; sid:2007578; rev:1;)
    alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:”BLEEDING-EDGE TROJAN Trojan.Win32.Qhost C&C Traffic Outbound (case2)”; flow:established; dsize:>1000; content:”|00 00 00 28 0a 00 00 02 0f|Service Pack 2|00|”; classtype:trojan-activity; reference:url,/www.viruslist.com/en/viruses/encyclopedia?virusid=142254; sid:2007579; rev:1;)
    alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:”BLEEDING-EDGE TROJAN Trojan.Win32.Qhost C&C Traffic Inbound (case1)”; flow:established; dsize:>1000; content:”|00 00 00 28 0a 00 00 02 0f|Service Pack 1|00|”; classtype:trojan-activity; reference:url,/www.viruslist.com/en/viruses/encyclopedia?virusid=142254; sid:2007580; rev:1;)
    alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:”BLEEDING-EDGE TROJAN Trojan.Win32.Qhost C&C Traffic Inbound (case2)”; flow:established; dsize:>1000; content:”|00 00 00 28 0a 00 00 02 0f|Service Pack 2|00|”; classtype:trojan-activity; reference:url,/www.viruslist.com/en/viruses/encyclopedia?virusid=142254; sid:2007581; rev:1;)

    The C&C channel is interesting, please report any hits, or let me know if you notice something else unique in samples.

    Matt

    This entry was posted on Monday, August 27th, 2007 at 5:03 am and is filed under General, New Rules. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

    Leave a Reply

    You must be logged in to post a comment.

    Entries (RSS) and Comments (RSS)
    Copyright © 2007 Bleeding Edge Threats.
    All trademarks and copyrights on this page are owned by their respective owners. Snort® is a registered trademark of Sourcefire, Inc.