Had a bot binary that we can't figure out. It's using an SSL encrypted control stream, looks like IRC underneath. Putting the final touches on an SSL/TLS state machine. That'll be out shortly.

It also sends out a single UDP packet, dest port 3022, 5 bytes, and one byte is always 0x60. I'm sure the port will change for variants, but if you get a hit on this please let us know. False or positive.
# This is a single packet sent out by a bot binary that was submitted
# If you get a hit on this check out the source system, and let us know please
# We have yet to figure out what this is. It doesn't get a reply but appears important
alert udp $HOME_NET any -> $EXTERNAL_NET 3022 (msg:"BLEEDING-EDGE TROJAN Unknown Trojan Communication"; dsize:5; content:"|60|"; classtype:trojan-activity; sid:2003001; rev:1;)
--------------------------------------------
Matthew Jonkman, CISSP
CTO, Infotex
765-429-0398
866-679-5177 24x7 NOC
my.infotex.com
www.bleedingsnort.com
--------------------------------------------
_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs bleedingsnort.com
http://lists.bleedingsnort.com/mailman/listinfo/bleeding-sigs
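To make precise what this signature fires on (and why the poster asks for false positives as well as hits), here is an added Python re-implementation of the rule's header and option tests run over constructed UDP packets; it is example code, not from the list post or the Bleeding Edge ruleset, and the $HOME_NET value and sample addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed site variable; Snort expands $HOME_NET/$EXTERNAL_NET at load time.
# $EXTERNAL_NET is taken here as anything outside $HOME_NET.
HOME_NET = [ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class UdpPacket:
    src: str
    dst: str
    dport: int
    payload: bytes


def in_home_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def matches_sid_2003001(pkt: UdpPacket) -> bool:
    """Header: udp $HOME_NET any -> $EXTERNAL_NET 3022.
    Options: dsize:5 (exact payload length) and content:"|60|"
    (byte 0x60 at any offset, since no offset/depth is given)."""
    if not in_home_net(pkt.src) or in_home_net(pkt.dst):
        return False
    if pkt.dport != 3022:
        return False
    if len(pkt.payload) != 5:
        return False
    return b"\x60" in pkt.payload


# Constructed sample traffic (not real captures).
SAMPLES = [
    UdpPacket("192.168.1.5", "203.0.113.9", 3022, b"\x01\x60\x00\x00\x00"),  # fires
    UdpPacket("192.168.1.5", "203.0.113.9", 3023, b"\x01\x60\x00\x00\x00"),  # wrong port
    UdpPacket("192.168.1.5", "203.0.113.9", 3022, b"\x01\x60\x00\x00\x00\x00"),  # dsize 6
    UdpPacket("192.168.1.5", "192.168.1.6", 3022, b"\x01\x60\x00\x00\x00"),  # internal dst
    UdpPacket("192.168.1.5", "203.0.113.9", 3022, b"\x00\x00\x00\x00\x60"),  # 0x60 anywhere
    UdpPacket("192.168.1.5", "203.0.113.9", 3022, b"\x00\x00\x00\x00\x00"),  # no 0x60
]


def alerting_indices(packets):
    """Return the indices of packets that would raise sid:2003001."""
    return [i for i, p in enumerate(packets) if matches_sid_2003001(p)]


if __name__ == "__main__":
    print(alerting_indices(SAMPLES))  # [0, 4]
```

Packet 4 shows the point worth watching when triaging hits: the unanchored content test accepts 0x60 at any of the five positions, so any benign 5-byte UDP datagram to port 3022 that happens to contain that byte will also alert.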