
Thread: Re: Rinbot sig - MS DNS Worm




Re: Rinbot sig - MS DNS Worm
2007-04-18 08:11:59
I'm looking for more info on this rule.  I am seeing Linux systems triggering it.  Looking at the reference url it states:

GET /geethams/mozila.exe HTTP/1.1
User-Agent: Mozilla/5.0
Host: 209.97.218.21

should the user-agent be Mozila/5.0?  (One L)

I'm just guessing, I don't have a copy of this to check against.

Thanks

On 4/16/07, Matt Jonkman <jonkmanbleedingthreats.net> wrote:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT EVENTS Rinbot.a User Agent - Downloading new Code (Mozilla/5.0)"; flow:established,to_server; content:"User-Agent: Mozilla/5.0|0d 0a|"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/bin/view/Main/RinBot; sid:2003591; rev:1;)
>
>
> Still working on sigs for the new styles of exploit. This worm is scanning and attacking via port 1025. When it downloads code it uses the above UA string though.
>
> Happy to share samples if you need. Hopefully sigs out soon for the rpc stuff.
>
> Matt
>
> --
> --------------------------------------------
> Matthew Jonkman
> Bleeding Edge Threats
> 765-429-0398
> 765-807-3060 fax
> http://www.bleedingthreats.net
> --------------------------------------------
>
> PGP: http://www.bleedingthreats.com/mattjonkman.asc
>
>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigsbleedingthreats.net
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
>


-- 
-dajackman

Re: Rinbot sig - MS DNS Worm
2007-04-18 08:27:15
Hi dajackman:

dajackman wrote:
> I'm looking for more info on this rule.  I am seeing Linux systems triggering it.  Looking at the reference url it states:
> 
> GET /geethams/mozila.exe HTTP/1.1
> User-Agent: Mozilla/5.0
> Host: 209.97.218.21
> 
> should the user-agent be Mozila/5.0?  (One L)
> 

No, this is a direct cut and paste from the packet capture. I still have a sample of this if you'd like to confirm yourself, but this is the exact complete UA string. In fact, I think I have a couple pcaps saved as well. I'll sanitize one and post it to the reference.

Are you getting hits like that, or are you seeing things using Mozilla/5.0 (...  in their UA?

Is there a legitimate use of Mozilla/5.0 in the real world as the entire UA string?

Matt

> I'm just guessing, I don't have a copy of this to check against.
> 
> Thanks
> 
> On 4/16/07, Matt Jonkman <jonkmanbleedingthreats.net> wrote:
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT EVENTS Rinbot.a User Agent - Downloading new Code (Mozilla/5.0)"; flow:established,to_server; content:"User-Agent: Mozilla/5.0|0d 0a|"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/bin/view/Main/RinBot; sid:2003591; rev:1;)
>>
>>
>> Still working on sigs for the new styles of exploit. This worm is scanning and attacking via port 1025. When it downloads code it uses the above UA string though.
>>
>> Happy to share samples if you need. Hopefully sigs out soon for the rpc stuff.
>>
>> Matt
>>

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc



Re: Rinbot sig - MS DNS Worm
2007-04-18 08:53:26
From: "dajackman" <robby.listsgmail.com>
> I'm looking for more info on this rule.  I am seeing Linux systems triggering it.

I'm seeing Macs and Linux systems tripping this alert as well. Here's a capture

[9:43am dominic] more /tmp/foo
04/18-09:37:46.086656 129.97.109.234:48516 -> 72.3.246.59:80
TCP TTL:63 TOS:0x0 ID:26023 IpLen:20 DgmLen:528 DF
***AP*** Seq: 0x83E4D434  Ack: 0xD7C61098  Win: 0xB7  TcpLen: 32
TCP Options (3) => NOP NOP TS: 408400320 1742460475
47 45 54 20 2F 68 65 61 64 6C 69 6E 65 73 2E 72  GET /headlines.r
73 73 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73  ss HTTP/1.1..Hos
74 3A 20 77 77 77 2E 74 68 65 72 65 67 69 73 74  t: www.theregist
65 72 2E 63 6F 6D 0D 0A 55 73 65 72 2D 41 67 65  er.com..User-Age
6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 0D  nt: Mozilla/5.0.
0A 41 63 63 65 70 74 3A 20 74 65 78 74 2F 78 6D  .Accept: text/xm
6C 2C 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78 6D  l,application/xm
6C 2C 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78 68  l,application/xh
74 6D 6C 2B 78 6D 6C 2C 74 65 78 74 2F 68 74 6D  tml+xml,text/htm
6C 3B 71 3D 30 2E 39 2C 74 65 78 74 2F 70 6C 61  l;q=0.9,text/pla
69 6E 3B 71 3D 30 2E 38 2C 69 6D 61 67 65 2F 70  in;q=0.8,image/p
6E 67 2C 2A 2F 2A 3B 71 3D 30 2E 35 0D 0A 41 63  ng,*/*;q=0.5..Ac
 ..etc.

The user is a Linux geek, he's running Mozilla Firefox (which reports the long User-Agent string) and has an RSS feed to that site.

I suspect it's FP'ing on RSS feeds. I can look at the other FP's to confirm.



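Added example, not from the thread or from Bleeding Edge Threats: it decodes the content: pattern of sid:2003591 (Snort's |..| notation encloses hex bytes, so |0d 0a| is the CRLF that ends the header) and runs that exact-match test over three constructed requests: the worm download as quoted from the reference page in the first message, the RSS fetch rebuilt from the twelve dump rows in Dominic's capture, and a simplified full-length Firefox UA of the "Mozilla/5.0 (..." form Matt asks about. It shows why the first two both match (a bare "Mozilla/5.0" header followed by CRLF) while the third does not, and adds a refined check that also requires an .exe request-target; that refinement is my illustration of how the RSS false positive could be separated from the download, not a revision of the list's rule. The blank terminating line in the worm request and the Firefox version string are assumptions.

```python
import re

# Snort content: pattern copied from sid:2003591 in the thread; |..| encloses hex bytes.
RULE_CONTENT = "User-Agent: Mozilla/5.0|0d 0a|"


def snort_content_to_bytes(pattern):
    """Decode Snort content notation: text outside |...| is literal ASCII,
    text inside |...| is a run of hex byte values."""
    out = bytearray()
    i = 0
    while i < len(pattern):
        if pattern[i] == "|":
            j = pattern.index("|", i + 1)
            out += bytes.fromhex(pattern[i + 1:j])
            i = j + 1
        else:
            out.append(ord(pattern[i]))
            i += 1
    return bytes(out)


# Leading run of two-digit hex values on a dump row; the ASCII column that
# follows (after a double space) is never reached by the match.
_HEX_COLS = re.compile(r"^((?:[0-9A-F]{2} ?)+)")


def dump_to_bytes(dump):
    """Recover payload bytes from a Snort packet dump: each row starts with
    up to 16 hex byte values; rows without them (e.g. '..etc.') are skipped."""
    out = bytearray()
    for line in dump.splitlines():
        m = _HEX_COLS.match(line.strip())
        if m:
            out += bytes.fromhex(m.group(1).strip())
    return bytes(out)


# Constructed sample 1: the worm download request as quoted on the reference
# page (request line, UA and Host from the thread; the blank line is assumed).
WORM_REQUEST = (
    b"GET /geethams/mozila.exe HTTP/1.1\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Host: 209.97.218.21\r\n\r\n"
)

# Constructed sample 2: the first twelve rows of Dominic's capture as posted.
RSS_DUMP = """\
47 45 54 20 2F 68 65 61 64 6C 69 6E 65 73 2E 72  GET /headlines.r
73 73 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73  ss HTTP/1.1..Hos
74 3A 20 77 77 77 2E 74 68 65 72 65 67 69 73 74  t: www.theregist
65 72 2E 63 6F 6D 0D 0A 55 73 65 72 2D 41 67 65  er.com..User-Age
6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 0D  nt: Mozilla/5.0.
0A 41 63 63 65 70 74 3A 20 74 65 78 74 2F 78 6D  .Accept: text/xm
6C 2C 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78 6D  l,application/xm
6C 2C 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78 68  l,application/xh
74 6D 6C 2B 78 6D 6C 2C 74 65 78 74 2F 68 74 6D  tml+xml,text/htm
6C 3B 71 3D 30 2E 39 2C 74 65 78 74 2F 70 6C 61  l;q=0.9,text/pla
69 6E 3B 71 3D 30 2E 38 2C 69 6D 61 67 65 2F 70  in;q=0.8,image/p
6E 67 2C 2A 2F 2A 3B 71 3D 30 2E 35 0D 0A 41 63  ng,*/*;q=0.5..Ac
 ..etc.
"""
RSS_REQUEST = dump_to_bytes(RSS_DUMP)

# Constructed sample 3: a simplified full-length Firefox UA (version string
# made up) of the "Mozilla/5.0 (..." form; the CRLF no longer follows "5.0".
BROWSER_REQUEST = (
    b"GET /headlines.rss HTTP/1.1\r\n"
    b"Host: www.theregister.com\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux) Gecko Firefox/2.0\r\n\r\n"
)


def rule_matches(payload):
    """The rule's content test: the decoded pattern must appear verbatim."""
    return snort_content_to_bytes(RULE_CONTENT) in payload


def request_target(payload):
    """Request-target from the request line, e.g. '/headlines.rss'."""
    first = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = first.split(" ")
    return parts[1] if len(parts) >= 2 else ""


def refined_match(payload):
    """Illustrative tightening (assumption, not the list's rule): keep the
    exact-UA test but also require an .exe target, which the worm download
    has and the RSS fetch does not."""
    return rule_matches(payload) and request_target(payload).lower().endswith(".exe")


if __name__ == "__main__":
    for name, req in (("worm", WORM_REQUEST), ("rss", RSS_REQUEST), ("browser", BROWSER_REQUEST)):
        print(f"{name:8s} sid:2003591={rule_matches(req)!s:5s} refined={refined_match(req)}")
```

Running it prints a match for the worm request and for the RSS fetch under the rule's own test, and no match for the long browser UA, which is the point of the |0d 0a| terminator; only the worm request survives the refined check.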

