alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Lop.gfr/Swizzor HTTP Update/Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/tba/"; nocase; http_uri; content:"guid="; http_client_body; content:"&version="; http_client_body; content:"&clientid="; http_client_body; content:"&time="; http_client_body; content:"&idle="; http_client_body; content:"&ticksBoot="; http_client_body; reference:url,doc.emergingthreats.net/2007774; classtype:trojan-activity; sid:2007774; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:01:01 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lop.gfr/Swizzor HTTP Update/Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/tba/"; nocase; http_uri; content:"guid="; http_client_body; content:"&version="; http_client_body; content:"&clientid="; http_client_body; content:"&time="; http_client_body; content:"&idle="; http_client_body; content:"&ticksBoot="; http_client_body; reference:url,doc.emergingthreats.net/2007774; classtype:trojan-activity; sid:2007774; rev:8;)

Added 2011-10-12 19:23:50 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lop.gfr/Swizzor HTTP Update/Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/tba/"; nocase; http_uri; content:"guid="; http_client_body; content:"&version="; http_client_body; content:"&clientid="; http_client_body; content:"&time="; http_client_body; content:"&idle="; http_client_body; content:"&ticksBoot="; http_client_body; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007774; sid:2007774; rev:8;)

Added 2011-09-14 22:37:18 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lop.gfr/Swizzor HTTP Update/Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/tba/"; nocase; http_uri; content:"guid="; http_client_body; content:"&version="; http_client_body; content:"&clientid="; http_client_body; content:"&time="; http_client_body; content:"&idle="; http_client_body; content:"&ticksBoot="; http_client_body; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007774; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Lop; sid:2007774; rev:8;)

Added 2011-02-04 17:26:53 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lop.gfr/Swizzor HTTP Update/Checkin"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/tba/"; nocase; content:"|0d 0a|guid="; content:"&version="; content:"&clientid="; content:"&time="; content:"&idle="; content:"&ticksBoot="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007774; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Lop; sid:2007774; rev:5;)

Added 2009-02-13 19:30:23 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lop.gfr/Swizzor HTTP Update/Checkin"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/tba/"; nocase; content:"|0d 0a|guid="; content:"&version="; content:"&clientid="; content:"&time="; content:"&idle="; content:"&ticksBoot="; classtype:trojan-activity; sid:2007774; rev:4;)

Added 2008-02-08 14:12:47 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lop.gfr/Swizzor HTTP Update/Checkin"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/tba/"; nocase; content:"|0d 0a|guid="; content:"&version="; distance:50; content:"&clientid="; distance:50; content:"&time="; distance:50; content:"&idle="; distance:50; content:"&ticksBoot="; distance:50; classtype:trojan-activity; sid:2007774; rev:3;)

Added 2008-02-01 09:16:23 UTC

-- RegQuinton - 08 Feb 2008

I'm seeing quite a few alarms on our residences.

They all involve the same server ads.netbios-local.com (64.34.228.126). Signature matches exactly and I have information that ads.netbios-local.com is a nasty site. See

http://malwaredomains.com/?cat=6

But that's a bit circular -- Emerging Threats identified them and provides the signatures I'm using.

Here's the packet capture.

[12:57pm dominic] more /tmp/foo
02/08-11:43:33.653976 129.97.NNN.MMM:1037 -> 64.34.228.126:80
TCP TTL:124 TOS:0x0 ID:95 IpLen:20 DgmLen:250 DF
***AP*** Seq: 0x9694BA5  Ack: 0x1FC3349A  Win: 0xFFFF  TcpLen: 20
50 4F 53 54 20 2F 74 62 61 2F 70 20 48 54 54 50  POST /tba/p HTTP
2F 31 2E 31 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65  /1.1..Content-Le
6E 67 74 68 3A 20 32 39 37 0D 0A 43 6F 6E 74 65  ngth: 297..Conte
6E 74 2D 54 79 70 65 3A 20 61 70 70 6C 69 63 61  nt-Type: applica
74 69 6F 6E 2F 78 2D 77 77 77 2D 66 6F 72 6D 2D  tion/x-www-form-
75 72 6C 65 6E 63 6F 64 65 64 0D 0A 55 73 65 72  urlencoded..User
2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F  -Agent: Mozilla/
34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65 3B  4.0 (compatible;
20 4D 53 49 45 20 36 2E 30 3B 20 57 69 6E 64 6F   MSIE 6.0; Windo
77 73 20 4E 54 20 35 2E 31 29 0D 0A 41 63 63 65  ws NT 5.1)..Acce
70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67 7A 69  pt-Encoding: gzi
70 0D 0A 48 6F 73 74 3A 20 61 64 73 2E 6E 65 74  p..Host: ads.net
62 69 6F 73 2D 6C 6F 63 61 6C 2E 63 6F 6D 0D 0A  bios-local.com..
0D 0A                                            ..

02/08-11:43:33.854848 129.97.240.153:1037 -> 64.34.228.126:80
TCP TTL:124 TOS:0x0 ID:96 IpLen:20 DgmLen:337 DF
***AP*** Seq: 0x9694C77  Ack: 0x1FC3349A  Win: 0xFFFF  TcpLen: 20
67 75 69 64 3D 32 39 32 33 30 35 31 35 38 36 35  guid=29230515865
46 44 38 44 38 38 37 43 43 38 38 31 38 37 34 41  FD8D887CC881874A
41 38 46 43 33 33 33 34 45 26 76 65 72 73 69 6F  A8FC3334E&versio
6E 3D 38 36 34 34 32 32 30 36 36 44 32 33 26 63  n=864422066D23&c
6C 69 65 6E 74 69 64 3D 36 39 36 43 42 35 46 37  lientid=696CB5F7
30 36 39 45 30 35 46 45 33 43 34 44 26 74 69 6D  069E05FE3C4D&tim
65 3D 41 45 35 45 37 45 44 33 41 45 33 36 46 45  e=AE5E7ED3AE36FE
26 69 64 6C 65 3D 39 32 35 30 38 46 26 6C 6F 63  &idle=92508F&loc
61 6C 65 3D 46 39 34 31 32 32 39 31 33 43 32 32  ale=F94122913C22
26 73 65 73 73 69 6F 6E 3D 42 31 30 42 46 34 38  &session=B10BF48
33 30 44 46 33 26 61 63 74 69 76 65 57 69 6E 64  30DF3&activeWind
6F 77 73 3D 45 31 37 42 30 32 26 74 69 63 6B 73  ows=E17B02&ticks
42 6F 6F 74 3D 41 42 33 36 33 42 44 46 34 39 36  Boot=AB363BDF496
36 33 46 45 39 26 74 69 63 6B 73 41 6C 69 76 65  63FE9&ticksAlive
3D 33 33 36 43 41 37 34 42 39 39 39 42 35 39 26  =336CA74B999B59&
69 6E 73 74 61 6C 6C 54 69 6D 65 3D 30 46 30 43  installTime=0F0C
32 37 39 35 46 39 38 33 42 30 41 32 44 36 36 32  2795F983B0A2D662
37 46 36 42 26 6C 61 75 6E 63 68 43 6F 75 6E 74  7F6B&launchCount
3D 39 45 33 39 36 36 33 43                       =9E39663C

-- RegQuinton - 08 Feb 2008

Ya, that's along the lines of what was generated by the samples we have.

POST /tba/p HTTP/1.1
Content-Length: 287
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Accept-Encoding: gzip
Host: ads.netbios-local.com

guid=2923061DD15FD98B87C98C1F7FAA8FC3334E&version=864422066D23&clientid=696CC6827AEF73884430&time=AE5E7EDBAE37FE&idle=92508B&locale=F94122913C22&session=B10B&activeWindows=E17B02&ticksBoot=AB363FD744643AEE&ticksAlive=336CA640929153&installTime=0F0C2795F982B0A0D8627B62&launchCount=9E3962

HTTP/1.1 200 OK
Server: Resin/3.0.18
Content-Language: en-CA
Content-Encoding: gzip
Content-Type: text/xml
Connection: close
Transfer-Encoding: chunked
Date: Thu, 31 Jan 2008 14:48:32 GM

Not much other documentation about the strain yet. Very little detection so far...

-- MattJonkman - 08 Feb 2008
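Added example (editor's code, not part of the original page and not Emerging Threats' or Snort's own code): a small Python matcher that replays the content checks of sid 2007774 against the check-in POST from the capture above. The request is reconstructed from the posted hex dump, with the header packet and the body packet concatenated the way a stream-reassembling sensor would see them. The matcher implements only the keywords these revisions use (content with nocase, depth and distance, uricontent, and the http_method / http_uri / http_client_body buffers), and is a teaching model, not Snort's engine. It shows that the rev 8/9 checks and the rev 1/2 distances match the sample, while the rev 3 "distance:50" between "guid=" and "&version=" cannot be satisfied by the 36-byte guid value, because in Snort distance is a minimum gap measured from the end of the previous match.

```python
"""Replay the content checks of sid 2007774 against the check-in POST posted above."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: the request from the hex dump in the comment above, with the
# header packet and the body packet concatenated the way a reassembled stream
# would present them to the sensor.
SAMPLE_REQUEST = (
    b"POST /tba/p HTTP/1.1\r\n"
    b"Content-Length: 297\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"Accept-Encoding: gzip\r\n"
    b"Host: ads.netbios-local.com\r\n"
    b"\r\n"
    b"guid=29230515865FD8D887CC881874AA8FC3334E&version=864422066D23"
    b"&clientid=696CB5F7069E05FE3C4D&time=AE5E7ED3AE36FE&idle=92508F"
    b"&locale=F94122913C22&session=B10BF4830DF3&activeWindows=E17B02"
    b"&ticksBoot=AB363BDF49663FE9&ticksAlive=336CA74B999B59"
    b"&installTime=0F0C2795F983B0A2D6627F6B&launchCount=9E39663C"
)

# The body field names every revision of the rule looks for, in rule order.
BODY_KEYS = [b"guid=", b"&version=", b"&clientid=", b"&time=", b"&idle=", b"&ticksBoot="]


def split_request(raw: bytes) -> Dict[str, bytes]:
    """Split a raw request into the buffers the rule keywords select."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ", 2) + [b"", b""]  # pad short request lines
    return {"raw": raw, "method": parts[0], "uri": parts[1], "body": body}


def body_fields(req: Dict[str, bytes]) -> Dict[bytes, bytes]:
    """Decode the form body into name -> value so field lengths can be inspected."""
    return {k: v for k, _, v in (p.partition(b"=") for p in req["body"].split(b"&"))}


@dataclass
class Content:
    pattern: bytes
    buffer: str = "raw"              # raw packet, method, uri or body buffer
    nocase: bool = False
    depth: Optional[int] = None      # only search the first N bytes (no offset used here)
    distance: Optional[int] = None   # start at least N bytes past the previous match


def rule_matches(contents: List[Content], req: Dict[str, bytes]) -> bool:
    """Evaluate the content keywords in order. A keyword without distance is an
    absolute search from the start of its buffer; with distance it is relative
    to the end of the previous match in that buffer, as in Snort."""
    last_end: Dict[str, int] = {}
    for c in contents:
        buf, pat = req[c.buffer], c.pattern
        if c.nocase:
            buf, pat = buf.lower(), pat.lower()   # ASCII lower keeps offsets intact
        start = last_end.get(c.buffer, 0) + c.distance if c.distance is not None else 0
        end = len(buf) if c.depth is None else min(len(buf), start + c.depth)
        idx = buf.find(pat, start, end)
        if idx < 0:
            return False
        last_end[c.buffer] = idx + len(pat)
    return True


def rev8_contents() -> List[Content]:
    """rev 8/9: normalized http_method, http_uri and http_client_body, no distance."""
    return [Content(b"POST", "method", nocase=True), Content(b"/tba/", "uri", nocase=True)] + [
        Content(k, "body") for k in BODY_KEYS
    ]


def legacy_contents(distances: List[int]) -> List[Content]:
    """rev 1-3 style: 'POST ' in the first 5 raw bytes, uricontent '/tba/', then
    '|0d 0a|guid=' and each later key at least distances[i] bytes past the previous match."""
    conts = [Content(b"POST ", depth=5), Content(b"/tba/", "uri", nocase=True), Content(b"\r\nguid=")]
    conts += [Content(k, distance=d) for k, d in zip(BODY_KEYS[1:], distances)]
    return conts


REV2_DISTANCES = [10, 5, 5, 5, 5]    # rev 1 and rev 2
REV3_DISTANCES = [50] * 5            # rev 3


if __name__ == "__main__":
    req = split_request(SAMPLE_REQUEST)
    print("body bytes:", len(req["body"]), "guid length:", len(body_fields(req)[b"guid"]))
    print("rev 8/9 match:", rule_matches(rev8_contents(), req))
    print("rev 2 match:  ", rule_matches(legacy_contents(REV2_DISTANCES), req))
    print("rev 3 match:  ", rule_matches(legacy_contents(REV3_DISTANCES), req))
```

The body length check (297 bytes, equal to the Content-Length in the capture) is a cheap way to confirm the reconstruction is faithful before trusting any match result. When tuning distance or within on a field whose value length is not fixed, read the lengths off real samples with body_fields first; a distance larger than the shortest observed value silently turns a positive into a miss.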


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lop.gfr HTTP Update/Checkin"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/tba/"; nocase; content:"|0d 0a|guid="; content:"&version="; distance:10; content:"&clientid="; distance:5; content:"&time="; distance:5; content:"&idle="; distance:5; content:"&ticksBoot="; distance:5; classtype:trojan-activity; sid:2007774; rev:2;)

Added 2008-01-31 10:12:23 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Lop.gfr HTTP Update/Checkin"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/tba/"; nocase; content:"|0d 0a|guid="; content:"&version="; distance:10; content:"&clientid="; distance:5; content:"&time="; distance:5; content:"&idle="; distance:5; content:"&ticksBoot="; distance:5; classtype:trojan-activity; sid:2007774; rev:1;)

Added 2008-01-23 09:49:26 UTC


Topic revision: r3 - 2008-02-08 - MattJonkman