alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TROJ_INJECT.NI Update Request"; flow:established,to_server; dsize:7; content:"F222222"; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_INJECT.NI&VSect=T; reference:url,doc.emergingthreats.net/2009077; classtype:trojan-activity; sid:2009077; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:02:13 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TROJ_INJECT.NI Update Request"; flow:established,to_server; dsize:7; content:"F222222"; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_INJECT.NI&VSect=T; reference:url,doc.emergingthreats.net/2009077; classtype:trojan-activity; sid:2009077; rev:3;)

Added 2011-10-12 19:26:34 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TROJ_INJECT.NI Update Request"; flow:established,to_server; dsize:7; content:"F222222"; classtype:trojan-activity; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_INJECT.NI&VSect=T; reference:url,doc.emergingthreats.net/2009077; sid:2009077; rev:3;)

Added 2011-09-14 22:39:57 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TROJ_INJECT.NI Update Request"; flow:established,to_server; dsize:7; content:"F222222"; classtype:trojan-activity; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_INJECT.NI&VSect=T; reference:url,doc.emergingthreats.net/2009077; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Infect; sid:2009077; rev:3;)

Added 2011-02-04 17:28:20 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TROJ_INJECT.NI Update Request"; flow:established,to_server; dsize:7; content:"F222222"; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_INJECT.NI&VSect=T; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009077; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Infect; sid:2009077; rev:3;)

Added 2009-02-17 01:00:25 UTC


alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 80 (msg:"ET TROJAN TROJ_INJECT.NI Update Request"; flow:established,to_server; dsize:7; content:"F222222"; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_INJECT.NI&VSect=T; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009077; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Infect; sid:2009077; rev:2;)

Added 2009-02-13 19:15:24 UTC


alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 80 (msg:"ET TROJAN TROJ_INJECT.NI Update Request"; flow:established,to_server; dsize:7; content:"F222222"; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_INJECT.NI&VSect=T; classtype:trojan-activity; sid:2009077; rev:1;)

Added 2009-02-04 16:00:25 UTC

This signature is intended to detect update requests from the malware tied to the Federal Reserve banking phish themes. The malware implements a credential stealer for at least POP3/IMAP/FTP/web forms. Sandbox report:

http://www.threatexpert.com/report.aspx?md5=012048455cb3abc22e99ba0142931ea1

Another writeup:

http://realsecurity.wordpress.com/2008/08/28/analysis-of-a-dll-injector-trojanwin32injectdnz/

AV reference:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_INJECT.NI&VSect=T

A number of domains are registered in connection with this threat; see for example http://www.bfk.de/bfk_dnslogger.html?query=61.235.117.72#result.

The payload of interest is a string sent to the server as in this packet:

12:21:48.549130 IP 192.168.245.128.1045 > 209.160.73.106.80: P 3:10(7)
ack 1 win 17520
       0x0000:  4500 002f 0030 4000 8006 2965 c0a8 f580  E../.0@...)e....
       0x0010:  d1a0 496a 0415 0050 c424 8a2d 7ee3 2187  ..Ij...P.$.-~.!.
       0x0020:  5018 4470 ca68 0000 4632 3232 3232 32    P.Dp.h..F222222

-- DarrenSpruell - 05 Feb 2009
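Added illustration (not part of the original topic and not Snort, Suricata or Emerging Threats code): a small Python re-implementation of the match conditions of sid:2009077 in its rev:3 form, run over the packet quoted above. It reassembles the tcpdump hex into raw bytes, decodes the IPv4/TCP headers, and then checks each condition separately so you can see which one a variant fails. The values of $HOME_NET, $HTTP_PORTS, the treatment of $EXTERNAL_NET as !$HOME_NET, and the single-packet approximation of flow:established,to_server (ACK set, SYN clear) are assumptions made for this example; a real engine resolves the variables from its configuration and uses its stream tracker for the flow keyword.

```python
"""Re-implementation of the match logic of sid:2009077
(flow:established,to_server; dsize:7; content:"F222222") for illustration.
Added example; not rule-engine code and not shipped by Emerging Threats."""
import ipaddress
import struct

# Assumed values for the rule variables; the page does not define them.
HOME_NET = ipaddress.ip_network("192.168.0.0/16")
HTTP_PORTS = {80, 8080}

RULE_DSIZE = 7
RULE_CONTENT = b"F222222"

# tcpdump -x hex of the packet shown in the topic above.
TCPDUMP_HEX = """
0x0000:  4500 002f 0030 4000 8006 2965 c0a8 f580
0x0010:  d1a0 496a 0415 0050 c424 8a2d 7ee3 2187
0x0020:  5018 4470 ca68 0000 4632 3232 3232 32
"""


def hexdump_to_bytes(dump):
    """Convert '0xNNNN:  4500 002f ...' lines into the raw packet bytes."""
    raw = bytearray()
    for line in dump.strip().splitlines():
        _, _, words = line.partition(":")
        raw += bytes.fromhex(words.replace(" ", ""))
    return bytes(raw)


def parse_ipv4_tcp(pkt):
    """Decode the IPv4/TCP fields the rule header and flow keyword need."""
    ver_ihl, proto = pkt[0], pkt[9]
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    ihl = (ver_ihl & 0x0F) * 4
    tcp = pkt[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {
        "src": ipaddress.ip_address(pkt[12:16]),
        "dst": ipaddress.ip_address(pkt[16:20]),
        "sport": sport,
        "dport": dport,
        "flags": tcp[13],
        "payload": tcp[data_off:],
    }


def build_ipv4_tcp(src, dst, sport, dport, payload, flags=0x18):
    """Build a bare IPv4/TCP packet (checksums left zero) to test variants."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                      17520, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000,
                     128, 6, 0, ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return ip + tcp


def evaluate_sid_2009077(fields):
    """Return each rule condition with its verdict for one decoded packet."""
    ack, syn = fields["flags"] & 0x10, fields["flags"] & 0x02
    return {
        # $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS, with $EXTERNAL_NET = !$HOME_NET
        "header": fields["src"] in HOME_NET and fields["dst"] not in HOME_NET
                  and fields["dport"] in HTTP_PORTS,
        # flow:established,to_server approximated on one packet: ACK set, SYN
        # clear; direction is already enforced by the header check.
        "flow": bool(ack) and not syn,
        # dsize:7 is an exact payload length, not a minimum.
        "dsize": len(fields["payload"]) == RULE_DSIZE,
        "content": RULE_CONTENT in fields["payload"],
    }


def rule_matches(pkt):
    """True when every condition of the rule holds for the raw packet."""
    return all(evaluate_sid_2009077(parse_ipv4_tcp(pkt)).values())


if __name__ == "__main__":
    original = hexdump_to_bytes(TCPDUMP_HEX)
    print(parse_ipv4_tcp(original), rule_matches(original))
    # Same beacon with one trailing byte: content still present, dsize fails.
    padded = build_ipv4_tcp("192.168.245.128", "209.160.73.106", 1045, 80,
                            b"F222222\n")
    print(evaluate_sid_2009077(parse_ipv4_tcp(padded)))
```

The padded variant is the caveat worth keeping in mind: because dsize:7 is an exact length, a single extra byte in the beacon leaves the content match true but the rule silent. Note also that rev:1 and rev:2 of the rule used the header `$HOME_NET 1024: -> $EXTERNAL_NET 80`, so under those revisions the same packet would additionally have required a source port of 1024 or above and a destination port of exactly 80; the example implements the broader rev:3 header.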


Topic revision: r2 - 2009-02-05 - DarrenSpruell
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats