# sid:2009221 rev:1 — "ET TROJAN Win32.BHO.lng Checkin".
# Detection logic: four short URI fragments in an outbound HTTP request, "imp?Z=", "&s=",
# "&_salt=" and "&B=10&u=http". In Snort, nocase applies only to the uricontent that
# immediately precedes it, so "imp?Z=" is matched case-sensitively and the other three
# case-insensitively; "&s=" with nocase is a three-byte match that also hits "&S=".
# Specificity caveat: the capture attached below (GET /imp?Z=300x250&cb=...&S=...&_salt=...
# &B=10&u=http%3A%2F%2Fus.adserver.yahoo.com..., Host: ad.yieldmanager.com, Referer
# http://ad.yieldmanager.com/st?ad_type=iframe...) satisfies every one of these fragments and
# is an ordinary ad-impression request, which is consistent with the false positives reported
# on this page. Before relying on this rule for alerting, confirm an alert against the full
# request (Host, Referer, User-Agent) rather than the URI fragments alone, and consider a
# revision that anchors on something not present in the legitimate ad-server request.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.BHO.lng Checkin"; flow:established,to_server; uricontent:"imp?Z="; uricontent:"&s="; nocase; uricontent:"&_salt="; nocase; uricontent:"&B=10&u=http"; nocase; classtype:trojan-activity; sid:2009221; rev:1;)

Added 2009-04-08 16:08:43 UTC

08:05:46.382732 IP 172.17.11.81.3194 > 76.13.216.11.80: . 2827439073:2827440333(1260) ack 3799660403 win 65535
        0x0000:  4500 0514 1272 4000 8006 07f7 ac11 0b51  E....r@........Q
        0x0010:  4c0d d80b 0c7a 0050 a887 4be1 e27a 3773  L....z.P..K..z7s
        0x0020:  5010 ffff 02c1 0000 4745 5420 2f69 6d70  P.......GET./imp
        0x0030:  3f5a 3d33 3030 7832 3530 2663 623d 3132  ?Z=300x250&cb=12
        0x0040:  3339 3238 3233 3436 3334 3233 3638 2678  39282346342368&x
        0x0050:  3d68 7474 7025 3341 2532 4625 3246 7573  =http%3A%2F%2Fus
        0x0060:  2532 4561 7264 2532 4579 6168 6f6f 2532  %2Eard%2Eyahoo%2
        0x0070:  4563 6f6d 2532 4653 4947 2533 4431 3570  Ecom%2FSIG%3D15p
        0x0080:  3937 3935 3973 2532 464d 2533 4437 3135  97959s%2FM%3D715
        0x0090:  3438 3125 3245 3133 3137 3532 3339 2532  481%2E13175239%2
        0x00a0:  4531 3333 3435 3833 3525 3245 3132 3636  E13345835%2E1266
        0x00b0:  3530 3434 2532 4644 2533 446e 6577 7325  5044%2FD%3Dnews%
        0x00c0:  3246 5325 3344 3831 3132 3134 3532 2533  2FS%3D81121452%3
        0x00d0:  414c 5245 4332 2532 4659 2533 4459 4148  ALREC2%2FY%3DYAH
        0x00e0:  4f4f 2532 4645 5850 2533 4431 3233 3932  OO%2FEXP%3D12392
        0x00f0:  3839 3534 3625 3246 4c25 3344 6c31 476a  89546%2FL%3Dl1Gj
        0x0100:  6845 534f 7852 4653 4d78 4e42 534a 4335  hESOxRFSMxNBSJC5
        0x0110:  5332 6452 4447 396e 7845 6e64 3871 6f41  S2dRDG9nxEnd8qoA
        0x0120:  4252 704e 2532 4642 2533 4457 6756 3241  BRpN%2FB%3DWgV2A
        0x0130:  4e6a 3859 6d73 2532 4425 3246 4a25 3344  Nj8Yms%2D%2FJ%3D
        0x0140:  3132 3339 3238 3233 3436 3334 3233 3638  1239282346342368
        0x0150:  2532 464b 2533 4450 3730 6a63 5376 5033  %2FK%3DP70jcSvP3
        0x0160:  4649 646f 6a50 4955 6961 4e53 4125 3246  FIdojPIUiaNSA%2F
        0x0170:  4125 3344 3535 3536 3033 3825 3246 5225  A%3D5556038%2FR%
        0x0180:  3344 3025 3246 2532 4124 2653 3d31 3331  3D0%2F%2A$&S=131
        0x0190:  3735 3233 3926 693d 3134 3034 3737 2679  75239&i=140477&y
        0x01a0:  6367 3d30 2679 796f 623d 3230 3039 267a  cg=0&yyob=2009&z
        0x01b0:  6970 3d36 3632 3036 265f 7361 6c74 3d31  ip=66206&_salt=1
        0x01c0:  3639 3336 3536 3834 3526 423d 3130 2675  693656845&B=10&u
        0x01d0:  3d68 7474 7025 3341 2532 4625 3246 7573  =http%3A%2F%2Fus
        0x01e0:  2e61 6473 6572 7665 722e 7961 686f 6f2e  .adserver.yahoo.
        0x01f0:  636f 6d25 3246 6125 3346 6625 3344 3831  com%2Fa%3Ff%3D81
        0x0200:  3132 3134 3532 2532 3670 2533 446e 6577  121452%26p%3Dnew
        0x0210:  7325 3236 6c25 3344 4c52 4543 3225 3236  s%26l%3DLREC2%26
        0x0220:  6325 3344 6825 3236 6174 2533 4463 6f6e  c%3Dh%26at%3Dcon
        0x0230:  7465 6e74 2532 3533 4425 3235 3232 6e6f  tent%253D%2522no
        0x0240:  5f65 7870 616e 6461 626c 6525 3235 3232  _expandable%2522
        0x0250:  2672 3d30 2048 5454 502f 312e 310d 0a41  &r=0.HTTP/1.1..A
        0x0260:  6363 6570 743a 202a 2f2a 0d0a 5265 6665  ccept:.*/*..Refe
        0x0270:  7265 723a 2068 7474 703a 2f2f 6164 2e79  rer:.http://ad.y
        0x0280:  6965 6c64 6d61 6e61 6765 722e 636f 6d2f  ieldmanager.com/
        0x0290:  7374 3f61 645f 7479 7065 3d69 6672 616d  st?ad_type=ifram
        0x02a0:  6526 6164 5f73 697a 653d 3330 3078 3235  e&ad_size=300x25
        0x02b0:  3026 7369 7465 3d31 3430 3437 3726 7365  0&site=140477&se
        0x02c0:  6374 696f 6e5f 636f 6465 3d31 3331 3735  ction_code=13175
        0x02d0:  3233 3926 6362 3d31 3233 3932 3832 3334  239&cb=123928234
        0x02e0:  3633 3432 3336 3826 7a69 703d 3636 3230  6342368&zip=6620
        0x02f0:  3626 7963 673d 3026 7979 6f62 3d32 3030  6&ycg=0&yyob=200
        0x0300:  3926 7075 625f 7265 6469 7265 6374 5f75  9&pub_redirect_u
        0x0310:  6e65 6e63 6f64 6564 3d31 2670 7562 5f72  nencoded=1&pub_r
        0x0320:  6564 6972 6563 743d 6874 7470 3a2f 2f75  edirect=http://u
        0x0330:  732e 6172 642e 7961 686f 6f2e 636f 6d2f  s.ard.yahoo.com/
        0x0340:  5349 473d 3135 7039 3739 3539 732f 4d3d  SIG=15p97959s/M=
        0x0350:  3731 3534 3831 2e31 3331 3735 3233 392e  715481.13175239.
        0x0360:  3133 3334 3538 3335 2e31 3236 3635 3034  13345835.1266504
        0x0370:  342f 443d 6e65 7773 2f53 3d38 3131 3231  4/D=news/S=81121
        0x0380:  3435 323a 4c52 4543 322f 593d 5941 484f  452:LREC2/Y=YAHO
        0x0390:  4f2f 4558 503d 3132 3339 3238 3935 3436  O/EXP=1239289546
        0x03a0:  2f4c 3d6c 3147 6a68 4553 4f78 5246 534d  /L=l1GjhESOxRFSM
        0x03b0:  784e 4253 4a43 3553 3264 5244 4739 6e78  xNBSJC5S2dRDG9nx
        0x03c0:  456e 6438 716f 4142 5270 4e2f 423d 5767  End8qoABRpN/B=Wg
        0x03d0:  5632 414e 6a38 596d 732d 2f4a 3d31 3233  V2ANj8Yms-/J=123
        0x03e0:  3932 3832 3334 3633 3432 3336 382f 4b3d  9282346342368/K=
        0x03f0:  5037 306a 6353 7650 3346 4964 6f6a 5049  P70jcSvP3FIdojPI
        0x0400:  5569 614e 5341 2f41 3d35 3535 3630 3338  UiaNSA/A=5556038
        0x0410:  2f52 3d30 2f2a 0d0a 4163 6365 7074 2d4c  /R=0/*..Accept-L
        0x0420:  616e 6775 6167 653a 2065 6e2d 7573 0d0a  anguage:.en-us..
        0x0430:  5541 2d43 5055 3a20 7838 360d 0a41 6363  UA-CPU:.x86..Acc
        0x0440:  6570 742d 456e 636f 6469 6e67 3a20 677a  ept-Encoding:.gz
        0x0450:  6970 2c20 6465 666c 6174 650d 0a55 7365  ip,.deflate..Use
        0x0460:  722d 4167 656e 743a 204d 6f7a 696c 6c61  r-Agent:.Mozilla
        0x0470:  2f34 2e30 2028 636f 6d70 6174 6962 6c65  /4.0.(compatible
        0x0480:  3b20 4d53 4945 2037 2e30 3b20 5769 6e64  ;.MSIE.7.0;.Wind
        0x0490:  6f77 7320 4e54 2035 2e31 3b20 4754 4235  ows.NT.5.1;.GTB5
        0x04a0:  3b20 2e4e 4554 2043 4c52 2031 2e31 2e34  ;..NET.CLR.1.1.4
        0x04b0:  3332 323b 202e 4e45 5420 434c 5220 322e  322;..NET.CLR.2.
        0x04c0:  302e 3530 3732 373b 2049 6e66 6f50 6174  0.50727;.InfoPat
        0x04d0:  682e 313b 202e 4e45 5420 434c 5220 332e  h.1;..NET.CLR.3.
        0x04e0:  302e 3034 3530 362e 3330 3b20 4945 4d42  0.04506.30;.IEMB
        0x04f0:  333b 2049 454d 4233 290d 0a48 6f73 743a  3;.IEMB3)..Host:
        0x0500:  2061 642e 7969 656c 646d 616e 6167 6572  .ad.yieldmanager
        0x0510:  2e63 6f6d                                .com

-- JackPepper - 09 Apr 2009

08:05:46.382732 IP 172.17.11.81.3194 > 76.13.216.11.80: . 2827439073:2827440333(1260) ack 3799660403 win 65535
        0x0000:  4500 0514 1272 4000 8006 07f7 ac11 0b51  E....r@........Q
        0x0010:  4c0d d80b 0c7a 0050 a887 4be1 e27a 3773  L....z.P..K..z7s
        0x0020:  5010 ffff 02c1 0000 4745 5420 2f69 6d70  P.......GET./imp
        0x0030:  3f5a 3d33 3030 7832 3530 2663 623d 3132  ?Z=300x250&cb=12
        0x0040:  3339 3238 3233 3436 3334 3233 3638 2678  39282346342368&x
        0x0050:  3d68 7474 7025 3341 2532 4625 3246 7573  =http%3A%2F%2Fus
        0x0060:  2532 4561 7264 2532 4579 6168 6f6f 2532  %2Eard%2Eyahoo%2
        0x0070:  4563 6f6d 2532 4653 4947 2533 4431 3570  Ecom%2FSIG%3D15p
        0x0080:  3937 3935 3973 2532 464d 2533 4437 3135  97959s%2FM%3D715
        0x0090:  3438 3125 3245 3133 3137 3532 3339 2532  481%2E13175239%2
        0x00a0:  4531 3333 3435 3833 3525 3245 3132 3636  E13345835%2E1266
        0x00b0:  3530 3434 2532 4644 2533 446e 6577 7325  5044%2FD%3Dnews%
        0x00c0:  3246 5325 3344 3831 3132 3134 3532 2533  2FS%3D81121452%3
        0x00d0:  414c 5245 4332 2532 4659 2533 4459 4148  ALREC2%2FY%3DYAH
        0x00e0:  4f4f 2532 4645 5850 2533 4431 3233 3932  OO%2FEXP%3D12392
        0x00f0:  3839 3534 3625 3246 4c25 3344 6c31 476a  89546%2FL%3Dl1Gj
        0x0100:  6845 534f 7852 4653 4d78 4e42 534a 4335  hESOxRFSMxNBSJC5
        0x0110:  5332 6452 4447 396e 7845 6e64 3871 6f41  S2dRDG9nxEnd8qoA
        0x0120:  4252 704e 2532 4642 2533 4457 6756 3241  BRpN%2FB%3DWgV2A
        0x0130:  4e6a 3859 6d73 2532 4425 3246 4a25 3344  Nj8Yms%2D%2FJ%3D
        0x0140:  3132 3339 3238 3233 3436 3334 3233 3638  1239282346342368
        0x0150:  2532 464b 2533 4450 3730 6a63 5376 5033  %2FK%3DP70jcSvP3
        0x0160:  4649 646f 6a50 4955 6961 4e53 4125 3246  FIdojPIUiaNSA%2F
        0x0170:  4125 3344 3535 3536 3033 3825 3246 5225  A%3D5556038%2FR%
        0x0180:  3344 3025 3246 2532 4124 2653 3d31 3331  3D0%2F%2A$&S=131
        0x0190:  3735 3233 3926 693d 3134 3034 3737 2679  75239&i=140477&y
        0x01a0:  6367 3d30 2679 796f 623d 3230 3039 267a  cg=0&yyob=2009&z
        0x01b0:  6970 3d36 3632 3036 265f 7361 6c74 3d31  ip=66206&_salt=1
        0x01c0:  3639 3336 3536 3834 3526 423d 3130 2675  693656845&B=10&u
        0x01d0:  3d68 7474 7025 3341 2532 4625 3246 7573  =http%3A%2F%2Fus
        0x01e0:  2e61 6473 6572 7665 722e 7961 686f 6f2e  .adserver.yahoo.
        0x01f0:  636f 6d25 3246 6125 3346 6625 3344 3831  com%2Fa%3Ff%3D81
        0x0200:  3132 3134 3532 2532 3670 2533 446e 6577  121452%26p%3Dnew
        0x0210:  7325 3236 6c25 3344 4c52 4543 3225 3236  s%26l%3DLREC2%26
        0x0220:  6325 3344 6825 3236 6174 2533 4463 6f6e  c%3Dh%26at%3Dcon
        0x0230:  7465 6e74 2532 3533 4425 3235 3232 6e6f  tent%253D%2522no
        0x0240:  5f65 7870 616e 6461 626c 6525 3235 3232  _expandable%2522
        0x0250:  2672 3d30 2048 5454 502f 312e 310d 0a41  &r=0.HTTP/1.1..A
        0x0260:  6363 6570 743a 202a 2f2a 0d0a 5265 6665  ccept:.*/*..Refe
        0x0270:  7265 723a 2068 7474 703a 2f2f 6164 2e79  rer:.http://ad.y
        0x0280:  6965 6c64 6d61 6e61 6765 722e 636f 6d2f  ieldmanager.com/
        0x0290:  7374 3f61 645f 7479 7065 3d69 6672 616d  st?ad_type=ifram
        0x02a0:  6526 6164 5f73 697a 653d 3330 3078 3235  e&ad_size=300x25
        0x02b0:  3026 7369 7465 3d31 3430 3437 3726 7365  0&site=140477&se
        0x02c0:  6374 696f 6e5f 636f 6465 3d31 3331 3735  ction_code=13175
        0x02d0:  3233 3926 6362 3d31 3233 3932 3832 3334  239&cb=123928234
        0x02e0:  3633 3432 3336 3826 7a69 703d 3636 3230  6342368&zip=6620
        0x02f0:  3626 7963 673d 3026 7979 6f62 3d32 3030  6&ycg=0&yyob=200
        0x0300:  3926 7075 625f 7265 6469 7265 6374 5f75  9&pub_redirect_u
        0x0310:  6e65 6e63 6f64 6564 3d31 2670 7562 5f72  nencoded=1&pub_r
        0x0320:  6564 6972 6563 743d 6874 7470 3a2f 2f75  edirect=http://u
        0x0330:  732e 6172 642e 7961 686f 6f2e 636f 6d2f  s.ard.yahoo.com/
        0x0340:  5349 473d 3135 7039 3739 3539 732f 4d3d  SIG=15p97959s/M=
        0x0350:  3731 3534 3831 2e31 3331 3735 3233 392e  715481.13175239.
        0x0360:  3133 3334 3538 3335 2e31 3236 3635 3034  13345835.1266504
        0x0370:  342f 443d 6e65 7773 2f53 3d38 3131 3231  4/D=news/S=81121
        0x0380:  3435 323a 4c52 4543 322f 593d 5941 484f  452:LREC2/Y=YAHO
        0x0390:  4f2f 4558 503d 3132 3339 3238 3935 3436  O/EXP=1239289546
        0x03a0:  2f4c 3d6c 3147 6a68 4553 4f78 5246 534d  /L=l1GjhESOxRFSM
        0x03b0:  784e 4253 4a43 3553 3264 5244 4739 6e78  xNBSJC5S2dRDG9nx
        0x03c0:  456e 6438 716f 4142 5270 4e2f 423d 5767  End8qoABRpN/B=Wg
        0x03d0:  5632 414e 6a38 596d 732d 2f4a 3d31 3233  V2ANj8Yms-/J=123
        0x03e0:  3932 3832 3334 3633 3432 3336 382f 4b3d  9282346342368/K=
        0x03f0:  5037 306a 6353 7650 3346 4964 6f6a 5049  P70jcSvP3FIdojPI
        0x0400:  5569 614e 5341 2f41 3d35 3535 3630 3338  UiaNSA/A=5556038
        0x0410:  2f52 3d30 2f2a 0d0a 4163 6365 7074 2d4c  /R=0/*..Accept-L
        0x0420:  616e 6775 6167 653a 2065 6e2d 7573 0d0a  anguage:.en-us..
        0x0430:  5541 2d43 5055 3a20 7838 360d 0a41 6363  UA-CPU:.x86..Acc
        0x0440:  6570 742d 456e 636f 6469 6e67 3a20 677a  ept-Encoding:.gz
        0x0450:  6970 2c20 6465 666c 6174 650d 0a55 7365  ip,.deflate..Use
        0x0460:  722d 4167 656e 743a 204d 6f7a 696c 6c61  r-Agent:.Mozilla
        0x0470:  2f34 2e30 2028 636f 6d70 6174 6962 6c65  /4.0.(compatible
        0x0480:  3b20 4d53 4945 2037 2e30 3b20 5769 6e64  ;.MSIE.7.0;.Wind
        0x0490:  6f77 7320 4e54 2035 2e31 3b20 4754 4235  ows.NT.5.1;.GTB5
        0x04a0:  3b20 2e4e 4554 2043 4c52 2031 2e31 2e34  ;..NET.CLR.1.1.4
        0x04b0:  3332 323b 202e 4e45 5420 434c 5220 322e  322;..NET.CLR.2.
        0x04c0:  302e 3530 3732 373b 2049 6e66 6f50 6174  0.50727;.InfoPat
        0x04d0:  682e 313b 202e 4e45 5420 434c 5220 332e  h.1;..NET.CLR.3.
        0x04e0:  302e 3034 3530 362e 3330 3b20 4945 4d42  0.04506.30;.IEMB
        0x04f0:  333b 2049 454d 4233 290d 0a48 6f73 743a  3;.IEMB3)..Host:
        0x0500:  2061 642e 7969 656c 646d 616e 6167 6572  .ad.yieldmanager
        0x0510:  2e63 6f6d                                .com

-- JackPepper - 09 Apr 2009

This rule is generating a large number of alerts on my network. The hosts involved do not appear to have any BHOs installed; the matching requests just look like ad traffic from sites such as ebaumsworld.com or failblog.org.

-- AllanKlein - 10 Apr 2009


Topic revision: r4 - 2009-04-10 - AllanKlein
 