r1 - 17 Oct 2008 - 21:21:34 - MattJonkmanYou are here: TWiki > 
Main Web > MalwareDocs > BackdoorWin32Assasin
Main Web > MalwareDocs > BackdoorWin32AssasinBackdoor.Win32.Assasin.20.C
Associated with sigs 2008675 , 2008676 , and 2008677 Re sample c6f326609487aaae451366728ec5cdd9 Interesting CnC?. Opens several connections on ports between 90-100. The easiest to sig was on port 01 and looks like a report/keepalive connection like so:110000351^*192.168.XX.XX^\Share^2^HOME-XXXXXXXXX\bob^0^oz7x~?a 10000002^*16 10000000^* 10000002^*16 10000000^* 10000002^*16 10000000^* 10000002^*16 10000000^* 10000002^*16 10000000^* 10000002^*16 10000000^* 10000002^*16 10000000^* 10000002^*16 10000000^* 10000002^*16 10000000^* 10000002^*16See, easy to sig. Those sigs ought to catch it. Will watch for variants using other port ranges. Matt -- MattJonkman - 17 Oct 2008
Main Web
Create New Topic
Index
Search
Changes
Preferences- User Reference
- ATasteOfTWiki
- TextFormattingRules
- Signature Reference
- WebRss Feed
- EmergingFAQ
 |
|
Copyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding TWiki? Send feedback