++Trojan.Dropper-497

Interesting dropper. It uses an HTTP-like channel to check in and post stats about the system. A check-in starts with the client connecting to the controller, in this case on port 8181. It pushes |30 30 30 0d 0a|. Then:

0000   00 00 00 83 3c 47 52 3e 41 d7 e9 3c 2f 47 52 3e  ....<GR>A..</GR>
0010   3c 49 4d 3e 32 35 3c 2f 49 4d 3e 3c 4e 41 3e 42  <IM>25</IM><NA>B
0020   4f 42 31 30 3c 2f 4e 41 3e 3c 43 53 3e c4 da cd  OB10</NA><CS>...
0030   f8 3c 2f 43 53 3e 3c 4f 53 3e 57 69 6e 58 50 3c  .</CS><OS>WinXP<
0040   2f 4f 53 3e 3c 43 50 55 3e 31 35 39 36 20 4d 48  /OS><CPU>1596 MH
0050   7a 3c 2f 43 50 55 3e 3c 4d 45 4d 3e 32 31 31 4d  z</CPU><MEM>211M
0060   42 3c 2f 4d 45 4d 3e 3c 53 50 3e ce de ca d3 c6  B</MEM><SP>.....
0070   b5 3c 2f 53 50 3e 3c 42 5a 3e b1 b8 d7 a2 c4 da  .</SP><BZ>......
0080   c8 dd 3c 2f 42 5a 3e                             ..</BZ>

Interesting HTML-like tags used. The controller responds with |31 39 0d 0a|, then in a separate packet pushes back:

0000   59 55 4d 41 54 4f 0d 0a 31 32 33 34 0d 0a 30 30  YUMATO..1234..00
0010   30 0d 0a                                         0..

And then another packet from the server, a |32 31 0d 0a|.

And again from the server:

0000   59 55 4d 41 54 4f 0d 0a 31 32 33 34 0d 0a 30 37  YUMATO..1234..07
0010   30 0d 0a 0d 0a                                   0....

Then from the server |32 32 0d 0a|.

And on and on. Seems to be a keepalive kind of status exchange after this.

Sigs 2007917, 2007918, 2007919 and 2007920 should catch this on any high port.
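As an added example (not part of the original post), here is a small parser for the check-in packet dumped above: it validates the 4-byte big-endian length prefix, splits the <TAG>value</TAG> fields, and offers a predicate for flagging the beacon in captured sessions. Decoding the double-byte CS/SP/BZ values as CP936 is an assumption; the page does not state the code page.

```python
import re
import struct

# Check-in packet rebuilt from the hex dump above (constructed from the page's
# capture, byte for byte): 4-byte big-endian body length, then <TAG>value</TAG> fields.
CHECKIN = bytes.fromhex(
    "00000083"
    "3c47523e41d7e93c2f47523e"                  # <GR>A..</GR>
    "3c494d3e32353c2f494d3e"                    # <IM>25</IM>
    "3c4e413e424f4231303c2f4e413e"              # <NA>BOB10</NA>
    "3c43533ec4dacdf83c2f43533e"                # <CS>..</CS>
    "3c4f533e57696e58503c2f4f533e"              # <OS>WinXP</OS>
    "3c4350553e31353936204d487a3c2f4350553e"    # <CPU>1596 MHz</CPU>
    "3c4d454d3e3231314d423c2f4d454d3e"          # <MEM>211MB</MEM>
    "3c53503ecedecad3c6b53c2f53503e"            # <SP>......</SP>
    "3c425a3eb1b8d7a2c4dac8dd3c2f425a3e"        # <BZ>........</BZ>
)

TAG_RE = re.compile(rb"<([A-Z]+)>(.*?)</\1>", re.DOTALL)

def decode_value(raw: bytes) -> str:
    """ASCII where it fits; otherwise assume CP936 (GBK) for the double-byte
    CS/SP/BZ values (an assumption, not stated on the page); else keep hex."""
    for enc in ("ascii", "cp936"):
        try:
            return raw.decode(enc)
        except UnicodeDecodeError:
            pass
    return raw.hex()

def parse_checkin(packet: bytes) -> dict:
    """Validate the length prefix and split the body into tag -> value."""
    if len(packet) < 4:
        raise ValueError("too short for a length prefix")
    (declared,) = struct.unpack(">I", packet[:4])
    body = packet[4:]
    if declared != len(body):
        raise ValueError(f"length prefix {declared} != body length {len(body)}")
    return {tag.decode("ascii"): decode_value(val) for tag, val in TAG_RE.findall(body)}

def looks_like_checkin(packet: bytes) -> bool:
    """Detection-style predicate: consistent length prefix plus the field set
    seen in this capture (useful for triage of unknown high-port sessions)."""
    try:
        fields = parse_checkin(packet)
    except ValueError:
        return False
    return {"GR", "IM", "NA", "OS", "CPU", "MEM"} <= set(fields)
```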

Re sample 4ee001f20beaeb1bf7bb3335491843c6

-- MattJonkman - 05 Mar 2008

Topic revision: r2 - 2008-07-11 - MattJonkman