This backdoor/trojan uses an encrypted/obfuscated command and control connection on port 80. Does an intial checkin where the client sends just the binary string |00 02 5e 3b 5a 86 b9 05| and more, 18 bytes total. The server makes no reply, just ack's the conn and closes.
The client then a few moments later makes a second connection, first packet starts out |00 03 b9 70 cb 70|..., 26 bytes total. The server then sends back two packets, first starts out |00 04 0f 9a|, 34 bytes. The second is |00 01 e4 8a 1a| ..., 10 bytes total. Sometimes the client then begins a download of apparent executables, sometimes it replies with |00 07 e4|... 58 byte packet.
Rules 2007588-2007591 detect this using a set of flowbits on the second connection. This should be reliable and low load, well anchored.
- 31 Aug 2007