EmergingThreats> Main Web>2003460 (2007-03-02, MattJonkman) EditAttach

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"BLEEDING-EDGE CURRENT EVENTS Unknown Bot Outbound C&C Packet"; flow:established,to_server; content:"|3f 33 7a f8 b5 df 0e 28 cb 58 5d b5 0d c3 ef ce 1f 72 4a 60 d3 6f 92 7b 42 8f|"; offset:0; classtype:unknown; reference:url,doc.bleedingthreats.net/2003460; sid:2003460; rev:2;)

Auto-added on 2007-03-02 16:30:46 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"BLEEDING-EDGE CURRENT EVENTS Unknown Bot Outbound C&C Packet"; flow:established,to_server; content:"|3f 33 7a f8 b5 df 0e 28 cb 58 5d b5 0d c3 ef ce 1f 72 4a 60 d3 6f 92 7b 42 8f|"; offset:0; classtype:unknown; reference:url,doc.bleedingthreats.net/2003460; sid:2003460; rev:2;)

Auto-added on 2007-03-01 14:30:59 UTC

Changed dsize to an offset. Seeing larger packets.

-- MattJonkman - 01 Mar 2007

Found an unusual packet from the C&C to the bot. 96 bytes: 

 0000   00 0c 29 13 0a 7b 00 0e 0c 33 1c 34 08 00 45 00  ..)..{...3.4..E.
 0010   00 88 37 bc 40 00 71 06 42 36 c1 5a 8b d2 0a 37  ..7.@.q.B6.Z...7
 0020   38 1a 0d 84 04 04 38 44 6f ea d7 e6 9b bd 50 18  8.....8Do.....P.
 0030   fc 9f 96 e9 00 00 ce 01 36 f6 88 7b 94 0d c5 f9  ........6..{....
 0040   10 bf a4 e5 05 de fd ba cd 4f b9 91 db 10 5e 6f  .........O....^o
 0050   81 93 12 b3 59 d0 60 f3 c7 47 da b8 c2 1e 96 40  ....Y.`..G.....@
 0060   d0 bf 9a 90 19 b0 ce 01 36 f6 88 7b 94 0d c5 f9  ........6..{....
 0070   10 bf a4 e5 05 de fd ba cd 4f b9 91 db 10 5e 6f  .........O....^o
 0080   81 93 12 b3 59 d0 60 f3 c7 47 da b8 c2 1e 96 40  ....Y.`..G.....@
 0090   d0 bf 9a 90 19 b0                                ......

-- MattJonkman - 01 Mar 2007

Another different outbound packet: 

 0000   00 0e 0c 33 1c 34 00 0c 29 13 0a 7b 08 00 45 00  ...3.4..)..{..E.
 0010   00 58 06 e5 40 00 80 06 64 3d 0a 37 38 1a c1 5a  .X..@...d=.78..Z
 0020   8b d2 04 04 0d 84 d7 e6 9b ed 38 44 70 4a 50 18  ..........8DpJP.
 0030   f6 10 17 01 00 00 d5 e7 b8 b7 f8 f9 9d 65 45 87  .............eE.
 0040   b9 73 c7 3e a8 b2 1f 72 4a 60 d3 6f 92 7b 42 8f  .s.>...rJ`.o.{B.
 0050   08 80 ae 17 bd 42 12 85 0c 10 38 91 ff 99 0c 59  .....B....8....Y
 0060   64 5f 6a 72 99 23                                d_jr.#

-- MattJonkman - 01 Mar 2007

C&C at letsgetready.no-ip.biz (Currently 193.90.139.210) is down. Will have to watch where it goes to...

-- MattJonkman - 01 Mar 2007

DNS moved to: letsgetready.no-ip.biz (143.215.15.115)

Dead also. Gatech.edu.ip.

-- MattJonkman - 02 Mar 2007

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"BLEEDING-EDGE CURRENT EVENTS Unknown Bot Outbound C&C Packet"; flow:established,to_server; dsize:48; content:"|3f 33 7a f8 b5 df 0e 28 cb 58 5d b5 0d c3 ef ce 1f 72 4a 60 d3 6f 92 7b 42 8f|"; classtype:unknown; reference:url,doc.bleedingthreats.net/2003460; sid:2003460; rev:1;)

Auto-added on 2007-03-01 05:52:13 UTC

Unknown bot. Seeing outbound C&C looking packets on port 3460 like this: 

  0000   00 0e 0c 33 1c 34 00 0c 29 13 0a 7b 08 00 45 00  ...3.4..)..{..E.
  0010   00 58 00 3d 40 00 80 06 6a e5 0a 37 38 1a c1 5a  .X.=@...j..78..Z
  0020   8b d2 04 04 0d 84 7e 86 e5 be 91 34 9f 64 50 18  ......~....4.dP.
  0030   f6 48 c9 7c 00 00 3f 33 7a f8 b5 df 0e 28 cb 58  .H.|..?3z....(.X
  0040   5d b5 0d c3 ef ce 1f 72 4a 60 d3 6f 92 7b 42 8f  ]......rJ`.o.{B.
  0050   08 80 ae 17 bd 42 f9 ca 5f 25 a6 24 1a 96 76 97  .....B.._%.$..v.
  0060   52 c5 ea 20 c1 ce                                R.. ..

or 

  0000   00 0e 0c 33 1c 34 00 0c 29 13 0a 7b 08 00 45 00  ...3.4..)..{..E.
  0010   00 58 01 ff 40 00 80 06 69 23 0a 37 38 1a c1 5a  .X..@...i#.78..Z
  0020   8b d2 04 04 0d 84 7e 87 05 fe 91 34 bf a4 50 18  ......~....4..P.
  0030   f9 10 8b d8 00 00 3f 33 7a f8 b5 df 0e 28 cb 58  ......?3z....(.X
  0040   5d b5 0d c3 ef ce 1f 72 4a 60 d3 6f 92 7b 42 8f  ]......rJ`.o.{B.
  0050   08 80 ae 17 bd 42 ce e7 19 57 47 76 b8 21 f2 39  .....B...WGv.!.9
  0060   42 45 3d 6e 2f 8f                                BE=n/.
  
  
  And return packets like so:
  
  0000   00 0c 29 13 0a 7b 00 0e 0c 33 1c 34 08 00 45 00  ..)..{...3.4..E.
  0010   00 28 29 fb 40 00 71 06 50 57 c1 5a 8b d2 0a 37  .().@.q.PW.Z...7
  0020   38 1a 0d 84 04 04 91 34 9f 64 7e 86 e5 ee 50 10  8......4.d~...P.
  0030   fd 8f 7c 30 00 00 00 00 00 00 00 00              ..|0........

More as we get it... Please report hits

-- MattJonkman - 01 Mar 2007

After running for some time, the only variations in packets are in outbound from the bot to the controller. Here are 3 separate payloads. 

                           3f 33 7a f8 b5 df 0e 28 cb 58  .0.8..?3z....(.X
  0040   5d b5 0d c3 ef ce 1f 72 4a 60 d3 6f 92 7b 42 8f  ]......rJ`.o.{B.
  0050   08 80 ae 17 bd 42 ce e7 19 57 47 76 b8 21 f2 39  .....B...WGv.!.9
  0060   42 45 3d 6e 2f 8f                                BE=n/.
  
                           3f 33 7a f8 b5 df 0e 28 cb 58  .H.|..?3z....(.X
  0040   5d b5 0d c3 ef ce 1f 72 4a 60 d3 6f 92 7b 42 8f  ]......rJ`.o.{B.
  0050   08 80 ae 17 bd 42 f9 ca 5f 25 a6 24 1a 96 76 97  .....B.._%.$..v.
  0060   52 c5 ea 20 c1 ce                                R.. ..
  
                           3f 33 7a f8 b5 df 0e 28 cb 58  .p.y..?3z....(.X
  0040   5d b5 0d c3 ef ce 1f 72 4a 60 d3 6f 92 7b 42 8f  ]......rJ`.o.{B.
  0050   08 80 ae 17 bd 42 12 85 0c 10 38 91 ff 99 0c 59  .....B....8....Y
  0060   64 5f 6a 72 99 23                                d_jr.#

The last 16 bytes are all that change. The signature will continue to catch these.

-- MattJonkman - 01 Mar 2007

Edit | Attach | Print version | History: r4 < r3 < r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r4 - 2007-03-02 - MattJonkman
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats