alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"BLEEDING-EDGE CURRENT EVENTS Unknown Bot Outbound C&C Packet"; flow:established,to_server; content:"|3f 33 7a f8 b5 df 0e 28 cb 58 5d b5 0d c3 ef ce 1f 72 4a 60 d3 6f 92 7b 42 8f|"; offset:0; classtype:unknown; reference:url,doc.bleedingthreats.net/2003460; sid:2003460; rev:2;)
Auto-added on 2007-03-02 16:30:46 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"BLEEDING-EDGE CURRENT EVENTS Unknown Bot Outbound C&C Packet"; flow:established,to_server; content:"|3f 33 7a f8 b5 df 0e 28 cb 58 5d b5 0d c3 ef ce 1f 72 4a 60 d3 6f 92 7b 42 8f|"; offset:0; classtype:unknown; reference:url,doc.bleedingthreats.net/2003460; sid:2003460; rev:2;)
Auto-added on 2007-03-01 14:30:59 UTC
Changed dsize to an offset. Seeing larger packets.
--
MattJonkman - 01 Mar 2007
Found an unusual packet from the C&C to the bot. 96 bytes:
0000 00 0c 29 13 0a 7b 00 0e 0c 33 1c 34 08 00 45 00 ..)..{...3.4..E.
0010 00 88 37 bc 40 00 71 06 42 36 c1 5a 8b d2 0a 37 ..7.@.q.B6.Z...7
0020 38 1a 0d 84 04 04 38 44 6f ea d7 e6 9b bd 50 18 8.....8Do.....P.
0030 fc 9f 96 e9 00 00 ce 01 36 f6 88 7b 94 0d c5 f9 ........6..{....
0040 10 bf a4 e5 05 de fd ba cd 4f b9 91 db 10 5e 6f .........O....^o
0050 81 93 12 b3 59 d0 60 f3 c7 47 da b8 c2 1e 96 40 ....Y.`..G.....@
0060 d0 bf 9a 90 19 b0 ce 01 36 f6 88 7b 94 0d c5 f9 ........6..{....
0070 10 bf a4 e5 05 de fd ba cd 4f b9 91 db 10 5e 6f .........O....^o
0080 81 93 12 b3 59 d0 60 f3 c7 47 da b8 c2 1e 96 40 ....Y.`..G.....@
0090 d0 bf 9a 90 19 b0 ......
--
MattJonkman - 01 Mar 2007
Another different outbound packet:
0000 00 0e 0c 33 1c 34 00 0c 29 13 0a 7b 08 00 45 00 ...3.4..)..{..E.
0010 00 58 06 e5 40 00 80 06 64 3d 0a 37 38 1a c1 5a .X..@...d=.78..Z
0020 8b d2 04 04 0d 84 d7 e6 9b ed 38 44 70 4a 50 18 ..........8DpJP.
0030 f6 10 17 01 00 00 d5 e7 b8 b7 f8 f9 9d 65 45 87 .............eE.
0040 b9 73 c7 3e a8 b2 1f 72 4a 60 d3 6f 92 7b 42 8f .s.>...rJ`.o.{B.
0050 08 80 ae 17 bd 42 12 85 0c 10 38 91 ff 99 0c 59 .....B....8....Y
0060 64 5f 6a 72 99 23 d_jr.#
--
MattJonkman - 01 Mar 2007
C&C at letsgetready.no-ip.biz (Currently 193.90.139.210) is down. Will have to watch where it goes to...
--
MattJonkman - 01 Mar 2007
DNS moved to:
letsgetready.no-ip.biz (143.215.15.115)
Dead also. Gatech.edu.ip.
--
MattJonkman - 02 Mar 2007
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"BLEEDING-EDGE CURRENT EVENTS Unknown Bot Outbound C&C Packet"; flow:established,to_server; dsize:48; content:"|3f 33 7a f8 b5 df 0e 28 cb 58 5d b5 0d c3 ef ce 1f 72 4a 60 d3 6f 92 7b 42 8f|"; classtype:unknown; reference:url,doc.bleedingthreats.net/2003460; sid:2003460; rev:1;)
Auto-added on 2007-03-01 05:52:13 UTC
Unknown bot. Seeing outbound C&C looking packets on port 3460 like this:
0000 00 0e 0c 33 1c 34 00 0c 29 13 0a 7b 08 00 45 00 ...3.4..)..{..E.
0010 00 58 00 3d 40 00 80 06 6a e5 0a 37 38 1a c1 5a .X.=@...j..78..Z
0020 8b d2 04 04 0d 84 7e 86 e5 be 91 34 9f 64 50 18 ......~....4.dP.
0030 f6 48 c9 7c 00 00 3f 33 7a f8 b5 df 0e 28 cb 58 .H.|..?3z....(.X
0040 5d b5 0d c3 ef ce 1f 72 4a 60 d3 6f 92 7b 42 8f ]......rJ`.o.{B.
0050 08 80 ae 17 bd 42 f9 ca 5f 25 a6 24 1a 96 76 97 .....B.._%.$..v.
0060 52 c5 ea 20 c1 ce R.. ..
or
0000 00 0e 0c 33 1c 34 00 0c 29 13 0a 7b 08 00 45 00 ...3.4..)..{..E.
0010 00 58 01 ff 40 00 80 06 69 23 0a 37 38 1a c1 5a .X..@...i#.78..Z
0020 8b d2 04 04 0d 84 7e 87 05 fe 91 34 bf a4 50 18 ......~....4..P.
0030 f9 10 8b d8 00 00 3f 33 7a f8 b5 df 0e 28 cb 58 ......?3z....(.X
0040 5d b5 0d c3 ef ce 1f 72 4a 60 d3 6f 92 7b 42 8f ]......rJ`.o.{B.
0050 08 80 ae 17 bd 42 ce e7 19 57 47 76 b8 21 f2 39 .....B...WGv.!.9
0060 42 45 3d 6e 2f 8f BE=n/.
And return packets like so:
0000 00 0c 29 13 0a 7b 00 0e 0c 33 1c 34 08 00 45 00 ..)..{...3.4..E.
0010 00 28 29 fb 40 00 71 06 50 57 c1 5a 8b d2 0a 37 .().@.q.PW.Z...7
0020 38 1a 0d 84 04 04 91 34 9f 64 7e 86 e5 ee 50 10 8......4.d~...P.
0030 fd 8f 7c 30 00 00 00 00 00 00 00 00 ..|0........
More as we get it... Please report hits.
--
MattJonkman - 01 Mar 2007
After running for some time, the only variations in packets are in outbound from the bot to the controller. Here are 3 separate payloads.
3f 33 7a f8 b5 df 0e 28 cb 58 .0.8..?3z....(.X
0040 5d b5 0d c3 ef ce 1f 72 4a 60 d3 6f 92 7b 42 8f ]......rJ`.o.{B.
0050 08 80 ae 17 bd 42 ce e7 19 57 47 76 b8 21 f2 39 .....B...WGv.!.9
0060 42 45 3d 6e 2f 8f BE=n/.
3f 33 7a f8 b5 df 0e 28 cb 58 .H.|..?3z....(.X
0040 5d b5 0d c3 ef ce 1f 72 4a 60 d3 6f 92 7b 42 8f ]......rJ`.o.{B.
0050 08 80 ae 17 bd 42 f9 ca 5f 25 a6 24 1a 96 76 97 .....B.._%.$..v.
0060 52 c5 ea 20 c1 ce R.. ..
3f 33 7a f8 b5 df 0e 28 cb 58 .p.y..?3z....(.X
0040 5d b5 0d c3 ef ce 1f 72 4a 60 d3 6f 92 7b 42 8f ]......rJ`.o.{B.
0050 08 80 ae 17 bd 42 12 85 0c 10 38 91 ff 99 0c 59 .....B....8....Y
0060 64 5f 6a 72 99 23 d_jr.#
The last 16 bytes are all that change. The signature will continue to catch these.
--
MattJonkman - 01 Mar 2007
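Added here as a worked example, not code from the Bleeding Edge thread or its author: the Python below parses the frames dumped in this thread, strips the Ethernet/IPv4/TCP headers to get the TCP payload, and applies the rule's content match under rev:1 (dsize:48) and rev:2 (dsize dropped, offset:0) semantics, so the effect of the "Changed dsize to an offset" revision and the "last 16 bytes are all that change" observation can be checked against the actual bytes. The hex-dump parser and header stripping are assumptions of this example (Ethernet II over IPv4 over TCP, as the dumps show); any "larger" payload used for testing is constructed by appending bytes to a posted one.

```python
import re
# The 26 constant bytes from the rule's content:"|3f 33 ... 42 8f|" option.
SIGNATURE = bytes.fromhex("3f337af8b5df0e28cb585db50dc3efce1f724a60d36f927b428f")
# Outbound bot -> C&C frame, copied from the first dump in this thread.
OUTBOUND = """
0000 00 0e 0c 33 1c 34 00 0c 29 13 0a 7b 08 00 45 00 ...3.4..)..{..E.
0010 00 58 00 3d 40 00 80 06 6a e5 0a 37 38 1a c1 5a .X.=@...j..78..Z
0020 8b d2 04 04 0d 84 7e 86 e5 be 91 34 9f 64 50 18 ......~....4.dP.
0030 f6 48 c9 7c 00 00 3f 33 7a f8 b5 df 0e 28 cb 58 .H.|..?3z....(.X
0040 5d b5 0d c3 ef ce 1f 72 4a 60 d3 6f 92 7b 42 8f ]......rJ`.o.{B.
0050 08 80 ae 17 bd 42 f9 ca 5f 25 a6 24 1a 96 76 97 .....B.._%.$..v.
0060 52 c5 ea 20 c1 ce R.. ..
"""
# C&C -> bot ACK from this thread: no payload, Ethernet-padded to 60 bytes.
RETURN = """
0000 00 0c 29 13 0a 7b 00 0e 0c 33 1c 34 08 00 45 00 ..)..{...3.4..E.
0010 00 28 29 fb 40 00 71 06 50 57 c1 5a 8b d2 0a 37 .().@.q.PW.Z...7
0020 38 1a 0d 84 04 04 91 34 9f 64 7e 86 e5 ee 50 10 8......4.d~...P.
0030 fd 8f 7c 30 00 00 00 00 00 00 00 00 ..|0........
"""
# Lookahead stops ASCII-column text such as "BE=n/." from being read as hex.
HEX_LINE = re.compile(r"^[0-9a-f]{4}((?:\s+[0-9a-f]{2}(?=\s|$))+)")

def parse_hexdump(dump):
    """Turn 'offset bytes ascii' dump lines into raw bytes (max 16 per line)."""
    out = bytearray()
    for line in dump.strip().splitlines():
        m = HEX_LINE.match(line.strip())
        if m:
            out += bytes.fromhex("".join(m.group(1).split()[:16]))
    return bytes(out)

def tcp_payload(frame):
    """Strip Ethernet II/IPv4/TCP headers (assumed); IP total length excludes padding."""
    ihl = (frame[14] & 0x0F) * 4
    total_len = int.from_bytes(frame[16:18], "big")
    data_off = (frame[14 + ihl + 12] >> 4) * 4
    return frame[14 + ihl + data_off:14 + total_len]

def content_match(payload, content, offset=0, depth=None):
    """Snort content: search payload[offset:offset+depth]; no depth = rest of payload."""
    end = None if depth is None else offset + depth
    return content in payload[offset:end]

def rev1_match(payload):  # rev:1 - dsize:48 plus the content match
    return len(payload) == 48 and content_match(payload, SIGNATURE)

def rev2_match(payload):  # rev:2 - dsize dropped; offset:0 alone does not anchor
    return content_match(payload, SIGNATURE, offset=0)
```

Note that in Snort an `offset` without a `depth` only sets where the search starts, so rev:2 fires on the 48-byte payloads and on the larger ones; anchoring the 26 constant bytes to the start of the payload would need `depth:26` as well.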