Trojan Emogen

This trojan has an interesting command-and-control channel. SIDs 2008269 and 2008270 detect it.

It starts out with a packet heavily padded with 0x00 bytes that carries the username, computer name, OS type, and the number 20080101. The server never responds with data. The client then sends keepalives, which are just 4-byte packets containing "test".

-- MattJonkman - 29 May 2008
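
The behaviour described above can be checked against reassembled flow payloads. The sketch below is an added example, not the logic of SIDs 2008269/2008270 and not part of the original topic. The `Segment` type, the thresholds and the sample check-in layout (field order and widths) are assumptions made for the demo, since the page gives no offsets.

```python
from dataclasses import dataclass

CHECKIN_MARKER = b"20080101"  # number the page says appears in the first packet
KEEPALIVE = b"test"           # 4-byte keepalive payload described on the page
MIN_NULL_RATIO = 0.5          # assumption: "heavily padded" = at least half 0x00
MIN_KEEPALIVES = 2            # assumption: require repeats before a full match


@dataclass
class Segment:                # hypothetical container for one payload in a flow
    from_client: bool
    payload: bytes


def null_ratio(data: bytes) -> float:
    return data.count(0) / len(data) if data else 0.0


def classify_flow(segments) -> str:
    """Return 'match', 'partial' or 'no-match' for one flow's ordered payloads."""
    client = [s.payload for s in segments if s.from_client and s.payload]
    server_bytes = sum(len(s.payload) for s in segments if not s.from_client)
    if not client:
        return "no-match"
    first, rest = client[0], client[1:]
    # Check-in: marker present and the packet is mostly 0x00 padding.
    if CHECKIN_MARKER not in first or null_ratio(first) < MIN_NULL_RATIO:
        return "no-match"
    # The page states the server never responds with data.
    if server_bytes > 0:
        return "no-match"
    # Everything after the check-in must be the bare keepalive.
    if len(rest) >= MIN_KEEPALIVES and all(p == KEEPALIVE for p in rest):
        return "match"
    return "partial"          # check-in seen, keepalive pattern not yet confirmed


def pad(field: bytes, width: int = 64) -> bytes:
    return field.ljust(width, b"\x00")


# Constructed sample: field order and 64-byte widths are invented for this demo.
SAMPLE_CHECKIN = pad(b"alice") + pad(b"WS-042") + pad(b"Windows XP") + pad(b"20080101")
SAMPLE_FLOW = [Segment(True, SAMPLE_CHECKIN)] + [Segment(True, b"test")] * 3
```

A `partial` result is worth logging on its own: it means the padded check-in was seen on a flow with no server data, but too few keepalives have arrived yet to confirm the pattern.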

Topic revision: r1 - 2008-05-29 - MattJonkman
 