Snort mailing list archives

Namihno Trojan
From: Paul Bottomley <Paul.Bottomley () betfair com>
Date: Mon, 20 May 2013 14:17:27 +0000

Sorry don't have a reference for this (Intel was received through our TI provider).

"The following URI is hard-coded into the sample and used to construct the HTTP C2 request:
URI parameters within the HTTP request contain the Base64-encoded hostname and IP address of the victim's computer."

I've assumed all occurrences of %s are Base64, but I can't get the rule to fire when a '+' occurs within the character class (using \x2b) - not sure why. I've also probably escaped some characters that don't need escaping.

Anyway, here is the rule I've created. Feel free to modify if you like.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"[C2] Namihno Trojan CnC Request";
flow:established,to_server; content:"/windows/update/search?hl="; fast_pattern:only; http_uri;
classtype:trojan-activity; sid:xxxxx; rev:1;)


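As an added example (not from the post and not Snort code), the following Python scan runs over constructed proxy-log lines, matches the hard-coded C2 path the rule's content match looks for, and decodes the Base64 query values; it percent-decodes first so a '+' sent as %2B is handled, and restores stripped padding. The second parameter name "q" and the victim hostname/IP values are assumptions.

```python
import base64
from urllib.parse import unquote, urlsplit

# Hard-coded C2 path quoted in the post (the value the Snort content match looks for).
C2_PATH = "/windows/update/search"

# Constructed sample proxy log lines, not real traffic. Only "hl=" is named in the post;
# the parameter "q" and the victim values (Base64 of "WIN-PC01" and "10.0.0.1") are
# assumptions. Line 2 percent-encodes the '=' padding, line 3 drops it, line 4 is benign.
SAMPLE_LOG = """\
10.1.2.3 GET /windows/update/search?hl=V0lOLVBDMDE=&q=MTAuMC4wLjE= HTTP/1.1
10.1.2.4 GET /windows/update/search?hl=V0lOLVBDMDE%3D&q=MTAuMC4wLjE%3D HTTP/1.1
10.1.2.5 GET /windows/update/search?hl=V0lOLVBDMDE&q=MTAuMC4wLjE HTTP/1.1
10.1.2.6 GET /windowsupdate/v6/default.aspx?ln=en-us HTTP/1.1
"""

def decode_b64_param(value):
    """Decode one query value as Base64, or return None if it is not Base64 text.
    Percent-decode first so '+', '/' and '=' survive whether sent raw or as
    %2B/%2F/%3D; restore padding because some clients strip it."""
    raw = unquote(value)
    raw += "=" * (-len(raw) % 4)
    try:
        return base64.b64decode(raw, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None

def inspect_uri(uri):
    """Return {param: decoded value} if the URI matches the C2 pattern, else None."""
    parts = urlsplit(uri)
    if parts.path != C2_PATH or not parts.query.startswith("hl="):
        return None
    decoded = {}
    for pair in parts.query.split("&"):
        # partition on the first '=' only so Base64 padding in the value survives;
        # parse_qsl() is avoided because it would turn a raw '+' into a space
        key, _, val = pair.partition("=")
        decoded[key] = decode_b64_param(val)
    return decoded

def scan_log(text):
    """Return [(client, params)] for every log line whose request URI matches."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[1] == "GET":
            params = inspect_uri(fields[2])
            if params is not None:
                hits.append((fields[0], params))
    return hits
```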

Snort-sigs mailing list
Snort-sigs () lists sourceforge net