Re: Doing the KanKan

[Joel Esler <jesler () sourcefire com>]

Thanks James. Is sent this over to Carlos on our team to take a look. 


--
Joel Esler
Sent from my iPad

> On Oct 11, 2013, at 6:43 PM, James Lay <jlay () slave-tothe-box net> wrote:
>
> Looks like it's gone down in usage, but didn't see anything in the 
> current rulesets:
>
> alert udp any any -> any 53 (msg:"MALWARE-OTHER Win32.KanKan stat 
> server DNS lookup"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 
> 00|"; depth:10; offset:2; 
> content:"|07|kkyouxi|04|stat|06|kankan|03|com"; fast_pattern:only; 
> metadata:policy balanced-ips drop, policy security-ips drop, service 
> dns, ruleset community; 
> reference:url,www.welivesecurity.com/2013/10/11/win32kankan-chinese-drama; 
> classtype:trojan-activity; sid:10000102; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
> (msg:"MALWARE-OTHER Win32.KanKan officeaddinupdate download"; 
> flow:to_server,established; content:"|2f|officeaddinupdate.xml"; 
> http_uri; fast_pattern:only; content:"Host:|20|update.kklm.n0808.com"; 
> http_header; metadata:policy balanced-ips drop, policy security-ips 
> drop, service http, ruleset community; 
> reference:url,www.welivesecurity.com/2013/10/11/win32kankan-chinese-drama; 
> classtype:trojan-activity; sid:10000103; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
> (msg:"MALWARE-OTHER Win32.KanKan tools.ini download"; 
> flow:to_server,established; content:"|2f|tools.ini"; http_uri; 
> fast_pattern:only; content:"Host:|20|conf.kklm.n0808.com"; http_header; 
> metadata:policy balanced-ips drop, policy security-ips drop, service 
> http, ruleset community; 
> reference:url,www.welivesecurity.com/2013/10/11/win32kankan-chinese-drama; 
> classtype:trojan-activity; sid:10000104; rev:1;)
>
> From the link:  "In this case the installer begins by contacting the 
> hard-coded domain kkyouxi.stat.kankan.com to report the initiation of 
> the installation." which doesn't tell me exactly how, or what URI so I 
> DNS'd it instead.  Betting these won't be useful for long, but maybe it 
> will help someone.
>
> James
>
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!