From robby.lists at gmail.com Tue Mar 4 15:09:21 2008
From: robby.lists at gmail.com (dajackman)
Date: Tue Mar 4 15:10:43 2008
Subject: [Bleeding-sigs] Agent Alt hits - Followup
In-Reply-To: <20071018071909.ywyzbw3sgow00wsg@mail.afferentsecurity.com>
References: <20071016081541.bp4rxxrmgcg8kk44@mail.afferentsecurity.com> <20071016111854.kgtu4dennk4okkc0@mail.afferentsecurity.com> <4716E91F.5000102@jonkmans.com> <20071018071909.ywyzbw3sgow00wsg@mail.afferentsecurity.com>
Message-ID: <78b16a340803040709p68cddfddtb071be245ace360f@mail.gmail.com>

I am. What I am seeing I don't think is Agent ALT. None of my hosts have any similarities to what info I can find on Agent.ALT. I am only seeing sid:2007591 fire. I haven't seen any others in this group of sigs: sid:2007588, sid:2007589, or sid:2007590.

Each payload is the same:

Payload Length: 10
000 : 00 01 00 00 02 02 44 01 00 3B   ......D..;

All of these are from various banner ad servers. Anyone else still seeing these?

On 10/18/07, Jack Pepper wrote:
> Quoting Matt Jonkman:
>
> > Can you share a packet?
>
> Sure, a couple thousand if you like ....
>
> Agent ALT analysis (for the period 10/15/07@3am - 10/16/07@3am)
>
> 209.249.142.9 -> 10.10.1.12 TROJAN Win32 Agent.ALT C&C Checkin Connection in Progress
> 4.71.104.187 -> 10.40.32.206 TROJAN Win32 Agent.ALT C&C Checkin Connection in Progress
> 64.154.81.197 -> 10.40.34.86 TROJAN Win32 Agent.ALT C&C Checkin Connection in Progress
> 64.154.81.197 -> 10.70.50.85 TROJAN Win32 Agent.ALT C&C Checkin Connection in Progress
> 64.154.82.224 -> 10.40.33.76 TROJAN Win32 Agent.ALT C&C Checkin Connection in Progress
> 64.154.82.72 -> 10.40.34.23 TROJAN Win32 Agent.ALT C&C Checkin Connection in Progress
> 168.75.68.97 -> 10.40.33.235 TROJAN Win32 Agent.ALT C&C Checkin Connection in Progress
>
> So of the 'outside' hosts, what are they?
>
> 209.249.142.9 -> "Revenue Science Corporation". Targeted marketing firm, sells software to the online marketing industry, including browser helper objects, among many other products.
> 4.71.104.187 -> "QuestionMarket.com", a known distribution site.
> 64.154.81.197 -> "HitBox Server" is a known "utility service" for counters.
> 64.154.82.224 -> Another "HitBox Server".
> 168.75.68.97 -> "Clear Blue Technology". Hosting company. Could be anything.
> 64.154.82.72 -> Another "HitBox Server".
>
> Let's take it apart, starting with the "unknown" host at "Clear Blue" (168.75.68.97):
>
> 08:12:34.769889 IP 168.75.68.97.80 > 10.40.33.235.1967: P 3140372189:3140372199(10) ack 2462837258 win 12600
> 0x0000: 4500 0032 0825 4000 3506 24e2 a84b 4461 E..2.%@.5.$..KDa
> 0x0010: 0a28 21eb 0050 07af bb2e 46dd 92cb ea0a .(!..P....F.....
> 0x0020: 5018 3138 98aa 0000 0001 0000 0202 4401 P.18..........D.
> 0x0030: 003b .;
>
> 12:19:58.344071 IP 168.75.68.97.80 > 10.10.1.178.4451: P 2859405698:2859405708(10) ack 1856371176 win 7560
> 0x0000: 4500 0032 622b 4000 3506 eb32 a84b 4461 E..2b+@.5..2.KDa
> 0x0010: 0a0a 01b2 0050 1163 aa6f 1182 6ea5 f9e8 .....P.c.o..n...
> 0x0020: 5018 1d88 1d60 0000 0001 0000 0202 4401 P....`........D.
> 0x0030: 003b .;
>
> 13:32:36.240369 IP 168.75.68.97.80 > 10.40.32.181.4079: P 3677760917:3677760927(10) ack 383641718 win 11040
> 0x0000: 4500 0032 2e69 4000 3506 ffd3 a84b 4461 E..2.i@.5....KDa
> 0x0010: 0a28 20b5 0050 0fef db36 2d95 16dd e876 .(...P...6-....v
> 0x0020: 5018 2b20 0e7b 0000 0001 0000 0202 4401 P.+..{........D.
> 0x0030: 003b .;
>
> 16:39:06.129241 IP 168.75.68.97.80 > 10.40.34.29.3199: P 979095712:979095722(10) ack 2179211625 win 11040
> 0x0000: 4500 0032 d0fb 4000 3506 5bd9 a84b 4461 E..2..@.5.[..KDa
> 0x0010: 0a28 221d 0050 0c7f 3a5b d0a0 81e4 2169 .("..P..:[....!i
> 0x0020: 5018 2b20 6a59 0000 0001 0000 0202 4401 P.+.jY........D.
> 0x0030: 003b .;
>
> 16:39:36.999439 IP 168.75.68.97.80 > 10.40.34.29.3214: P 3429252465:3429252475(10) ack 2313734872 win 11040
> 0x0000: 4500 0032 933e 4000 3506 9996 a84b 4461 E..2.>@.5....KDa
> 0x0010: 0a28 221d 0050 0c8e cc66 3d71 89e8 cad8 .("..P...f=q....
> 0x0020: 5018 2b20 b9fa 0000 0001 0000 0202 4401 P.+...........D.
> 0x0030: 003b .;
>
> So we do have multiple hosts on the inside network talking to this same address.
>
> Do a nslookup on js.revsci.net:
>
> js.revsci.net canonical name = js.lb-revsci.net.
> Name: js.lb-revsci.net
> Address: 168.75.68.97
> Name: js.lb-revsci.net
> Address: 206.191.161.97
> Name: js.lb-revsci.net
> Address: 209.249.142.9
> Name: js.lb-revsci.net
> Address: 209.249.142.97
> Name: js.lb-revsci.net
> Address: 38.96.134.241
>
> The domain "revsci.net" is of course owned by Revenue Science. This host, 168.75.68.97, is a "tracking data" collection site.
>
> In this other case, we caught the download of the browser helper object, downloaded from the same site at "clear blue":
>
> 14:01:03.659262 IP 10.40.33.22.3736 > 168.75.68.97.80: P 3489417517:3489418851(1334) ack 3701690791 win 65535
> 0x0000: 4500 055e 0470 4000 7f06 da3f 0a28 2116 E..^.p@....?.(!.
> 0x0010: a84b 4461 0e98 0050 cffc 492d dca3 51a7 .KDa...P..I-..Q.
> 0x0020: 5018 ffff 9fc0 0000 4745 5420 2f63 6f6d P.......GET./com
> 0x0030: 6d6f 6e2f 7063 782e 6a73 3f74 6d70 6c3d mon/pcx.js?tmpl=
> 0x0040: 6164 3326 6373 6964 3d43 3035 3530 3326 ad3&csid=C05503&
> 0x0050: 6b6f 3d32 3030 375f 3130 5f31 355f 5f31 ko=2007_10_15__1
> 0x0060: 2048 5454 502f 312e 310d 0a41 6363 6570 .HTTP/1.1..Accep
> 0x0070: 743a 202a 2f2a 0d0a 5265 6665 7265 723a t:.*/*..Referer:
> 0x0080: 2068 7474 703a 2f2f 7777 772e 6b63 7476 .http://www.kctv
> 0x0090: 352e 636f 6d2f 696e 6465 782e 6874 6d6c 5.com/index.html
> 0x00a0: 0d0a 4163 6365 7074 2d4c 616e 6775 6167 ..Accept-Languag
> 0x00b0: 653a 2065 6e2d 7573 0d0a 4163 6365 7074 e:.en-us..Accept
> 0x00c0: 2d45 6e63 6f64 696e 673a 2067 7a69 702c -Encoding:.gzip,
> 0x00d0: 2064 6566 6c61 7465 0d0a 4966 2d4d 6f64 .deflate..If-Mod
> 0x00e0: 6966 6965 642d 5369 6e63 653a 204d 6f6e ified-Since:.Mon
> 0x00f0: 2c20 3135 204f 6374 2032 3030 3720 3138 ,.15.Oct.2007.18
> 0x0100: 3a34 323a 3132 2047 4d54 0d0a 5573 6572 :42:12.GMT..User
> 0x0110: 2d41 6765 6e74 3a20 4d6f 7a69 6c6c 612f -Agent:.Mozilla/
> 0x0120: 342e 3020 2863 6f6d 7061 7469 626c 653b 4.0.(compatible;
> 0x0130: 204d 5349 4520 362e 303b 2057 696e 646f .MSIE.6.0;.Windo
> 0x0140: 7773 204e 5420 352e 313b 2053 5631 3b20 ws.NT.5.1;.SV1;.
> 0x0150: 4675 6e57 6562 5072 6f64 7563 7473 3b20 FunWebProducts;.
> 0x0160: 2e4e 4554 2043 4c52 2031 2e31 2e34 3332 .NET.CLR.1.1.432
> 0x0170: 323b 202e 4e45 5420 434c 5220 322e 302e 2;..NET.CLR.2.0.
> 0x0180: 3530 3732 3729 0d0a 486f 7374 3a20 6a73 50727)..Host:.js
> 0x0190: 2e72 6576 7363 692e 6e65 740d 0a43 6f6e .revsci.net..Con
> 0x01a0: 6e65 6374 696f 6e3a 204b 6565 702d 416c nection:.Keep-Al
> 0x01b0: 6976 650d 0a43 6f6f 6b69 653a 204e 4554 ive..Cookie:.NET
> 0x01c0: 4944 3031 3d42 7445 4458 7772 4031 5267 ID01=BtEDXwr@1Rg
> 0x01d0: 4141 4472 4a4e 7059 4141 4147 423b 204e AADrJNpYAAAGB;.N
> 0x01e0: 4554 5345 4753 5f43 3035 3530 333d 4642 ETSEGS_C05503=FB
> 0x01f0: 3732 4644 3139 4235 3045 4438 3236 2643 72FD19B50ED826&C
>
>
>
> 0x0550: 3473 4c30 7864 6754 6566 0d0a 0d0a 4sL0xdgTef....
>
> Look at the 'download' packet, above. The location called "referrer" is where the browser was right before this snapshot was taken: http://www.kctv5.com/index.html. There are advertisers all over that page. Kctv5, being a TV station, makes their living by selling advertising. They would obviously be a normal client for Revenue Science, to make sure they get paid for click-throughs to their advertising partners.
>
> To examine the installer code and the actual BHO code you can download the code from:
> http://js.revsci.net/gateway/gw.js?csid=C05503
> and the part that makes sure the money goes to kctv5:
> http://www.kctv5.com/js/4230798/script.js
> and the tracking pixel:
> http://pix01.revsci.net/C05503/a3/0/0/0/0/0/0/0/0/0/noscript.gif
>
> > Jack Pepper wrote:
> >> Quoting Jack Pepper:
> >>
> >>> The rule for 2007591 is hitting lots of malware check-ins, and they
> >>> look like good hits.
> >>
> >> The hits do not look like Agent.Alt infections. They appear to be
> >> counters for the Revenue Science BHO application.
> >>
> >> Are other people seeing these? I am seeing these at all of my sites, in
> >> some cases thousands of them.
> >>
> >> jp
> >>
> >> ----------------------------------------------------------------
> >> @fferent Security Labs: Isolate/Insulate/Innovate
> >> http://www.afferentsecurity.com
> >>
> >> _______________________________________________
> >> Bleeding-sigs mailing list
> >> Bleeding-sigs@bleedingthreats.net
> >> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
> >
> > --
> > --------------------------------------------
> > Matthew Jonkman
> > Bleeding Edge Threats
> > US Phone 765-429-0398
> > US Fax 312-264-0205
> > AUS Phone 61-42-4157-491
> > AUS Fax 61-29-4750-026
> > http://www.bleedingthreats.net
> > --------------------------------------------
> >
> > PGP: http://www.bleedingthreats.com/mattjonkman.asc

-- 
-dajackman

From jeff-kell at utc.edu Tue Mar 4 18:16:06 2008
From: jeff-kell at utc.edu (Jeff Kell)
Date: Tue Mar 4 18:27:45 2008
Subject: [Bleeding-sigs] Agent Alt hits - Followup
In-Reply-To: <78b16a340803040709p68cddfddtb071be245ace360f@mail.gmail.com>
References: <20071016081541.bp4rxxrmgcg8kk44@mail.afferentsecurity.com> <20071016111854.kgtu4dennk4okkc0@mail.afferentsecurity.com> <4716E91F.5000102@jonkmans.com> <20071018071909.ywyzbw3sgow00wsg@mail.afferentsecurity.com> <78b16a340803040709p68cddfddtb071be245ace360f@mail.gmail.com>
Message-ID: <47CD91E6.1070007@utc.edu>

dajackman wrote:
> I am. What I am seeing I don't think is Agent ALT. None of my hosts
> have any similarities to what info I can find on Agent.ALT.

Looking at the wiki, it appears that the Agent.ALT signatures had a flowbit with them at one time (and may very well have been accurate then), but the flowbit references are gone, and these signatures have been firing [falsely] for some time. I disabled them locally to cut down on the noise.

If anyone here has any knowledge of the flowbits or the original intent of the sigs, perhaps they can "repair" these and let us know. Otherwise, with no other references, I couldn't fathom a guess what it was looking for. We end up with a check for two bytes in a short packet, which doesn't take too many rolls of the dice to come up a winner in an arbitrary binary packet stream.

Jeff

From jscheidell at secnap.net Tue Mar 18 00:00:47 2008
From: jscheidell at secnap.net (Jonathan Scheidell)
Date: Tue Mar 18 00:07:57 2008
Subject: [Bleeding-sigs] Syntax error in SID 9000
Message-ID:

I guess since we are the only ones on planet earth not using Snort v2.8 we are the only ones affected by these, but in any case:

content:"|0d 0a|Host: ";

Should be:

content:"|0d 0a|Host\: ";

Escape the colon.

-- 
Jon Scheidell | SECNAP Network Security
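An added example, not from the thread or from the Snort project, that does what Jonathan's report implies a rule author should do before shipping: lint every content string in a Snort 2 rule for unescaped special characters and decode the string into the bytes the engine actually matches. The rule text is constructed around the content option quoted above with a placeholder sid, and treating an unescaped colon as an error follows the 2.6/2.8-era parser behaviour described in this thread.

```python
"""Lint Snort 2 content: strings for unescaped special characters (added example)."""
import re
from typing import List, Tuple
# Characters the Snort 2.6/2.8-era parser expects to be backslash-escaped inside content:"..."
SPECIAL = set(':;\\"')
CONTENT_RE = re.compile(r'content:\s*"((?:[^"\\]|\\.)*)"\s*;')

def decode_content(text: str) -> bytes:
    """Return the bytes the engine would match: |hh hh| runs become raw bytes,
    a backslash yields the character after it, anything else is literal."""
    out, i = bytearray(), 0
    while i < len(text):
        c = text[i]
        if c == "|":                       # hex run, e.g. |0d 0a|
            end = text.index("|", i + 1)
            out.extend(bytes.fromhex(text[i + 1:end].replace(" ", "")))
            i = end + 1
        elif c == "\\":                    # escaped character, e.g. \:
            out.append(ord(text[i + 1]))
            i += 2
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)

def unescaped_specials(text: str) -> List[Tuple[int, str]]:
    """(offset, char) for each special character that is neither escaped nor inside |hex|."""
    found, in_hex, i = [], False, 0
    while i < len(text):
        c = text[i]
        if c == "|":
            in_hex = not in_hex
        elif c == "\\" and not in_hex:
            i += 1                         # skip the escaped character
        elif c in SPECIAL and not in_hex:
            found.append((i, c))
        i += 1
    return found

def lint_rule(rule: str) -> List[str]:
    """One message per unescaped special character across all content options of a rule."""
    problems = []
    for m in CONTENT_RE.finditer(rule):
        for pos, ch in unescaped_specials(m.group(1)):
            problems.append(f"content {m.group(1)!r}: unescaped {ch!r} at offset {pos}")
    return problems

# Constructed rules around the content option from the thread; the sid is a placeholder.
BAD = 'alert tcp any any -> any 80 (msg:"example"; content:"|0d 0a|Host: "; sid:1000001;)'
GOOD = BAD.replace("Host: ", "Host\\: ")
```

Run `lint_rule` over a rules file before loading it: a non-empty result is the warning that a 2.8 parser would otherwise swallow along with the rule.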
From pepperjack at afferentsecurity.com Tue Mar 18 00:26:37 2008
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Tue Mar 18 00:33:37 2008
Subject: [Bleeding-sigs] Syntax error in SID 9000
Message-ID: <20080317192637.1ej8r1fpc4s8wosw@mail.afferentsecurity.com>

Quoting Jonathan Scheidell:
> I guess since we are the only ones on planet earth not using Snort v2.8 we
> are the only ones affected by these but in any case.

The 2.8 users are even more seriously affected, because the rule is just silently dropped during parsing. Much more insidious. The 2.6 user at least *knows* when there is a problem and can do something about it.

jp

-- 
Framework? I don't need no stinking framework!

From MKozlowski at factset.com Tue Mar 18 01:05:12 2008
From: MKozlowski at factset.com (Marcin Kozlowski)
Date: Tue Mar 18 01:16:16 2008
Subject: [Bleeding-sigs] Marcin Kozlowski is out of the office.
Message-ID:

I will be out of the office starting 03/12/2008 and will not return until 03/26/2008. I will respond to your message when I return.

From jonkman at jonkmans.com Tue Mar 18 04:14:37 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue Mar 18 04:16:22 2008
Subject: [Bleeding-sigs] Syntax error in SID 9000
Message-ID: <47DF41AD.8000904@jonkmans.com>

That is an EXTREMELY annoying 'feature' of 2.8. Fixed, thanks!

Matt

Jonathan Scheidell wrote:
> I guess since we are the only ones on planet earth not using Snort v2.8
> we are the only ones affected by these but in any case.
> content:"|0d 0a|Host: ";
>
> Should be:
> content:"|0d 0a|Host\: ";
>
> Escape the colon.
>
> --
> Jon Scheidell | SECNAP Network Security

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
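Returning to the Agent.ALT hits at the top of this thread: an added example, not from the thread or any of the posters, that rebuilds the TCP payload from the tcpdump -X hex dumps Jack Pepper posted and checks whether the alerts all carry the same bytes. The two dumps are copied from his post; the parser, which walks the IPv4 and TCP headers to find the data offset, is illustrative.

```python
"""Rebuild TCP payloads from tcpdump -X hex dumps (added example, not from the thread)."""
import re
# Two dumps copied verbatim from Jack Pepper's post (168.75.68.97:80 -> inside hosts).
PACKETS = [
    """0x0000: 4500 0032 0825 4000 3506 24e2 a84b 4461 E..2.%@.5.$..KDa
0x0010: 0a28 21eb 0050 07af bb2e 46dd 92cb ea0a .(!..P....F.....
0x0020: 5018 3138 98aa 0000 0001 0000 0202 4401 P.18..........D.
0x0030: 003b .;""",
    """0x0000: 4500 0032 622b 4000 3506 eb32 a84b 4461 E..2b+@.5..2.KDa
0x0010: 0a0a 01b2 0050 1163 aa6f 1182 6ea5 f9e8 .....P.c.o..n...
0x0020: 5018 1d88 1d60 0000 0001 0000 0202 4401 P....`........D.
0x0030: 003b .;""",
]
HEX_GROUP = re.compile(r"^(?:[0-9a-f]{4}|[0-9a-f]{2})$", re.I)

def dump_bytes(dump):
    """Concatenate the hex column of each '0xNNNN:' line, ignoring the ASCII column:
    tcpdump prints at most eight groups per line, so stop at the ninth token or the
    first token that is not a hex group."""
    raw = bytearray()
    for line in dump.strip().splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].lower().startswith("0x"):
            continue
        for tok in tokens[1:9]:
            if not HEX_GROUP.match(tok):
                break
            raw.extend(bytes.fromhex(tok))
    return bytes(raw)

def tcp_payload(dump):
    """Walk the IPv4 and TCP headers and return endpoints plus the application data."""
    pkt = dump_bytes(dump)
    if len(pkt) < 40 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("expected an IPv4/TCP packet")
    ihl = (pkt[0] & 0x0F) * 4                       # IP header length
    pkt = pkt[:int.from_bytes(pkt[2:4], "big")]     # trim to IP total length
    doff = (pkt[ihl + 12] >> 4) * 4                 # TCP data offset
    return {
        "src": ".".join(map(str, pkt[12:16])),
        "dst": ".".join(map(str, pkt[16:20])),
        "sport": int.from_bytes(pkt[ihl:ihl + 2], "big"),
        "dport": int.from_bytes(pkt[ihl + 2:ihl + 4], "big"),
        "payload": pkt[ihl + doff:],
    }

def distinct_payloads(dumps):
    """A single entry means every alert carried the same bytes, nothing host-specific."""
    return {tcp_payload(d)["payload"] for d in dumps}
```

Feeding all five dumps from the thread through `distinct_payloads` yields the one 10-byte blob dajackman reported, which is what you would expect from a static tracker response rather than a per-host check-in.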