Wednesday, December 14, 2016

1:40906 MALWARE-CNC Win.Malware.Disttrack variant outbound connection

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whomever created this Disttrack malware snort alert didn't include documentation.

1 40906 MALWARE-CNC Win.Malware.Disttrack variant outbound connection
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Malware.Disttrack variant outbound connection"; flow:to_server,established; content:"/category/page.php"; http_uri; content:"shinu="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,; classtype:trojan-activity; sid:40906; rev:1; )

If I had to guess I think it's related to Disttrack malware that spreads across the network destroying data or something similar which stated.

Disttrack is a multipurpose tool that exhibits worm-like behavior by attempting to spread to other systems on a local network using stolen administrator credentials. More importantly, its claim to fame is the ability to destroy data and to render infected systems unusable. The data in “shinu” parameter is a combination of the system’s tickcount, local IP address, operating system version, keyboard layout and the contents of %WINDOWS%\inf\netimm173.pnf. The C2 server can respond to this HTTP request
The virus total link provided has hits on things such as Trojan/Win32.DistTrack , DistTrack!comm , etc.

More about neonprimetime

Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java

Top Github Contributions
  1. Qualys Scantronitor 2.0

Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

No comments:

Post a Comment