Monday, December 26, 2016

1:41033 MALWARE-CNC Win.Trojan.Proteus outbound connection

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whomever created these trojan connection attempts snort alert didn't include documentation.

(1:41033) MALWARE-CNC Win.Trojan.Proteus outbound connection

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Proteus outbound connection"; flow:to_server,established; content:"/api/register"; fast_pattern:only; http_uri; content:"{|22|m|22|:|22 5C 5C|"; depth:8; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,; classtype:trojan-activity; sid:41033; rev:1; )

If I had to guess I think it's related to this link per the virustotal comments botnet Proteus or something similar which stated.

It appears to make callouts to an api for the C&C server. It appears to have keyloggers capabilities among other things.
The virus total link above shows several generic hits like Trojan.KeyLogger, TrojanDropper.Dapato, Win32.Trojan.WisdomEyes,Trojan.Dynamer, etc.

More about neonprimetime

Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java

Top Github Contributions
  1. Qualys Scantronitor 2.0

Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

No comments:

Post a Comment