<div dir="ltr"><div><div><div><div>Hey James,<br><br></div>We can help out with this sort of stuff over on the emerging-sigs list: <a href="https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs">https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs</a><br><br></div>Are you able to send me a pcap off-list of the queries/responses so I can check to see if those are FPs? In the meantime, here is some information from a few years ago:<br><a href="https://lists.emergingthreats.net/pipermail/emerging-sigs/2012-July/019888.html">https://lists.emergingthreats.net/pipermail/emerging-sigs/2012-July/019888.html</a><br><br></div>Regards,<br></div>Darien<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Aug 27, 2015 at 2:23 PM, James Moe <span dir="ltr"><<a href="mailto:jimoe@sohnen-moe.com" target="_blank">jimoe@sohnen-moe.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
Hello,<br>
suricata v2.0.8<br>
linux 3.16.7-24-desktop x86_64<br>
<br>
Recently there have been about a dozen of the entries shown below in<br>
<fast.log>. These entries occur even when Windows is not running on<br>
any of the computers here (Windows runs in a VM). There is no evidence<br>
of the trojan successfully installing itself.<br>
I searched for an explanation of the threat but could find no<br>
detailed description of its operation, particularly how it infects a<br>
computer; only that it steals stuff after infesting.<br>
What confuses me about the log entry is that it is a response from<br>
known good DNS servers. 8.8.8.8 is a Google server, and the other one<br>
is our ISP's DNS server.<br>
Where may I find a detailed description of the threat?<br>
<br>
08/27/2015-00:15:41.324942 [**] [1:2013935:4] ET TROJAN<br>
Win32.Zbot.chas/Unruy.H Covert DNS CnC Channel TXT Response [**]<br>
[Classification: A Network Trojan was Detected] [Priority: 1] {UDP}<br>
<a href="http://205.171.3.65:53" rel="noreferrer" target="_blank">205.171.3.65:53</a> -> <a href="http://192.168.69.246:52150" rel="noreferrer" target="_blank">192.168.69.246:52150</a><br>
<br>
08/27/2015-10:32:20.723324 [**] [1:2013935:4] ET TROJAN<br>
Win32.Zbot.chas/Unruy.H Covert DNS CnC Channel TXT Response [**]<br>
[Classification: A Network Trojan was Detected] [Priority: 1] {UDP}<br>
<a href="http://8.8.8.8:53" rel="noreferrer" target="_blank">8.8.8.8:53</a> -> <a href="http://192.168.69.246:36568" rel="noreferrer" target="_blank">192.168.69.246:36568</a><br>
<br>
<br>
- --<br>
James Moe<br>
moe dot james at sohnen-moe dot com<br>
<a href="tel:520.743.3936" value="+15207433936">520.743.3936</a><br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v2<br>
<br>
iEYEARECAAYFAlXfVYkACgkQzTcr8Prq0ZNsEQCfZ0cN/3tiHhsMM7pWi0YZ0fi+<br>
hbEAn2lttl4Wj2GZqQsNsn5gE4JJU57A<br>
=Bdvi<br>
-----END PGP SIGNATURE-----<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
Suricata User Conference November 4 & 5 in Barcelona: <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a><br>
</blockquote></div><br></div>