[Oisf-users] How serious is this threat?

James Moe jimoe at sohnen-moe.com
Thu Aug 27 18:23:05 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,
suricata v2.0.8
linux 3.16.7-24-desktop x86_64

  Recently there have been about a dozen of the entries shown below in
<fast.log>.  These entries occur even when Windows is not running on
any of the computers here (Windows runs in a VM). There is no evidence
of the trojan successfully installing itself.
  I searched for an explanation of the threat but could find no
detailed description of its operation, particularly how it infects a
computer; only that it steals stuff after infesting.
  What confuses me about the log entry is that it is a response from
known good DNS servers. 8.8.8.8 is a Google server, and the other one
is our ISP's DNS server.
  Where may I find a detailed description of the threat?

08/27/2015-00:15:41.324942  [**] [1:2013935:4] ET TROJAN
Win32.Zbot.chas/Unruy.H Covert DNS CnC Channel TXT Response [**]
[Classification: A Network Trojan was Detected] [Priority: 1] {UDP}
205.171.3.65:53 -> 192.168.69.246:52150

08/27/2015-10:32:20.723324  [**] [1:2013935:4] ET TROJAN
Win32.Zbot.chas/Unruy.H Covert DNS CnC Channel TXT Response [**]
[Classification: A Network Trojan was Detected] [Priority: 1] {UDP}
8.8.8.8:53 -> 192.168.69.246:36568


- -- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iEYEARECAAYFAlXfVYkACgkQzTcr8Prq0ZNsEQCfZ0cN/3tiHhsMM7pWi0YZ0fi+
hbEAn2lttl4Wj2GZqQsNsn5gE4JJU57A
=Bdvi
-----END PGP SIGNATURE-----
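The two fast.log entries above are worth reading mechanically before deciding how serious they are. An added example (not part of the post or of the Suricata project) parses the fast.log format shown, then records which side of each alert is the resolver and which is the internal client. The assumption, taken from the direction printed in the log ({UDP} resolver:53 -> internal host:ephemeral port), is that the rule fires on the DNS reply packet, so the source address is simply the server that answered and the host to examine is the destination that asked the question. The sample input is the two lines from the post joined back onto single lines (constructed here; the original was wrapped by the mailing list).

```python
import ipaddress
import re
from collections import defaultdict

# One Suricata fast.log alert line, in the layout shown in the post (IPv4 only).
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"\[Classification:\s+(?P<classification>[^\]]+)\]\s+"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample: the two alerts quoted in the post, each on a single line.
SAMPLE_LINES = [
    "08/27/2015-00:15:41.324942  [**] [1:2013935:4] ET TROJAN "
    "Win32.Zbot.chas/Unruy.H Covert DNS CnC Channel TXT Response [**] "
    "[Classification: A Network Trojan was Detected] [Priority: 1] {UDP} "
    "205.171.3.65:53 -> 192.168.69.246:52150",
    "08/27/2015-10:32:20.723324  [**] [1:2013935:4] ET TROJAN "
    "Win32.Zbot.chas/Unruy.H Covert DNS CnC Channel TXT Response [**] "
    "[Classification: A Network Trojan was Detected] [Priority: 1] {UDP} "
    "8.8.8.8:53 -> 192.168.69.246:36568",
]


def parse_fast_log_line(line):
    """Return a dict of the alert's fields, or None if the line is not an alert."""
    m = FAST_LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def classify_dns_direction(rec):
    """Decide which endpoint is the resolver and which is the client.

    A packet from port 53 to an ephemeral port is a reply, so the source is the
    resolver and the destination is the client that sent the query.  A packet to
    port 53 is the query itself.  Anything else is not a DNS exchange.
    """
    if rec["sport"] == 53 and rec["dport"] != 53:
        return {"kind": "response", "resolver": rec["src"], "client": rec["dst"]}
    if rec["dport"] == 53:
        return {"kind": "query", "resolver": rec["dst"], "client": rec["src"]}
    return {"kind": "other", "resolver": None, "client": None}


def triage(lines):
    """Group DNS alerts by the client host that should actually be investigated.

    Returns {client_ip: {"alerts": n, "internal": bool, "resolvers": [...],
    "sids": [...], "messages": [...]}}.  The resolver addresses are kept so the
    analyst can see at a glance that they are ordinary recursive servers rather
    than the thing the alert is about.
    """
    groups = defaultdict(lambda: {"alerts": 0, "resolvers": set(),
                                  "sids": set(), "messages": set()})
    for line in lines:
        rec = parse_fast_log_line(line)
        if rec is None:
            continue
        direction = classify_dns_direction(rec)
        if direction["kind"] == "other":
            continue
        entry = groups[direction["client"]]
        entry["alerts"] += 1
        entry["resolvers"].add(direction["resolver"])
        entry["sids"].add(rec["sid"])
        entry["messages"].add(rec["msg"])
    # Freeze the sets into sorted lists and flag RFC 1918 clients as internal.
    return {
        client: {
            "alerts": e["alerts"],
            "internal": ipaddress.ip_address(client).is_private,
            "resolvers": sorted(e["resolvers"]),
            "sids": sorted(e["sids"]),
            "messages": sorted(e["messages"]),
        }
        for client, e in groups.items()
    }


if __name__ == "__main__":
    for client, info in triage(SAMPLE_LINES).items():
        where = "internal" if info["internal"] else "external"
        print(f"{client} ({where}): {info['alerts']} alert(s), "
              f"answered by {', '.join(info['resolvers'])}, SIDs {info['sids']}")
```

Run against the two lines, the report shows a single internal client, 192.168.69.246, with replies from both resolvers. That is the host whose DNS queries (the names it looked up and what the TXT answers contained, available from Suricata's DNS logging if it is enabled) decide whether the signature matched real command traffic or an unrelated TXT record.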
