[Oisf-users] How serious is this threat?
James Moe
jimoe at sohnen-moe.com
Thu Aug 27 18:23:05 UTC 2015
Hello,
suricata v2.0.8
linux 3.16.7-24-desktop x86_64
Recently there have been about a dozen of the entries shown below in
<fast.log>. These entries occur even when Windows is not running on
any of the computers here (Windows runs in a VM). There is no evidence
of the trojan successfully installing itself.
I searched for an explanation of the threat but could find no
detailed description of its operation, particularly how it infects a
computer; only that it steals stuff after infesting.
What confuses me about the log entry is that it is a response from
known good DNS servers. 8.8.8.8 is a Google server, and the other one
is our ISP's DNS server.
Where may I find a detailed description of the threat?
08/27/2015-00:15:41.324942 [**] [1:2013935:4] ET TROJAN Win32.Zbot.chas/Unruy.H Covert DNS CnC Channel TXT Response [**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 205.171.3.65:53 -> 192.168.69.246:52150
08/27/2015-10:32:20.723324 [**] [1:2013935:4] ET TROJAN Win32.Zbot.chas/Unruy.H Covert DNS CnC Channel TXT Response [**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 8.8.8.8:53 -> 192.168.69.246:36568
--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
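Added example, not part of the post or of the Suricata project: a small parser for fast.log lines like the two quoted above. For a DNS alert that fires on the response direction (source port 53), it attributes the hits to the internal client that issued the query rather than to the resolver that merely relayed the TXT record. The sample input is a constructed copy of the two lines from the post.

```python
import re
from collections import Counter

# Constructed sample: the two alert lines from the post, one per line.
SAMPLE_FAST_LOG = """\
08/27/2015-00:15:41.324942 [**] [1:2013935:4] ET TROJAN Win32.Zbot.chas/Unruy.H Covert DNS CnC Channel TXT Response [**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 205.171.3.65:53 -> 192.168.69.246:52150
08/27/2015-10:32:20.723324 [**] [1:2013935:4] ET TROJAN Win32.Zbot.chas/Unruy.H Covert DNS CnC Channel TXT Response [**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 8.8.8.8:53 -> 192.168.69.246:36568
"""

# fast.log layout: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: n] {proto} src:sport -> dst:dport.  Greedy \S+ for the addresses
# backtracks to the last colon, so IPv6 addresses also split correctly.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$"
)


def parse_fast_log(text):
    """Parse fast.log text into a list of dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
            d[key] = int(d[key])
        alerts.append(d)
    return alerts


def dns_response_clients(alerts, sid):
    """Count hits per internal client for response-direction DNS alerts of one SID.

    A UDP source port of 53 means the packet is the resolver's answer, so the host
    worth examining is the destination (the machine that asked), not the resolver.
    Returns (Counter of client -> hits, set of resolvers seen).
    """
    clients = Counter()
    resolvers = set()
    for a in alerts:
        if a["sid"] == sid and a["proto"] == "UDP" and a["sport"] == 53:
            clients[a["dst"]] += 1
            resolvers.add(a["src"])
    return clients, resolvers


if __name__ == "__main__":
    hits, resolvers = dns_response_clients(parse_fast_log(SAMPLE_FAST_LOG), 2013935)
    print(hits, resolvers)
```

The client identified this way is the one whose DNS queries (in dns.log or eve.json) should be reviewed for the name that returned the matching TXT record.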