[Oisf-users] How serious is this threat?

Darien Huss dhuss at emergingthreats.net
Thu Aug 27 18:40:52 UTC 2015


Hey James,

We can help out with this sort of stuff over on the emerging-sigs list:
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Are you able to send me a pcap off-list of the queries/responses so I can
check to see if those are FPs? In the meantime, here is some information
from a few years ago:
https://lists.emergingthreats.net/pipermail/emerging-sigs/2012-July/019888.html

Regards,
Darien

On Thu, Aug 27, 2015 at 2:23 PM, James Moe <jimoe at sohnen-moe.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello,
> suricata v2.0.8
> linux 3.16.7-24-desktop x86_64
>
>   Recently there have been about a dozen of the entries shown below in
> <fast.log>.  These entries occur even when Windows is not running on
> any of the computers here (Windows runs in a VM). There is no evidence
> of the trojan successfully installing itself.
>   I searched for an explanation of the threat but could find no
> detailed description of its operation, particularly how it infects a
> computer; only that it steals stuff after infesting.
>   What confuses me about the log entry is that it is a response from
> known good DNS servers. 8.8.8.8 is a Google server, and the other one
> is our ISP's DNS server.
>   Where may I find a detailed description of the threat?
>
> 08/27/2015-00:15:41.324942  [**] [1:2013935:4] ET TROJAN
> Win32.Zbot.chas/Unruy.H Covert DNS CnC Channel TXT Response [**]
> [Classification: A Network Trojan was Detected] [Priority: 1] {UDP}
> 205.171.3.65:53 -> 192.168.69.246:52150
>
> 08/27/2015-10:32:20.723324  [**] [1:2013935:4] ET TROJAN
> Win32.Zbot.chas/Unruy.H Covert DNS CnC Channel TXT Response [**]
> [Classification: A Network Trojan was Detected] [Priority: 1] {UDP}
> 8.8.8.8:53 -> 192.168.69.246:36568
>
>
> - --
> James Moe
> moe dot james at sohnen-moe dot com
> 520.743.3936
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iEYEARECAAYFAlXfVYkACgkQzTcr8Prq0ZNsEQCfZ0cN/3tiHhsMM7pWi0YZ0fi+
> hbEAn2lttl4Wj2GZqQsNsn5gE4JJU57A
> =Bdvi
> -----END PGP SIGNATURE-----
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona:
> http://oisfevents.net
>
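The two fast.log entries quoted above share one shape, and the point James raises follows from it: a rule whose message ends in "TXT Response" fires on the resolver's reply, so the source address is always the DNS server (8.8.8.8 or the ISP resolver here) and says nothing by itself about whether the traffic is malicious. What triage actually needs is the internal client that received the flagged responses, which is the host whose pcap Darien asks for. The following parser and per-SID summary is an added example written for this page, not code from the thread or from the Suricata project; the trusted-resolver list and the third, non-DNS log line are constructed for illustration (SID 9999999 is a placeholder, 203.0.113.10 is a documentation address).

```python
"""Parse Suricata 2.x fast.log lines and summarize DNS-response alerts per SID.

Added example for this mailing-list page; not Suricata project code.
"""
import re
from collections import defaultdict
from datetime import datetime

# One fast.log record, as Suricata 2.x writes it on a single line:
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:sport -> dst:dport
# IPv4 only; fast.log prints IPv6 addresses without brackets, which this regex does not handle.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+(?P<src>[0-9.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[0-9.]+):(?P<dport>\d+)\s*$"
)

# The two alerts quoted in the thread (re-joined onto single lines) plus one constructed
# non-DNS alert to show that the resolver check only looks at DNS responses.
SAMPLE_FAST_LOG = [
    "08/27/2015-00:15:41.324942  [**] [1:2013935:4] ET TROJAN Win32.Zbot.chas/Unruy.H Covert DNS CnC Channel TXT Response [**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 205.171.3.65:53 -> 192.168.69.246:52150",
    "08/27/2015-10:32:20.723324  [**] [1:2013935:4] ET TROJAN Win32.Zbot.chas/Unruy.H Covert DNS CnC Channel TXT Response [**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 8.8.8.8:53 -> 192.168.69.246:36568",
    "08/27/2015-11:02:07.000001  [**] [1:9999999:1] CONSTRUCTED placeholder non-DNS alert [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.69.246:51000 -> 203.0.113.10:80",
]

# Resolvers the analyst considers known-good (constructed; James names these two in his post).
TRUSTED_RESOLVERS = {"8.8.8.8", "205.171.3.65"}


def parse_fast_log_line(line):
    """Return a dict of the record's fields, or None if the line is not a fast.log alert."""
    m = FAST_LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y-%H:%M:%S.%f")
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def summarize_alerts(lines, trusted_resolvers):
    """Group alerts by SID; for DNS responses (UDP from port 53) record who answered and who asked.

    'all_from_trusted_resolvers' is True when every DNS responder seen for that SID is in
    trusted_resolvers, which is exactly the situation James describes: the alert is on the
    reply, so the only useful pivot is the client address in 'clients'.
    """
    trusted = set(trusted_resolvers)
    by_sid = defaultdict(lambda: {
        "msg": None, "count": 0, "first": None, "last": None,
        "responders": set(), "clients": set(),
    })
    for line in lines:
        rec = parse_fast_log_line(line)
        if rec is None:
            continue  # unparseable or non-alert line; skip rather than guess
        s = by_sid[rec["sid"]]
        s["msg"] = rec["msg"]
        s["count"] += 1
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
        if rec["proto"] == "UDP" and rec["sport"] == 53:
            s["responders"].add(rec["src"])
            s["clients"].add(rec["dst"])
    for s in by_sid.values():
        s["all_from_trusted_resolvers"] = bool(s["responders"]) and s["responders"] <= trusted
    return dict(by_sid)


if __name__ == "__main__":
    for sid, s in sorted(summarize_alerts(SAMPLE_FAST_LOG, TRUSTED_RESOLVERS).items()):
        print(f"SID {sid}: {s['count']}x {s['msg']}")
        print(f"  window     : {s['first']} .. {s['last']}")
        print(f"  responders : {sorted(s['responders'])} (all trusted: {s['all_from_trusted_resolvers']})")
        print(f"  clients    : {sorted(s['clients'])}  <- hosts to capture DNS traffic from")
```

Run the script on a real fast.log by replacing SAMPLE_FAST_LOG with the file's lines; the "clients" set for SID 2013935 lists the internal hosts whose DNS queries and TXT answers should go into the pcap for a false-positive check, since the rule inspects the content of the answer rather than the reputation of the server that returned it.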