[Oisf-users] How serious is this threat?
Darien Huss
dhuss at emergingthreats.net
Thu Aug 27 18:40:52 UTC 2015
Hey James,
We can help out with this sort of stuff over on the emerging-sigs list:
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
Are you able to send me a pcap off-list of the queries/responses so I can
check to see if those are FPs? In the meantime, here is some information
from a few years ago:
https://lists.emergingthreats.net/pipermail/emerging-sigs/2012-July/019888.html
Regards,
Darien
On Thu, Aug 27, 2015 at 2:23 PM, James Moe <jimoe at sohnen-moe.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello,
> suricata v2.0.8
> linux 3.16.7-24-desktop x86_64
>
> Recently there have been about a dozen of the entries shown below in
> <fast.log>. These entries occur even when Windows is not running on
> any of the computers here (Windows runs in a VM). There is no evidence
> of the trojan successfully installing itself.
> I searched for an explanation of the threat but could find no
> detailed description of its operation, particularly how it infects a
> computer; only that it steals stuff after infesting.
> What confuses me about the log entry is that it is a response from
> known good DNS servers. 8.8.8.8 is a Google server, and the other one
> is our ISP's DNS server.
> Where may I find a detailed description of the threat?
>
> 08/27/2015-00:15:41.324942 [**] [1:2013935:4] ET TROJAN
> Win32.Zbot.chas/Unruy.H Covert DNS CnC Channel TXT Response [**]
> [Classification: A Network Trojan was Detected] [Priority: 1] {UDP}
> 205.171.3.65:53 -> 192.168.69.246:52150
>
> 08/27/2015-10:32:20.723324 [**] [1:2013935:4] ET TROJAN
> Win32.Zbot.chas/Unruy.H Covert DNS CnC Channel TXT Response [**]
> [Classification: A Network Trojan was Detected] [Priority: 1] {UDP}
> 8.8.8.8:53 -> 192.168.69.246:36568
>
>
> - --
> James Moe
> moe dot james at sohnen-moe dot com
> 520.743.3936
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iEYEARECAAYFAlXfVYkACgkQzTcr8Prq0ZNsEQCfZ0cN/3tiHhsMM7pWi0YZ0fi+
> hbEAn2lttl4Wj2GZqQsNsn5gE4JJU57A
> =Bdvi
> -----END PGP SIGNATURE-----
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona:
> http://oisfevents.net
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20150827/0d9cedeb/attachment-0002.html>
More information about the Oisf-users
mailing list