Gadi Evron
04/06/05, 22:05
Well, it's been few days since this story broke and amazingly only a few
AV companies detect it.
I am distributing it to the rest of the vendors with the help of a
friend, so at least that's covered, however, due to the nature of this
incident and the high interest I believe many others in the security
industry may want it and I am too busy to answer everyone pinging me.
Please email me privately and I'll share it securely with those of you
who have a reason to have it.
I hope to get more versions of the sample soon here in IL, as any
variant I get is the same one from the same incident.
Matt Jonkman over at Bleeding-Snort wrote and released snort signatures,
in cooperation with Joe Stewart at lurhq and myself at IL-CERT.
I am sure many organizations would be interested in those.
http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/Stable/VIRUS/TROJAN_Hotword?rev=1.1&view=auto
alert tcp $EXTERNAL_NET any -> $HOME_NET 2any(msg:"BLEEDING-EDGE VIRUS
Hotword Trojan in Transit"; content:"|63 6f 6d 66 69 64 65 6e 74 69 61
6c 20 64 6f 63 75 6d 65 6e 74 20 28 57 6f 72 64 29 20 66 72 6f 6d 20 44
69 67 69 44 6f 63 00 43 4d 20 25 73 20|"; flow:established,from_server;
classtype:trojan-activity;
reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html;
reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.rona.html;
sid:2001959; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE
VIRUS Hotword Trojan inbound via http"; content:"|63 6f 6d 66 69 64 65
6e 74 69 61 6c 20 64 6f 63 75 6d 65 6e 74 20 28 57 6f 72 64 29 20 66 72
6f 6d 20 44 69 67 69 44 6f 63 00 43 4d 20 25 73 20|";
flow:established,from_server; classtype:trojan-activity;
reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html;
reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.rona.html;
sid:2001960; rev:1;)
alert tcp any any -> $EXTERNAL_NET 21 (msg:"BLEEDING-EDGE VIRUS Hotword
Trojan -- Possible File Upload CHJO"; content:"STOR __";
content:"-CHJO.DRV"; within:100; nocase; classtype:trojan-activity;
reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html;
reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.rona.html;
sid:2001961; rev:1;)
alert tcp any any -> $EXTERNAL_NET 21 (msg:"BLEEDING-EDGE VIRUS Hotword
Trojan -- Possible File Upload CFXP"; content:"STOR __";
content:"-CFXP.DRV"; within:100; nocase; classtype:trojan-activity;
reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html;
reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.rona.html;
sid:2001962; rev:1;)
alert tcp any any -> $EXTERNAL_NET 21 (msg:"BLEEDING-EDGE VIRUS Hotword
Trojan -- Possible FTP File Request pspv.exe"; content:"SIZE pspv.exe";
classtype:trojan-activity;
reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html;
reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.rona.html;
sid:2001963; rev:1;)
alert tcp any any -> $EXTERNAL_NET 21 (msg:"BLEEDING-EDGE VIRUS Hotword
Trojan -- Possible FTP File Request .tea"; content:"LIST ";
content:".tea"; nnocase; within:50; classtype:trojan-activity;
reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html;
reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.rona.html;
sid:2001964; rev:1;)
alert tcp any any -> $EXTERNAL_NET 21 (msg:"BLEEDING-EDGE VIRUS Hotword
Trojan -- Possible FTP File Status Upload ___"; content:"|53 54 4f 52 20
5f 5f 5f 0d 0a|"; classtype:trojan-activity;
reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html;
reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.rona.html;
sid:2001965; rev:1;)
alert tcp any any -> $EXTERNAL_NET 21 (msg:"BLEEDING-EDGE VIRUS Hotword
Trojan -- Possible FTP File Status Check ___"; content:"|53 49 5a 45 20
5f 5f 5f 0d 0a|"; classtype:trojan-activity;
reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html;
reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.rona.html;
sid:2001966; rev:1;)
Gadi Evron.
AV companies detect it.
I am distributing it to the rest of the vendors with the help of a
friend, so at least that's covered, however, due to the nature of this
incident and the high interest I believe many others in the security
industry may want it and I am too busy to answer everyone pinging me.
Please email me privately and I'll share it securely with those of you
who have a reason to have it.
I hope to get more versions of the sample soon here in IL, as any
variant I get is the same one from the same incident.
Matt Jonkman over at Bleeding-Snort wrote and released snort signatures,
in cooperation with Joe Stewart at lurhq and myself at IL-CERT.
I am sure many organizations would be interested in those.
http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/Stable/VIRUS/TROJAN_Hotword?rev=1.1&view=auto
alert tcp $EXTERNAL_NET any -> $HOME_NET 2any(msg:"BLEEDING-EDGE VIRUS
Hotword Trojan in Transit"; content:"|63 6f 6d 66 69 64 65 6e 74 69 61
6c 20 64 6f 63 75 6d 65 6e 74 20 28 57 6f 72 64 29 20 66 72 6f 6d 20 44
69 67 69 44 6f 63 00 43 4d 20 25 73 20|"; flow:established,from_server;
classtype:trojan-activity;
reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html;
reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.rona.html;
sid:2001959; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE
VIRUS Hotword Trojan inbound via http"; content:"|63 6f 6d 66 69 64 65
6e 74 69 61 6c 20 64 6f 63 75 6d 65 6e 74 20 28 57 6f 72 64 29 20 66 72
6f 6d 20 44 69 67 69 44 6f 63 00 43 4d 20 25 73 20|";
flow:established,from_server; classtype:trojan-activity;
reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html;
reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.rona.html;
sid:2001960; rev:1;)
alert tcp any any -> $EXTERNAL_NET 21 (msg:"BLEEDING-EDGE VIRUS Hotword
Trojan -- Possible File Upload CHJO"; content:"STOR __";
content:"-CHJO.DRV"; within:100; nocase; classtype:trojan-activity;
reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html;
reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.rona.html;
sid:2001961; rev:1;)
alert tcp any any -> $EXTERNAL_NET 21 (msg:"BLEEDING-EDGE VIRUS Hotword
Trojan -- Possible File Upload CFXP"; content:"STOR __";
content:"-CFXP.DRV"; within:100; nocase; classtype:trojan-activity;
reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html;
reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.rona.html;
sid:2001962; rev:1;)
alert tcp any any -> $EXTERNAL_NET 21 (msg:"BLEEDING-EDGE VIRUS Hotword
Trojan -- Possible FTP File Request pspv.exe"; content:"SIZE pspv.exe";
classtype:trojan-activity;
reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html;
reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.rona.html;
sid:2001963; rev:1;)
alert tcp any any -> $EXTERNAL_NET 21 (msg:"BLEEDING-EDGE VIRUS Hotword
Trojan -- Possible FTP File Request .tea"; content:"LIST ";
content:".tea"; nnocase; within:50; classtype:trojan-activity;
reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html;
reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.rona.html;
sid:2001964; rev:1;)
alert tcp any any -> $EXTERNAL_NET 21 (msg:"BLEEDING-EDGE VIRUS Hotword
Trojan -- Possible FTP File Status Upload ___"; content:"|53 54 4f 52 20
5f 5f 5f 0d 0a|"; classtype:trojan-activity;
reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html;
reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.rona.html;
sid:2001965; rev:1;)
alert tcp any any -> $EXTERNAL_NET 21 (msg:"BLEEDING-EDGE VIRUS Hotword
Trojan -- Possible FTP File Status Check ___"; content:"|53 49 5a 45 20
5f 5f 5f 0d 0a|"; classtype:trojan-activity;
reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html;
reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.rona.html;
sid:2001966; rev:1;)
Gadi Evron.