Author Topic: New citadel H e r m e s trojan IP-address to block: 46.28.71.19 (Read 2200 times)

polonus · « **on:** August 15, 2012, 08:57:55 PM »

The H e r m e s C&C domains have moved to a new address at:
46.28.71.19 information from FoX-IT International blog provided by Michael Sandee
See: http://urlquery.net/report.php?id=131791 also hosting Sakura exploit kit...

polonus

polonus · « **Reply #1 on:** August 15, 2012, 09:23:35 PM »

What IDS alert was flagged for this source IP is http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
gen_id 120, sig_id 3, type limit, track by_src, count 1, limit the alert to once per 10 minutes
See: http://129.81.224.37/base_qry_main.php?new=1&layer4=TCP&num_result_rows=-1&sort_order=time_d&submit=Query+DB
Valuable resource this Windows Intrusion Detection System!

polonus

polonus · « **Reply #2 on:** August 15, 2012, 11:06:52 PM »

Here we see that avast is not yet detecting this trojan: https://www.virustotal.com/file/F42E71F3E5121412E2C82D7AC982E5036F63D39C1C6591C3630F6B3FD8A48180/analysis/
also see: http://malwr.com/analysis/20be4f07f9a12c35463361a7212ca5ff/

polonus

Author Topic: New citadel H e r m e s trojan IP-address to block: 46.28.71.19 (Read 2200 times)

polonus

New citadel H e r m e s trojan IP-address to block: 46.28.71.19

polonus

Re: New citadel H e r m e s trojan IP-address to block: 46.28.71.19

polonus

Re: New citadel H e r m e s trojan IP-address to block: 46.28.71.19