Author Topic: CC server IP detection missed?  (Read 2442 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33990
  • malware fighter
CC server IP detection missed?
« on: February 13, 2013, 10:45:42 PM »
CC server IP block missed? Priority 7    TCP Ports 3305    Filter deny ip host 59.124.27.180 any log ! 7 infects 10/31/12 to 01/08/13 hinet.net    ISP chunghwa telecom data communication business group  (info from BotHunter Filter) see: http://kb.bothunter.net/ipInfo/nowait.php?IP=59.124.27.180
evidence: http://www.threatexpert.com/report.aspx?md5=13aebb5e34baf54a7cba5fba51f92a4c
See: http://www.ipvoid.com/scan/59.124.27.180/
Also flagged here: http://rules.emergingthreats.net/blockrules/emerging-botcc.suricata.rules
See: http://urlquery.net/queued.php?id=13730629
IDS alerts: ET CNC Shadowserver Reported CnC Server IP (group 29) (severity1) &
FILEMAGIC Macromedia Flash data (severity3)

polonus

P.S. To see for yourself what is being missed by a large number of av solutions, go here: http://mtc.sri.com/live_data/cc_servers/
not reassuring, folks...not reassuring at all

D
« Last Edit: February 13, 2013, 10:54:22 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: CC server IP detection missed?
« Reply #1 on: February 13, 2013, 11:02:51 PM »
Hi Polonus,

I find the following rather interesting:
Code:
NICK P|b1p0iguxy
USER jjhjp4voc * 0 :USA|XP|561
USERHOST P|b1p0iguxy
MODE P|b1p0iguxy
JOIN #s echo

Notice that the "USER" contains :USA|XP|561. I know that USA is the country, and XP is the operating system, but what does the 561 mean? Is it merely there to trick the average analyst? Is it a "double-check" of some sort? Does it rely on the time of day? Or does it mean something completely different? This is somewhat confusing.

~!Donovan
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."
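The handshake quoted in the post above is a typical IRC bot registration: a prefixed random nick, a throwaway ident, a realname field carrying host information, and a JOIN to a channel with a key. The following is an added example (not code from the thread or from any project mentioned in it) showing how a defender can parse such client-side IRC lines from a capture and score a session. The sample session is constructed to mirror the quoted lines; the destination IP and port are the ones polonus reported (59.124.27.180, TCP 3305). The interpretation of the realname fields as country, OS and a numeric tag follows the thread's own reading and is an assumption, as are the regex conventions and the `KNOWN_CNC` set.

```python
"""Score IRC client registration handshakes for bot-like traits.

Added example, not from the forum thread. Indicator values are taken from
the thread (59.124.27.180:3305); field meanings for the realname are an
assumption based on the thread's reading of "USA|XP|561".
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Destination indicators; in practice these come from a feed such as the
# ET botcc rules the thread links to. Constructed from the thread's values.
KNOWN_CNC = {("59.124.27.180", 3305)}

# Conventions seen in the quoted handshake (assumed patterns):
#   NICK <letter>|<random>           e.g. P|b1p0iguxy
#   USER <ident> * 0 :<CC>|<OS>|<N>  e.g. :USA|XP|561
NICK_RE = re.compile(r"^[A-Za-z]\|[A-Za-z0-9]{6,}$")
REALNAME_RE = re.compile(r"^(?P<country>[A-Z]{2,3})\|(?P<os>[A-Za-z0-9]+)\|(?P<tag>\d+)$")

STANDARD_IRC_PORTS = (6667, 6697)


@dataclass
class Registration:
    dst_ip: str
    dst_port: int
    nick: Optional[str] = None
    ident: Optional[str] = None
    realname: Optional[str] = None
    channels: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)


def parse_user(params: str) -> Tuple[Optional[str], Optional[str]]:
    """Split 'USER <ident> <mode> <unused> :<realname>' into (ident, realname)."""
    head, sep, trailing = params.partition(" :")
    parts = head.split()
    ident = parts[0] if parts else None
    realname = trailing if sep else None
    return ident, realname


def analyse_session(dst_ip: str, dst_port: int, lines: List[str]) -> Registration:
    """Parse client-to-server IRC lines and collect reasons the session looks bot-like."""
    reg = Registration(dst_ip, dst_port)
    for raw in lines:
        cmd, _, params = raw.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "NICK":
            reg.nick = params.strip()
        elif cmd == "USER":
            reg.ident, reg.realname = parse_user(params)
        elif cmd == "JOIN":
            # First token is the channel; a second token (here "echo") is the channel key.
            tokens = params.split()
            if tokens:
                reg.channels.append(tokens[0])

    if (dst_ip, dst_port) in KNOWN_CNC:
        reg.reasons.append("destination on C&C blocklist")
    if reg.nick and NICK_RE.match(reg.nick):
        reg.reasons.append("nick uses <letter>|<random> bot convention")
    if reg.realname:
        m = REALNAME_RE.match(reg.realname)
        if m:
            reg.reasons.append(
                f"realname encodes host info: country={m['country']} os={m['os']} tag={m['tag']}"
            )
    if reg.channels and dst_port not in STANDARD_IRC_PORTS:
        reg.reasons.append(f"IRC JOIN on non-standard port {dst_port}")
    return reg


def is_suspicious(reg: Registration) -> bool:
    """Require two independent traits so a single odd nick does not page anyone."""
    return len(reg.reasons) >= 2


# Constructed sample mirroring the handshake quoted in the thread.
SAMPLE_LINES = [
    "NICK P|b1p0iguxy",
    "USER jjhjp4voc * 0 :USA|XP|561",
    "USERHOST P|b1p0iguxy",
    "MODE P|b1p0iguxy",
    "JOIN #s echo",
]

if __name__ == "__main__":
    result = analyse_session("59.124.27.180", 3305, SAMPLE_LINES)
    for reason in result.reasons:
        print("-", reason)
    print("suspicious:", is_suspicious(result))
```

The scoring deliberately needs two independent traits: the nick and realname conventions are cheap to change, so the destination blocklist and the non-standard port carry weight alongside them, and a plain user on a standard port with a human realname produces no reasons at all.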

Offline polonus

Re: CC server IP detection missed?
« Reply #2 on: February 13, 2013, 11:30:24 PM »
Hi !Donovan,

It is a count total (letters? words). Certainly comes into that realm.

pol

Offline polonus

Re: CC server IP detection missed?
« Reply #3 on: March 06, 2013, 02:40:34 PM »
Hi folks,

Looked at that C&C again and it is still being missed: http://www.ipvoid.com/scan/59.124.27.180/  but for EmergingThreats.
http://urlquery.net/queued.php?id=16472594 (2 IDS alerts)


pol