CC server IP detection missed?

[polonus]

CC server IP block missed? Priority 7    TCP Ports 3305    Filter deny ip host 59.124.27.180 any log ! 7 infects 10/31/12 to 01/08/13 hinet.net    ISP chunghwa telecom data communication business group  (info from BotHunter Filter) see: http://kb.bothunter.net/ipInfo/nowait.php?IP=59.124.27.180
evidence: http://www.threatexpert.com/report.aspx?md5=13aebb5e34baf54a7cba5fba51f92a4c
See: http://www.ipvoid.com/scan/59.124.27.180/
Also flagged here: http://rules.emergingthreats.net/blockrules/emerging-botcc.suricata.rules
See: http://urlquery.net/queued.php?id=13730629
IDS alerts: ET CNC Shadowserver Reported CnC Server IP (group 29) (severity1) &
FILEMAGIC Macromedia Flash data (severity3)

polonus

P.S. To see for yourself what is being missed by a large number of av solutions, go here: http://mtc.sri.com/live_data/cc_servers/
not reassuring, folks...not reassuring at all

D

[!Donovan]

Hi Polonus,

I find the following rather interesting:

Code: [Select]

NICK P|b1p0iguxy
USER jjhjp4voc * 0 :USA|XP|561
USERHOST P|b1p0iguxy
MODE P|b1p0iguxy
JOIN #s echo
Notice that the "USER" contains :USA|XP|561. I know that USA is the country, and XP is the operating system, but what does the 561 mean? Is it merely there to trick the average analyst? Is it a "double-check" of some sort? Does it rely on the time of day? Or does it mean something completely different? This is somewhat confusing..

~!Donovan

[polonus]

Hi !Donovan,

It is a count total (letters? words). Certainly comes into that realm,

pol

[polonus]

Hi folks,

Looked at that C&C again and still being missed: http://www.ipvoid.com/scan/59.124.27.180/  but for EmergingThreats.
http://urlquery.net/queued.php?id=16472594 (2 IDS alerts)


pol