Friday, June 13, 2014

Etumbot Detection, more prior coverage

Arbor Networks recently posted details about a backdoor they named Etumbot. It provides technical detail about the functionality of the malware and it includes hashes of known samples.

The Arbor write up is available here:
http://www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/

Using the list of hashes provided by Arbor, the malware was run through our sandbox. This allows us to see files created or downloaded, registry modifications, network traffic and other malware behavior. After the samples have completed their runs in the sandbox, pcap files are retrieved and ran against the existing Sourcefire NGIPS/Snort ruleset provided by the VRT.  The following rules generated alerts.

24115 - MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection
24235 - MALWARE-CNC Win.Trojan.Wuwo initial infection variant outbound connection
26072 - MALWARE-CNC Win.Trojan.Locati variant outbound connection
28914 - MALWARE-CNC Win.Trojan.Anony variant connection
29471 - BLACKLIST DNS request for known malware domain cht.strangled.net
29473 - BLACKLIST DNS request for known malware domain finance.yesplusno.com

The VRT has had coverage for this malware since 2012 with the rules listed above.

No comments:

Post a Comment