Re: [Snort-sigs] new Q signature

Its been nearly a month now, and I'm only slightly closer to getting to the bottom of this.

As previously mentioned, I've been using the following rule to track any machines that spew packets containg 'cko', which is associated with the Q backdoor:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible Q-Backdoor traffic"; content:"cko"; depth:3; dsize:3;)

I've compiled some information about this traffic in the hopes that it helps someone. Since my first email (beginning of Februrary), I've caught 2042 packets coming into my network that tripped this signature.

Common characteristics for all of these packets include:

• all tcp
• low ttl
• ACK and PSH flags set
• sequence # set
• payload is "cko"

In terms of most popular ports:

Qty | Dst Port

1184     80 (http)
59       25 (smtp)
11       993 (imaps)
5        22 (ssh)

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related snort.org Links snort-announce snort-cvsinfo snort-devel snort-sigs snort-users Request more information about Pantek

Qty | Src Port

629      80 (http)
96       25 (smtp)
33       443 (https)
11       457 (scohelp via NCSA)

In terms of most talkative hosts:

Qty | IP | Comment(s)

251      129.41.36.211     All from port 80 on an Apache webserver
183      216.75.196.140    All from port 80 on an IIS (5.1) webserver
88       80.15.172.140     All to port 80 on an Apache webserver
84       63.126.62.14      All from port 80 on an IIS (5.0) webserver
80       216.2.139.35      All to/from port 25 on a WorldMail mailserver

Traffic leading up to the final 'cko' packets always seems very routine -- your average web browse, mail traffic, etc. All source hosts that were not the server in the connection seem to be random dialup/dsl machines from around the globe.

Any feedback or information about these (or other similar) "attacks" would be much appreciated, either publicly on this list or privately via email.

Fyi and thanks,

-jon