Showing posts with label houdini. Show all posts

Tuesday, July 28, 2015

Houdini Tracker Update

Just a quick post to let you know that I have added a few more indicators to the Houdini RAT tracking list.

Enjoy! I will be updating with another indicator list pretty soon, I just need to clean up a few things.

Thursday, April 16, 2015

Houdini / h-worm / njRAT Tracking List

I added a tracking list for the Houdini malware (njRAT, h-worm, etc...). This list is best used in a monitoring tool rather than a blocking tool as some of the domains will most likely be out-of-date. If you are not familiar with this malware, then please check out the links listed below.

This list has grown over the past year since I have been tracking it, so I hope it serves you well. I will continue to update the list as I find new variants or indicators, and if you wish to contribute then please feel free to send me an email.

Click here to go to the page. Enjoy!

Further reading:

Tuesday, April 14, 2015

Incoming Houdini Tracking List

I have been seeing a good amount of Houdini traffic in the past, and it seems to be picking up steam again: for a quick refresher, check out this FireEye report. So I decided to create a list of command and control servers used by the malware.

The list will not be an active/live list such as the ones you find on Abuse.ch, rather it will contain historical data of hosts, as well as other useful information such as user-agent string values, HTTP URI paths, destination ports, and other data.

The list should be posted within the week, so please check back.

Wednesday, January 14, 2015

Indicators - Houdini RAT

Threat Name: Houdini

Variants or Other Possible Names: njRAT, Iniduoh.

This RAT (Remote Access Trojan) has been around for a while, and was first posted by FireEye. It is a pretty nasty RAT, but is quite easy to find in log files. I will brush over the indicators on FireEye's website, as well as some other indicators not listed.

Remote Host Connections:

The author is fascinated with no-ip.info and zapto.org, so start your search with those domains. Below are several other domains used by the RAT:
  • introworld.zapto.org
  • j2w2d.no-ip.biz (31.186.179.230)
  • qwqhack.no-ip.biz (37.239.116.223)
  • paltalk.servequake.com
  • terminator9.zapto.org
  • basss.no-ip.info
  • bg1337.zapto.org
  • ronaldo-123.no-ip.biz

HTTP URI Indicators:
  • /is-ready

HTTP Request Methods:
  • POST

User-agent String Values:

This is an easy catch. The below value is used as a separator in the user-agent string field:
  • <|>

Associated Snort Rule:
  • alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Iniduoh variant outbound connection"; flow:to_server,established; content:"/is-ready"; fast_pattern:only; http_uri; content:"User|2D|Agent|3A 20|"; http_header; content:"|3C 7C 3E|"; within:3; distance:8; http_header; content:"|3C 7C 3E|"; within:18; http_header; content:"|3C 7C 3E|Microsoft Windows"; within:84; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/220b551d9381fb56b48511b622a0bbc15482378396b3e83f708379f460f3347a/analysis/; classtype:trojan-activity; sid:28817; rev:3;)

Regex:

Search in the user-agent string field.
  • <\|>
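The indicators above are easy to turn into a log check. The following is an added example (not code from the original post) that reads proxy-style HTTP log lines and flags the three signals described here: a destination host on the domain list, a POST to /is-ready, and the <|> separator in the user-agent field. The log line layout and the sample lines are constructed for this example; adapt the line regex to whatever your proxy or web gateway actually writes.

```python
import re
from dataclasses import dataclass

# Indicators taken from the post: C2 domains, URI path, request method,
# and the user-agent separator (the post's regex <\|> with '|' escaped).
HOUDINI_DOMAINS = {
    "introworld.zapto.org",
    "j2w2d.no-ip.biz",
    "qwqhack.no-ip.biz",
    "paltalk.servequake.com",
    "terminator9.zapto.org",
    "basss.no-ip.info",
    "bg1337.zapto.org",
    "ronaldo-123.no-ip.biz",
}
HOUDINI_URI = "/is-ready"
HOUDINI_METHOD = "POST"
UA_SEPARATOR_RE = re.compile(r"<\|>")

# Assumed log layout (constructed for this example, not a real product format):
#   <timestamp> <client_ip> <method> <host> <path> "<user-agent>"
LOG_LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) '
    r'(?P<host>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    client: str
    host: str
    reasons: tuple


def check_line(line):
    """Return a Finding for a log line that matches any Houdini indicator, else None."""
    m = LOG_LINE_RE.match(line)
    if not m:
        return None  # unparseable line; ignore rather than crash the scan
    reasons = []
    if m["host"].lower() in HOUDINI_DOMAINS:
        reasons.append("known-c2-domain")
    # The URI alone is a weak signal; combine it with the POST method as the
    # post (and the Snort rule) does.
    if m["path"] == HOUDINI_URI and m["method"] == HOUDINI_METHOD:
        reasons.append("is-ready-post")
    if UA_SEPARATOR_RE.search(m["ua"]):
        reasons.append("ua-separator")
    if not reasons:
        return None
    return Finding(m["client"], m["host"], tuple(reasons))


def scan(lines):
    """Scan an iterable of log lines and return all findings in order."""
    return [f for f in (check_line(line) for line in lines) if f is not None]


# Constructed sample lines: one full beacon, one benign browser request,
# one plain visit to a listed domain with no other indicator.
SAMPLE_LOG = [
    '2015-01-14T10:02:11 10.0.0.5 POST introworld.zapto.org /is-ready '
    '"ABC123<|>WORKSTATION1<|>user<|>Microsoft Windows 7 Professional<|>No"',
    '2015-01-14T10:02:15 10.0.0.7 GET www.example.com /index.html '
    '"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"',
    '2015-01-14T10:03:40 10.0.0.9 GET bg1337.zapto.org / "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding.client, finding.host, ", ".join(finding.reasons))
```

Treat a single reason (especially a domain hit on a dynamic-DNS host) as something to review rather than to block, in line with the note above that older domains on the list may be out of date; a line carrying all three reasons is the pattern the Snort rule fires on.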

Conclusion:

I was never able to find much information on this RAT, and I hope this helps you out in your searches.