Snort mailing list archives

Neutrino EK initial landing on a DGA host


From: Community Proposed <lists () packetmail net>
Date: Tue, 4 Jun 2013 14:44:47 -0500

We picked up a hostile Neutrino EK initial landing on a DGA host; it's a 24-byte
a-f leading child domain.  pDNS shows that the IPs in question have multiple
DGAs pointed to them -- feel free to validate.  I don't see payload, but I'm not
100% with Neutrino like the other EKs.

    IP - 37.59.151.254
    IP - 178.238.230.173
    IP - 178.32.176.219

RegEx for match (WebWasher/WebGateway format):

     regex((?-i)http:\/\/[a-f0-9]{24}\.[^\.]+\.[a-z]{2,4}[\x2f\x3a][^\r\n]+$)
     Nathan Fowler, Jun 04 2013, Neutrino Exploit Kit initial landing 24-byte DGA.

Snort Sig, might be crappy, double check me on distance/within.

        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS
Neutrino EK DGA requested over HTTP"; flow:established,to_server;
content:"Host|3a 20|"; http_header; 
content:"."; http_header; distance:24; within:1;
pcre:"/Host\x3a\x20[a-f0-9]{24}\.[^\.]+\.[a-z]{2,4}[\x3a\r\n]/H";
classtype:trojan-activity; sid:x; rev:1;)
    
Validation:
select distinct date_time, http_status, block_reason, user_name, url from
webwasher_full where day>='2013-05-01' and url rlike
'http:\\/\\/[a-f0-9]{24}\\.[^\\.]+\\.[a-z]{2,4}[\\x2f\\x3a][^\\r\\n]+$' and
http_status <> '407'
 [03/Jun/2013:12:21:30 -0600]    403    Malware found   
hxxp://73c96a6e5669cd1c04d935f8.homeftp.net:8000/abdmkligulifci?hash=f47467dbe2117272f25d0fd98b61ba5a&qlwrywrlrlev=358488
 [03/Jun/2013:14:12:49 -0600]    403    Malware found   
hxxp://3a0be0574268a3bf2d7f1f35.homeftp.net:8000/axjop?hash=f47467dbe2117272f25d0fd98b61ba5a&qwkqusrhbm=358488
 [03/Jun/2013:15:21:58 -0600]    403    Malware found   
hxxp://774f4fbced510393034e7fbc.homeftp.net:8000/arjmwhtocqhn?qksetrpgspud=5432189
 [04/Jun/2013:10:32:49 -0600]    403    Malware found   
hxxp://88f3a91bf73b8534563ac260.homeftp.org:8000/atrvcb?hash=f47467dbe2117272f25d0fd98b61ba5a&qgdijbgx=358488
 [31/May/2013:13:23:47 -0600]    200    -   
hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/arhxxx?qlwgvb=403906
 [31/May/2013:13:23:51 -0600]    200    -   
hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/zbzs.js
 [31/May/2013:13:23:51 -0600]    200    -   
hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/atvxwt.css
 [31/May/2013:13:23:51 -0600]    200    -   
hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/qiqisdikou.css
 [31/May/2013:13:23:51 -0600]    200    -   
hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/markldprj.css
 [31/May/2013:13:23:51 -0600]    200    -   
hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/rxmdvvpn.js
 [31/May/2013:13:23:52 -0600]    200    -   
hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/vbiuchm.js
 [31/May/2013:13:23:52 -0600]    200    -   
hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/pyafhqozux.css
 [31/May/2013:13:23:52 -0600]    200    -   
hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/qkuybslfn.js
 [31/May/2013:13:23:52 -0600]    200    -   
hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/jtylljqzqlazgcht.js
 [31/May/2013:13:23:52 -0600]    200    -   
hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/mrdefsdfykv.js
 [31/May/2013:13:23:52 -0600]    200    -   
hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/bxobfcftotdnsd.js
 [31/May/2013:13:23:52 -0600]    200    -   
hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/oysnnyor.css
 [31/May/2013:13:23:52 -0600]    200    -   
hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/mciylzxclybrbil.js
 [31/May/2013:13:23:52 -0600]    200    -   
hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/zogaeoag.css
 [31/May/2013:13:23:52 -0600]    200    -   
hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/scripts/js/plg.js
 [31/May/2013:13:23:53 -0600]    200    -   
hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/aophawfn.jpg
 [31/May/2013:13:23:53 -0600]    200    -   
hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/wphqdnxibfa.gif
 [31/May/2013:13:23:53 -0600]    200    -   
hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/rvpdvnfglhyn.jpg
 [31/May/2013:13:23:53 -0600]    200    -   
hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/rzxvokmg.gif
 [31/May/2013:13:23:53 -0600]    200    -   
hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/kikmomrhbllpep.js
 [31/May/2013:13:23:53 -0600]    200    -   
hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/jbstoggf.jpg
 [31/May/2013:13:23:53 -0600]    200    -   
hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/uduzindnmojz.js
 [31/May/2013:13:23:53 -0600]    200    -   
hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/lxjmrf.css
 [31/May/2013:13:23:54 -0600]    200    -   
hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/bzynxtkzmop
 [30/May/2013:13:15:58 -0600]    403    Category Blocklist   
hxxp://1debaac13828d44b089f1928.here-for-more.info:8000/alpwptfr?qwhglf=403906
 [29/May/2013:12:46:42 -0600]    200    -   
hxxp://369da9acb3862aa33a1646c4.homelinux.com:8000/akrlprngl?qxyyejxbjlb=403906
 [29/May/2013:12:46:43 -0600]    200    -   
hxxp://369da9acb3862aa33a1646c4.homelinux.com:8000/gjdk.css
 [29/May/2013:12:46:43 -0600]    200    -   
hxxp://369da9acb3862aa33a1646c4.homelinux.com:8000/ihvqulnxk.js
 [29/May/2013:12:46:43 -0600]    200    -   
hxxp://369da9acb3862aa33a1646c4.homelinux.com:8000/szfnpiopydjzoi.css
 [29/May/2013:12:46:43 -0600]    200    -   
hxxp://369da9acb3862aa33a1646c4.homelinux.com:8000/wwmlbfxah.css


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
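The detection described in the post (24 lowercase hex characters as the leading label, one parent label, a 2-4 letter TLD, then a port or path) run over constructed proxy-log lines and a constructed HTTP request, as an added example that is not part of the original post. The log format (tab-separated timestamp, status, block reason, URL), the sample lines, the request bytes and the helper names are assumptions made for this example; the hostnames reuse the labels the post lists. The last helper emulates the rule's `content:"."; distance:24; within:1;` pair so the distance/within question in the post can be checked directly.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Python equivalent of the WebWasher regex in the post. It is deliberately
# case-sensitive ((?-i) in the original): the DGA labels seen are all lowercase.
DGA_URL_RE = re.compile(
    r'^http://(?P<label>[a-f0-9]{24})\.(?P<parent>[^.]+)\.(?P<tld>[a-z]{2,4})[/:][^\r\n]+$'
)

# The same check against the HTTP Host header, mirroring the Snort pcre
# (an optional ":port", then end of the header line).
DGA_HOST_RE = re.compile(
    r'^Host: (?P<label>[a-f0-9]{24})\.[^.]+\.[a-z]{2,4}(?::\d+)?\r?$', re.M
)


class Hit(NamedTuple):
    timestamp: str
    status: str
    url: str
    label: str


def parse_log_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Split one assumed tab-separated log line: timestamp, status, reason, URL."""
    parts = [p.strip() for p in line.strip().split('\t')]
    if len(parts) != 4:
        return None
    return parts[0], parts[1], parts[2], parts[3]


def find_dga_landings(log_text: str, exclude_status=('407',)) -> List[Hit]:
    """Apply the DGA pattern to every log line, skipping proxy-auth challenges
    (407) the way the post's SQL validation query does."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        ts, status, _reason, url = rec
        if status in exclude_status:
            continue
        m = DGA_URL_RE.match(url)
        if m:
            hits.append(Hit(ts, status, url, m.group('label')))
    return hits


def host_header_label(request: bytes) -> Optional[str]:
    """Return the 24-hex label if the request's Host header matches, else None."""
    m = DGA_HOST_RE.search(request.decode('latin-1'))
    return m.group('label') if m else None


def snort_distance_within_check(header_text: str) -> bool:
    """Emulate content:"Host: " followed by content:"."; distance:24; within:1.
    distance:24 skips 24 bytes past the end of the first match; within:1 means the
    one-byte content must sit in the next single byte, i.e. exactly there."""
    idx = header_text.find('Host: ')
    if idx < 0:
        return False
    start = idx + len('Host: ') + 24
    return header_text[start:start + 1] == '.'


# Constructed sample log (assumed format); labels are the ones listed in the post.
SAMPLE_LOG = "\n".join([
    "[03/Jun/2013:12:21:30 -0600]\t403\tMalware found\thttp://73c96a6e5669cd1c04d935f8.homeftp.net:8000/abdmkligulifci?hash=f47467dbe2117272f25d0fd98b61ba5a&qlwrywrlrlev=358488",
    "[31/May/2013:13:23:47 -0600]\t200\t-\thttp://1732e11475aebfef554f6ed5.homelinux.org:8000/arhxxx?qlwgvb=403906",
    "[03/Jun/2013:12:21:29 -0600]\t407\t-\thttp://73c96a6e5669cd1c04d935f8.homeftp.net:8000/abdmkligulifci",  # proxy auth, excluded
    "[03/Jun/2013:09:00:00 -0600]\t200\t-\thttp://cdn.example.com/assets/0123456789abcdef0123456789abcdef.js",  # hex in path, not host
    "[03/Jun/2013:09:00:01 -0600]\t200\t-\thttp://ABCDEF0123456789ABCDEF01.example.net/",  # uppercase: no match
    "[03/Jun/2013:09:00:02 -0600]\t200\t-\thttp://0123456789abcdef0123456.example.net/",  # 23 hex chars: no match
])

# Constructed HTTP requests (assumed), one hostile and one benign.
SAMPLE_REQUEST = (
    b"GET /abdmkligulifci?hash=f47467dbe2117272f25d0fd98b61ba5a&qlwrywrlrlev=358488 HTTP/1.1\r\n"
    b"Host: 73c96a6e5669cd1c04d935f8.homeftp.net:8000\r\n"
    b"User-Agent: Mozilla/5.0\r\n\r\n"
)
BENIGN_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n"
)

if __name__ == "__main__":
    for hit in find_dga_landings(SAMPLE_LOG):
        print(hit.timestamp, hit.status, hit.label, hit.url)
    print("host header:", host_header_label(SAMPLE_REQUEST), host_header_label(BENIGN_REQUEST))
    print("distance/within:", snort_distance_within_check(SAMPLE_REQUEST.decode('latin-1')),
          snort_distance_within_check(BENIGN_REQUEST.decode('latin-1')))
```

The content pair in the Snort rule only confirms that a "." sits exactly 24 bytes after "Host: "; it does not check that those 24 bytes are hex, so it works as a cheap pre-filter and the pcre is what actually enforces the pattern. The uppercase and 23-character samples show where the case-sensitive, fixed-length match stops, which is worth keeping in mind if the generator changes label length or case.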