Snort mailing list archives
Re: Asprox sig
From: Nick Randolph <drandolph () sourcefire com>
Date: Thu, 11 Jul 2013 16:03:09 -0400
The initial dropper is picked up with sid:20221 but I noticed something interesting when I looked at our samples. It's not obvious in the write up from M86 but the separation between the user-agent header and the host header doesn't have the typical \x0d\x0a it only has \x0a and since that isn't a valid agent for Opera it's being added as a fast_pattern:only; Update looks like this alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan.Injector outbound connection"; flow:to_server,established; content:"User-Agent|3A| Opera|5C|9.64|0A|"; fast_pattern:only; http_header; content:"bb.php?v="; http_uri; content:"id="; distance:0; http_uri; content:"b="; distance:0; http_uri; content:"tm="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url, www.virustotal.com/file-scan/report.html?id=2afb098dfea7d2acd73da520fe26d09acee1449c79d2c8753f3008a2a8f648b2-1303397086; classtype:trojan-activity; sid:20221; rev:4;) On Tue, Jul 9, 2013 at 8:48 PM, Joel Esler <jesler () sourcefire com> wrote:
Thanks James. Sent from my iPhoneOn Jul 9, 2013, at 8:29 PM, James Lay <jlay () slave-tothe-box net> wrote:On Jul 9, 2013, at 2:33 PM, James Lay <jlay () slave-tothe-box net> wrote:On 2013-07-09 14:23, lists () packetmail net wrote:On 07/09/2013 03:15 PM, James Lay wrote: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"msg:"MALWARE-CNC Asprox outbound connection"; flow:to_server,established; content:"?v="; http_uri; content:"&id="; http_uri; within:6; content:"&b="; http_uri; content:"&tm="; http_uri; within:7; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,http://labs.m86security.com/2010/06/the-asprox-spambot-resurrects/;classtype:trojan-activity; sid:10000085; rev:1;)I recommend we had some negations to avoid some falses, for example, the lack of proper headers is pretty bogus. Header ordering is pretty important too, so I'd probably do this: content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|"; fast_pattern:only; content!:"Accept"; http_header; {the rest of your content matches for HTTP URI} Good stuff James, as always. Cheers, NathanThanks Nathan, Here's the mod:Slight change: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS(msg:"msg:"MALWARE-CNC Asprox outbound connection"; flow:to_server,established; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|"; fast_pattern:only; content:!"Accept"; http_header; content:"?v="; http_uri; content:"&id="; http_uri; within:6; content:"&b="; http_uri; content:"&tm="; http_uri; within:7; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url, http://labs.m86security.com/2010/06/the-asprox-spambot-resurrects/; classtype:trojan-activity; sid:10000085; rev:3;)Thanks all. JamesRunning this now in production. James------------------------------------------------------------------------------See everything from the browser to the database with AppDynamics Get end-to-end visibility with application monitoring from AppDynamics Isolate bottlenecks and diagnose root cause in seconds. Start your free trial of AppDynamics Pro today!http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!------------------------------------------------------------------------------See everything from the browser to the database with AppDynamics Get end-to-end visibility with application monitoring from AppDynamics Isolate bottlenecks and diagnose root cause in seconds. Start your free trial of AppDynamics Pro today!http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!------------------------------------------------------------------------------ See everything from the browser to the database with AppDynamics Get end-to-end visibility with application monitoring from AppDynamics Isolate bottlenecks and diagnose root cause in seconds. Start your free trial of AppDynamics Pro today! http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
-- Nick Randolph Research Engineer Sourcefire, Inc. nrandolph () sourcefire com Sourcefire.com <http://www.sourcefire.com/>
------------------------------------------------------------------------------ See everything from the browser to the database with AppDynamics Get end-to-end visibility with application monitoring from AppDynamics Isolate bottlenecks and diagnose root cause in seconds. Start your free trial of AppDynamics Pro today! http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Asprox sig James Lay (Jul 09)
- Re: Asprox sig lists () packetmail net (Jul 09)
- Re: Asprox sig James Lay (Jul 09)
- Re: Asprox sig James Lay (Jul 09)
- Re: Asprox sig Joel Esler (Jul 09)
- Re: Asprox sig Nick Randolph (Jul 11)
- Re: Asprox sig waldo kitty (Jul 11)
- Re: Asprox sig James Lay (Jul 09)
- Re: Asprox sig lists () packetmail net (Jul 09)