Snort mailing list archives
Re: Aumlib malware
From: Nick Randolph <drandolph () sourcefire com>
Date: Mon, 12 Aug 2013 12:19:14 -0400
Sure thing On Mon, Aug 12, 2013 at 12:17 PM, Joel Esler <jesler () sourcefire com> wrote:
Oh wait, sorry Nick, I didn’t see that you had this one, are you grabbing this one? On Aug 12, 2013, at 11:47 AM, Nick Randolph <drandolph () sourcefire com> wrote: I think we should add in the MSIE 5 user-agent as a fast_pattern:only and maybe blacklist DNS rules for the domains in use. I grabbed the samples and gave them a really quick look. 832f5e01be536da71d5b3f7e41938cfb That user-agent used in the POST to /bbs/search.asp and /buy-sell/search.asp?newsid= is static in the malware. Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 5.0) The domains are also static info.xxuz.com and warnews.toh.info cb3dcde34fd9ff0e19381d99b02f9692 Also uses static domains documents.myPicture.info <http://documents.mypicture.info/> ftp.documents.myPicture.info <http://ftp.documents.mypicture.info/> www.documents.myPicture.info <http://www.documents.mypicture.info/> The URL changes slightly but the user-agent isn't as obvious in the binary. Since it's still reporting MSIE 5.0 then it's probably still static /bbs/info.asp aa873ed803ca800ce92a39d9a683c644 This one is a word doc and looks like it gets picked up with sid:26832 On Mon, Aug 12, 2013 at 11:40 AM, Ned Moran <ned () mysterymachine info>wrote:sample in question (832f5e01be536da71d5b3f7e41938cfb) can be found on VT. https://www.virustotal.com/en/file/c77afbe515536773777afebf500088e5b61cf23a6f527e6e39c0895e7be223c7/analysis/ -Ned On 8/12/13 11:16 AM, Y M wrote: Tried to get a sample of the executable from the urls mentioned in the reference but wasn't able to. Need more testing: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Aumlib GET request"; flow:to_server,established; content:"GET"; http_method; content:"/buy-sell/"; http_uri; content:"search.asp"; http_uri; metadata: impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url, fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:trojan-activity; sid:100023; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Aumlib POST request"; flow:to_server,established; content:"POST"; http_method; content:"/bbs/"; http_uri; content:"search.asp"; nocase; http_uri; metadata: impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url, fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:trojan-activity; sid:100022; rev:1;) Thanks.YM ------------------------------------------------------------------------------ Get 100% visibility into Java/.NET code with AppDynamics Lite! It's a free troubleshooting tool designed for production. Get down to code-level detail for bottlenecks, with <2% overhead. Download for free and get started troubleshooting in minutes. http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk _______________________________________________ Snort-sigs mailing listSnort-sigs@lists.sourceforge.nethttps://lists.sourceforge.net/lists/listinfo/snort-sigshttp://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! ------------------------------------------------------------------------------ Get 100% visibility into Java/.NET code with AppDynamics Lite! It's a free troubleshooting tool designed for production. Get down to code-level detail for bottlenecks, with <2% overhead. Download for free and get started troubleshooting in minutes. http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!-- Nick Randolph Research Engineer Sourcefire, Inc. nrandolph () sourcefire com Sourcefire.com <http://www.sourcefire.com/> ------------------------------------------------------------------------------ Get 100% visibility into Java/.NET code with AppDynamics Lite! It's a free troubleshooting tool designed for production. Get down to code-level detail for bottlenecks, with <2% overhead. Download for free and get started troubleshooting in minutes. http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
-- Nick Randolph Research Engineer Sourcefire, Inc. nrandolph () sourcefire com Sourcefire.com <http://www.sourcefire.com/>
------------------------------------------------------------------------------ Get 100% visibility into Java/.NET code with AppDynamics Lite! It's a free troubleshooting tool designed for production. Get down to code-level detail for bottlenecks, with <2% overhead. Download for free and get started troubleshooting in minutes. http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Aumlib malware Y M (Aug 12)
- Re: Aumlib malware Ned Moran (Aug 12)
- Re: Aumlib malware Nick Randolph (Aug 12)
- Re: Aumlib malware Joel Esler (Aug 12)
- Re: Aumlib malware Joel Esler (Aug 12)
- Re: Aumlib malware Nick Randolph (Aug 12)
- Re: Aumlib malware Nick Randolph (Aug 12)
- Re: Aumlib malware Y M (Aug 12)
- Re: Aumlib malware Ned Moran (Aug 12)
- Re: Aumlib malware Joel Esler (Aug 13)
- Re: Aumlib malware Y M (Aug 13)
- Re: Aumlib malware Ned Moran (Aug 12)