Re: Aumlib malware

[Nick Randolph <drandolph () sourcefire com>]

Sure thing


On Mon, Aug 12, 2013 at 12:17 PM, Joel Esler <jesler () sourcefire com> wrote:

> Oh wait, sorry Nick, I didn’t see that you had this one, are you grabbing
> this one?
>
> On Aug 12, 2013, at 11:47 AM, Nick Randolph <drandolph () sourcefire com>
> wrote:
>
> I think we should add in the MSIE 5 user-agent as a fast_pattern:only and
> maybe blacklist DNS rules for the domains in use. I grabbed the samples and
> gave them a really quick look.
>
> 832f5e01be536da71d5b3f7e41938cfb
> That user-agent used in the POST to /bbs/search.asp and
> /buy-sell/search.asp?newsid= is static in the malware.
>    Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 5.0)
> The domains are also static
>    info.xxuz.com and warnews.toh.info
>
> cb3dcde34fd9ff0e19381d99b02f9692
> Also uses static domains
>    documents.myPicture.info <http://documents.mypicture.info/>
>    ftp.documents.myPicture.info <http://ftp.documents.mypicture.info/>
>    www.documents.myPicture.info <http://www.documents.mypicture.info/>
>
> The URL changes slightly but the user-agent isn't as obvious in the
> binary. Since it's still reporting MSIE 5.0 then it's probably still static
>   /bbs/info.asp
>
> aa873ed803ca800ce92a39d9a683c644
> This one is a word doc and looks like it gets picked up with sid:26832
>
>
> On Mon, Aug 12, 2013 at 11:40 AM, Ned Moran <ned () mysterymachine info>wrote:
>
> >  sample in question (832f5e01be536da71d5b3f7e41938cfb) can be found on
> > VT.
> >
> >
> > https://www.virustotal.com/en/file/c77afbe515536773777afebf500088e5b61cf23a6f527e6e39c0895e7be223c7/analysis/
> >
> > -Ned
> >
> >
> > On 8/12/13 11:16 AM, Y M wrote:
> >
> > Tried to get a sample of the executable from the urls mentioned in the reference but wasn't able to. Need more 
> > testing:
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Aumlib GET request"; 
> > flow:to_server,established; content:"GET"; http_method; content:"/buy-sell/"; http_uri; content:"search.asp"; 
> > http_uri; metadata: impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service 
> > http; reference:url, 
> > fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; 
> > classtype:trojan-activity; sid:100023; rev:1;)
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Aumlib POST request"; 
> > flow:to_server,established; content:"POST"; http_method; content:"/bbs/"; http_uri; content:"search.asp"; nocase; 
> > http_uri; metadata: impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service 
> > http; reference:url, 
> > fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; 
> > classtype:trojan-activity; sid:100022; rev:1;)
> > Thanks.YM                                    
> >
> >
> >
> > ------------------------------------------------------------------------------
> > Get 100% visibility into Java/.NET code with AppDynamics Lite!
> > It's a free troubleshooting tool designed for production.
> > Get down to code-level detail for bottlenecks, with <2% overhead.
> > Download for free and get started troubleshooting in minutes. 
> > http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
> >
> >
> >
> > _______________________________________________
> > Snort-sigs mailing 
> > listSnort-sigs@lists.sourceforge.nethttps://lists.sourceforge.net/lists/listinfo/snort-sigshttp://www.snort.org
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
> >
> >
> >
> >
> > ------------------------------------------------------------------------------
> > Get 100% visibility into Java/.NET code with AppDynamics Lite!
> > It's a free troubleshooting tool designed for production.
> > Get down to code-level detail for bottlenecks, with <2% overhead.
> > Download for free and get started troubleshooting in minutes.
> >
> > http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > http://www.snort.org
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
>
>
>
> --
>
> Nick Randolph
> Research Engineer
> Sourcefire, Inc.
> nrandolph () sourcefire com
> Sourcefire.com <http://www.sourcefire.com/>
>
> ------------------------------------------------------------------------------
> Get 100% visibility into Java/.NET code with AppDynamics Lite!
> It's a free troubleshooting tool designed for production.
> Get down to code-level detail for bottlenecks, with <2% overhead.
> Download for free and get started troubleshooting in minutes.
>
> http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk_______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!


-- 

Nick Randolph
Research Engineer
Sourcefire, Inc.
nrandolph () sourcefire com
Sourcefire.com <http://www.sourcefire.com/>

------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite!
It's a free troubleshooting tool designed for production.
Get down to code-level detail for bottlenecks, with <2% overhead. 
Download for free and get started troubleshooting in minutes. 
http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!