Snort mailing list archives

Urausy rules


From: Y M <snort () outlook com>
Date: Sat, 24 Aug 2013 12:04:30 +0000

Got my hands on a sample of ransomware and have been running it on my test lab for a while now (pcaps attached). It turned out to be Urausy and I already uploaded it to VirusTotal. Below are two rules: one for the outbound connection and the other for a DNS request. It seems the domain is hardcoded.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Urausy outbound connection attempt"; flow:to_server,established; content:"GET"; http_method; content:".html"; http_uri; content:"User-Agent|3A| Mozilla/5.0 |28|compatible|3B| MSIE 9.0|3B| Windows NT 6.1|3B| Trident/5.0"; fast_pattern:only; pcre:"/\/[a-z-_]{80,}\.html$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f53a483befed8d1494827a3f2444cfe638d3f7e595d72b722eab92d1aca9ede3/analysis/1376847283/; classtype:trojan-activity; sid:100029; rev:2;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain www.wolfvr.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|wolfvr|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/f53a483befed8d1494827a3f2444cfe638d3f7e595d72b722eab92d1aca9ede3/analysis/1376847283/; classtype:trojan-activity; sid:100030; rev:1;)

Any help in improving these is welcome, thanks.

YM
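To sanity-check what the two rules above actually match before loading them into a sensor, here is an added example (not part of the original post or its pcaps) that mirrors the rules' match logic in Python: the URI pcre from the HTTP rule, and the byte_test on the DNS flags byte plus the wire-format label match from the DNS rule. The DNS queries and URIs it runs against are constructed inline; the helper names are this example's own.

```python
import re
import struct

# Constructed sample URIs (not taken from the original pcaps).
CNC_URI = "/" + "a" * 85 + ".html"   # long lowercase path of the kind the pcre targets
BENIGN_URI = "/index.html"

# Same expression as the rule's pcre:"/\/[a-z-_]{80,}\.html$/U" (the /U modifier means
# it runs over the normalized URI buffer, which we model as a plain path string).
URI_PCRE = re.compile(r"\/[a-z-_]{80,}\.html$")

# content:"|06|wolfvr|03|com|00|" decoded from Snort's |hex| notation: DNS wire-format
# labels are length-prefixed, so this matches wolfvr.com and any subdomain of it.
DNS_CONTENT = b"\x06wolfvr\x03com\x00"


def uri_matches(uri: str) -> bool:
    """True when the URI would satisfy the HTTP rule's pcre check."""
    return URI_PCRE.search(uri) is not None


def encode_qname(name: str) -> bytes:
    """Encode a domain name as DNS labels: <len><label>... terminated by 0x00."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_dns_query(name: str, flags: int = 0x0100, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS message: 12-byte header + one A/IN question.

    flags=0x0100 is a standard recursive query; 0x8180 models a response."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)


def dns_rule_matches(payload: bytes) -> bool:
    """Apply the DNS rule's checks in order: byte_test:1,!&,0xF8,2 then the content match."""
    if len(payload) < 12:
        return False
    # byte_test:1,!&,0xF8,2 -> the byte at offset 2 (high byte of the flags field) must
    # have QR and the Opcode bits clear, i.e. the message is a standard query, not a reply.
    if payload[2] & 0xF8:
        return False
    return DNS_CONTENT in payload
```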


Attachment: Urausy.pcap
Attachment: Urausy_DNS.pcap

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org