Snort mailing list archives

Re: Urausy rules


From: James Lay <jlay () slave-tothe-box net>
Date: Sun, 25 Aug 2013 09:44:51 -0600


On Aug 24, 2013, at 6:04 AM, Y M <snort () outlook com> wrote:

I got my hands on a sample of ransomware and have been running it in my test lab for a while now (pcaps attached). It turned 
out to be Urausy, and I have already uploaded it to VirusTotal. Below are two rules: one for the outbound connection and the 
other for a DNS request. It seems the domain is hardcoded.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Urausy outbound connection attempt"; flow:to_server,established; content:"GET"; http_method; content:".html"; http_uri; content:"User-Agent|3A| Mozilla/5.0 |28|compatible|3B| MSIE 9.0|3B| Windows NT 6.1|3B| Trident/5.0"; fast_pattern:only; pcre:"/\/[a-z-_]{80,}\.html$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f53a483befed8d1494827a3f2444cfe638d3f7e595d72b722eab92d1aca9ede3/analysis/1376847283/; classtype:trojan-activity; sid:100029; rev:2;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain www.wolfvr.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|wolfvr|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/f53a483befed8d1494827a3f2444cfe638d3f7e595d72b722eab92d1aca9ede3/analysis/1376847283/; classtype:trojan-activity; sid:100030; rev:1;)

Any help in improving these is welcome, thanks.
YM


Nice work!

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail
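The two rules quoted above boil down to three checks that can be exercised without a Snort instance: a GET whose URI is a run of 80 or more lowercase letters, hyphens or underscores ending in .html; a User-Agent header that begins with the hardcoded MSIE 9.0 string (the rule's content has no closing parenthesis, so it is a prefix match); and a standard DNS query, which is what byte_test:1,!&,0xF8,2 enforces on the flags byte at offset 2, carrying wolfvr.com in wire label form. The Python below re-implements that matching logic over constructed packets. It is an added example, not part of the original post and not Snort's own detection engine; the request and query builders and every name other than www.wolfvr.com are assumptions for illustration.

```python
"""Re-implementation of the matching logic of the two Urausy rules, so the
conditions can be tested against constructed packets without running Snort.
Added example code: not from the original post and not Snort's engine."""
import re
import struct

# Hardcoded User-Agent from the HTTP rule. The rule's content ends before the
# closing ")", so anything that starts with this string matches.
URAUSY_UA_PREFIX = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0"
# pcre:"/\/[a-z-_]{80,}\.html$/U" applied to the normalised URI.
URI_RE = re.compile(r"/[a-z\-_]{80,}\.html\Z")
# content:"|06|wolfvr|03|com|00|" in DNS label encoding.
DNS_NAME = b"\x06wolfvr\x03com\x00"


def matches_urausy_http(raw: bytes) -> bool:
    """Return True when a raw HTTP request satisfies the HTTP rule."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return False
    request_line = lines[0].split(" ")
    if len(request_line) != 3 or request_line[0] != "GET":      # http_method
        return False
    uri = request_line[1]
    if ".html" not in uri or not URI_RE.search(uri):            # http_uri + pcre
        return False
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers.get("user-agent", "").startswith(URAUSY_UA_PREFIX)


def encode_qname(name: str) -> bytes:
    """Encode a dotted hostname in DNS wire (length-prefixed label) format."""
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed standard A query: QR=0, opcode=0, RD=1 (flags 0x0100)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack(">HH", 1, 1)


def matches_urausy_dns(payload: bytes) -> bool:
    """Return True when a DNS payload satisfies the DNS rule.

    byte_test:1,!&,0xF8,2 requires that the QR bit and the four opcode bits
    of the first flags byte are all clear, i.e. a standard query; the content
    check then looks for wolfvr.com in label form anywhere in the packet,
    which also covers www.wolfvr.com.
    """
    if len(payload) < 12 or payload[2] & 0xF8:
        return False
    return DNS_NAME in payload


def build_http_get(path: str, user_agent: str, host: str = "www.wolfvr.com") -> bytes:
    """Constructed minimal GET request (assumed traffic, not a capture)."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"User-Agent: {user_agent}\r\n\r\n").encode("ascii")


if __name__ == "__main__":
    beacon = build_http_get("/" + "a" * 80 + ".html", URAUSY_UA_PREFIX + ")")
    print("http rule fires:", matches_urausy_http(beacon))
    print("dns rule fires:", matches_urausy_dns(build_dns_query("www.wolfvr.com")))
    # A response for the same name has QR=1 and must not fire.
    resp = bytearray(build_dns_query("www.wolfvr.com"))
    resp[2] |= 0x80
    print("dns response fires:", matches_urausy_dns(bytes(resp)))
```

Feeding the pcaps from the post through the real rules is still the authoritative check; this script only makes it easy to see which of the three conditions a given packet fails, for example a path one character short of the 80-character floor in the pcre.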

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

