Snort mailing list archives
Re: Urausy rules
From: James Lay <jlay () slave-tothe-box net>
Date: Sun, 25 Aug 2013 09:44:51 -0600
On Aug 24, 2013, at 6:04 AM, Y M <snort () outlook com> wrote:
Got my hands on a sample of ransomware and have been running it on my test lab for a while now (pcaps attached). It turned out to be Urausy and I already uploaded it to VirusTotal. Below are two rules: one for outbound connection and the other for a DNS request. It seems the domain is hardcoded.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Urausy outbound connection attempt"; flow:to_server,established; content:"GET"; http_method; content:".html"; http_uri; content:"User-Agent|3A| Mozilla/5.0 |28|compatible|3B| MSIE 9.0|3B| Windows NT 6.1|3B| Trident/5.0"; fast_pattern:only; pcre:"/\/[a-z-_]{80,}\.html$/U"; metadata: impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f53a483befed8d1494827a3f2444cfe638d3f7e595d72b722eab92d1aca9ede3/analysis/1376847283/; classtype:trojan-activity; sid:100029; rev:2;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain www.wolfvr.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|wolfvr|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/f53a483befed8d1494827a3f2444cfe638d3f7e595d72b722eab92d1aca9ede3/analysis/1376847283/; classtype:trojan-activity; sid:100030; rev:1;)

Any help in improving these is welcome, thanks.

YM
Nice work!
Attachment: signature.asc (Message signed with OpenPGP using GPGMail)
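As an added example that is not part of the thread (and does not use the attached pcaps), the following Python snippet emulates the matching logic of the two posted rules against constructed traffic: the DNS query builder, the sample HTTP requests and the function names sid_100029/sid_100030 are all assumptions made here for illustration.

```python
import re
import struct

# Constructed sample traffic (not taken from the attached pcaps).
HTTP_UA = (b"User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; "
           b"Windows NT 6.1; Trident/5.0")          # rule content, no closing paren
# Same character set as the rule's [a-z-_]; hyphen moved last for readability.
URI_RE = re.compile(rb"/[a-z_-]{80,}\.html$")


def dns_query(name, txid=0x1234):
    """Build a minimal standard DNS query (QR=0, opcode=0, RD=1) for name."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [bytes([len(lb)]) + lb.encode() for lb in name.split(".")]
    return header + b"".join(labels) + b"\x00" + struct.pack(">HH", 1, 1)  # A, IN


def sid_100030(payload):
    """Emulate the DNS rule: byte_test:1,!&,0xF8,2 then the label-encoded domain."""
    # byte_test:1,!&,0xF8,2 -> the byte at offset 2 ANDed with 0xF8 must be zero,
    # i.e. QR=0 and opcode=0: a standard query, not a response or inverse query.
    if payload[2] & 0xF8:
        return False
    # |06|wolfvr|03|com|00| is the DNS wire form of wolfvr.com; matching on the
    # encoded labels avoids false positives on names that merely contain the string.
    return b"\x06wolfvr\x03com\x00" in payload


def sid_100029(request):
    """Emulate the HTTP rule: GET, '.html' in URI, the UA string, then the PCRE on the URI."""
    request_line, _, headers = request.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3 or parts[0] != b"GET":          # content:"GET"; http_method
        return False
    uri = parts[1]
    if b".html" not in uri or HTTP_UA not in headers:  # content:".html"; http_uri + UA
        return False
    return URI_RE.search(uri) is not None              # pcre:"/\/[a-z-_]{80,}\.html$/U"


# Constructed samples: one hit and one miss for each rule.
MALICIOUS_DNS = dns_query("www.wolfvr.com")
BENIGN_DNS = dns_query("www.example.com")
DNS_RESPONSE = MALICIOUS_DNS[:2] + b"\x81\x80" + MALICIOUS_DNS[4:]  # QR=1: not a query
MALICIOUS_HTTP = (b"GET /" + b"a" * 85 + b".html HTTP/1.1\r\nHost: www.wolfvr.com\r\n"
                  + HTTP_UA + b")\r\n\r\n")
BENIGN_HTTP = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
               + HTTP_UA + b")\r\n\r\n")
```

The DNS_RESPONSE case shows what the byte_test buys: the same domain in a reply (or a non-standard opcode) is not counted as an outbound lookup.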
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Urausy rules Y M (Aug 25)
- Re: Urausy rules James Lay (Aug 25)
- Re: Urausy rules Joel Esler (Aug 25)
- Re: Urausy rules Nick Randolph (Aug 26)
- <Possible follow-ups>
- Re: Urausy rules Y M (Aug 26)
- Re: Urausy rules Y M (Aug 26)
- Re: Urausy rules Y M (Aug 26)