Snort mailing list archives
Re: Urausy rules
From: Y M <snort () outlook com>
Date: Mon, 26 Aug 2013 19:00:24 +0300
Thanks Joel.

________________________________
From: Joel Esler<mailto:jesler () sourcefire com>
Sent: 8/25/2013 7:21 PM
To: Y M<mailto:snort () outlook com>
Cc: snort-sigs () lists sourceforge net<mailto:snort-sigs () lists sourceforge net>
Subject: Re: [Snort-sigs] Urausy rules

Thanks. I believe Nick is already looking at these. Thanks.

--
Joel Esler
Sent from my iPad

On Aug 24, 2013, at 8:04 AM, Y M <snort () outlook com> wrote:
Got my hands on a sample of ransomware and have been running it on my test lab for a while now (pcaps attached). It turned out to be Urausy and I already uploaded it to VirusTotal. Below are two rules: one for the outbound connection and the other for a DNS request. It seems the domain is hardcoded.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Urausy outbound connection attempt"; flow:to_server,established; content:"GET"; http_method; content:".html"; http_uri; content:"User-Agent|3A| Mozilla/5.0 |28|compatible|3B| MSIE 9.0|3B| Windows NT 6.1|3B| Trident/5.0"; fast_pattern:only; pcre:"/\/[a-z-_]{80,}\.html$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f53a483befed8d1494827a3f2444cfe638d3f7e595d72b722eab92d1aca9ede3/analysis/1376847283/; classtype:trojan-activity; sid:100029; rev:2;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain www.wolfvr.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|wolfvr|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/f53a483befed8d1494827a3f2444cfe638d3f7e595d72b722eab92d1aca9ede3/analysis/1376847283/; classtype:trojan-activity; sid:100030; rev:1;)

Any help in improving these is welcome, thanks.

YM

<Urausy.pcap>
<Urausy_DNS.pcap>

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
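Added worked example (not code from this thread, from Y M, or from Sourcefire): a small stand-alone Python script that re-implements the matching logic of the two rules posted above and runs it over constructed sample traffic. The HTTP request and the DNS message are built inline by hand, not taken from the attached pcaps, and all function names are illustrative. The rule's pcre has the U modifier (Snort's normalized URI buffer); here the raw request path stands in for it. The DNS part shows what byte_test:1,!&,0xF8,2 actually enforces (QR, Opcode and AA bits of the flags byte all zero, so a query rather than a response) and why the content match without the leading |03|www still catches any label in front of wolfvr.com.

```python
import re
import struct

# Added example: the matching logic of the two Urausy rules re-implemented
# in plain Python over constructed sample traffic. Nothing here comes from
# the attached pcaps; the request and the DNS message are built by hand.

MSIE9_UA = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"

# Rule 1: GET, ".html" in the URI, the fixed User-Agent prefix (the rule's
# content string stops before the closing parenthesis), and a URI made of
# 80+ characters from [a-z-_] followed by ".html". The rule's pcre uses the
# U modifier (normalized URI buffer); the raw request path stands in here.
URI_RE = re.compile(r"/[a-z-_]{80,}\.html$")
UA_PREFIX = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0"


def build_http_request(path, ua=MSIE9_UA, method="GET", host="www.wolfvr.com"):
    """Constructed HTTP/1.1 request used as sample input."""
    return (
        f"{method} {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"User-Agent: {ua}\r\n"
        "\r\n"
    )


def parse_http_request(raw):
    """Return (method, uri, headers) for a minimal HTTP/1.x request."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def matches_urausy_http(raw):
    """Mirror of the MALWARE-CNC rule: all four conditions must hold."""
    method, uri, headers = parse_http_request(raw)
    if method != "GET" or ".html" not in uri:
        return False
    if not headers.get("user-agent", "").startswith(UA_PREFIX):
        return False
    return URI_RE.search(uri) is not None


# Rule 2: a DNS query (not a response) carrying the label-encoded name
# |06|wolfvr|03|com|00|. byte_test:1,!&,0xF8,2 reads the byte at offset 2
# of the DNS header and requires QR, Opcode and AA to all be zero, i.e. a
# standard query. The content omits the leading |03|www, so any label in
# front of wolfvr.com (www or otherwise) still matches.
WOLFVR_LABELS = b"\x06wolfvr\x03com\x00"


def encode_qname(name):
    # www.wolfvr.com -> b"\x03www\x06wolfvr\x03com\x00"
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_message(name, flags=0x0100, txid=0x1234, qtype=1):
    """Constructed DNS message: 12-byte header + one question for `name`.
    flags=0x0100 is a standard query with RD set; 0x8180 is a response."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def matches_wolfvr_dns(payload):
    """Mirror of the BLACKLIST DNS rule: byte_test on flags, then content."""
    if len(payload) < 12 or payload[2] & 0xF8:
        return False
    return WOLFVR_LABELS in payload


if __name__ == "__main__":
    long_path = "/" + "a" * 60 + "-" + "b" * 20 + "_c" + ".html"
    print(matches_urausy_http(build_http_request(long_path)))                      # True
    print(matches_urausy_http(build_http_request("/index.html")))                  # False
    print(matches_wolfvr_dns(build_dns_message("www.wolfvr.com")))                 # True
    print(matches_wolfvr_dns(build_dns_message("www.wolfvr.com", flags=0x8180)))   # False
```

The script makes two things visible that the rule text alone does not: the DNS byte_test drops responses from the resolver (flags 0x8180 fails the mask), so only the client's lookup alerts, and a name such as www.wolfvr.com.example.net does not match because the content requires the terminating |00| right after "com".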
Current thread:
- Urausy rules Y M (Aug 25)
- Re: Urausy rules James Lay (Aug 25)
- Re: Urausy rules Joel Esler (Aug 25)
- Re: Urausy rules Nick Randolph (Aug 26)
- <Possible follow-ups>
- Re: Urausy rules Y M (Aug 26)
- Re: Urausy rules Y M (Aug 26)
- Re: Urausy rules Y M (Aug 26)