Snort mailing list archives
Re: Win.Trojan.Kovtar
From: Tyler Montier <tmontier () sourcefire com>
Date: Fri, 10 Feb 2017 10:15:11 -0500
Dear Yaser,

Thanks for your submission. We will review and test the rules and get back to you when they're finished. Do you have any pcaps or hashes of the malware available?

Sincerely,
Tyler Montier
Cisco Talos

On Fri, Feb 10, 2017 at 4:07 AM, Y M <snort () outlook com> wrote:
Hello,

The two signatures below detect the initial JS downloader and the post-infection C&C.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kovter variant JS downloader outbound connection"; flow:to_server,established; urilen:<100; content:"GET"; http_method; content:"/counter/?"; fast_pattern:only; http_uri; content:"UA-CPU|3A 20|"; http_header; content:"MSIE 7.0|3B|"; http_header; content:!"Referer"; http_header; pcre:"/\/counter\/\x3f\w+/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:1000821; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kovter variant outbound connection"; flow:to_server,established; dsize:55<>205; content:!" HTTP/"; content:"|00 00 00|"; offset:1; metadata:ruleset community; classtype:trojan-activity; sid:1000822; rev:1;)

Thank you.
YM
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Visit Snort.org to subscribe to the official Snort ruleset and stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
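The two rules quoted in this thread, as an added example that is not part of the thread and not Cisco Talos or Snort code: a Python approximation of the option logic of sids 1000821 and 1000822, run over constructed payloads, to show which traffic each rule would fire on and how `content:!"Referer"` and `offset:1` without `depth` behave. It is not Snort's detection engine; the http_method, http_uri and http_header buffers come from a naive request parser, ports and flow state are not modelled, and all sample payloads are constructed for this example.

```python
"""Added example (not from the thread, not Snort code): a Python approximation of
the option logic of sids 1000821 and 1000822 as posted above, run over
constructed payloads. It mirrors the rule options one-to-one but simplifies
Snort's buffers (http_method/http_uri/http_header come from a naive request
parser, and no port or flow state is modelled)."""
import re

# pcre:"/\/counter\/\x3f\w+/U"  -> applied to the URI buffer
COUNTER_URI = re.compile(rb"/counter/\?\w+")


def parse_http_request(payload: bytes):
    """Return (method, uri, header_block) for a raw HTTP request, or None if the
    payload does not start with a request line."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[0], parts[1], b"\r\n".join(lines[1:])


def rule_1000821(payload: bytes) -> bool:
    """MALWARE-CNC Win.Trojan.Kovter variant JS downloader outbound connection."""
    parsed = parse_http_request(payload)
    if parsed is None:
        return False
    method, uri, headers = parsed
    return (
        method == b"GET"                         # content:"GET"; http_method
        and len(uri) < 100                       # urilen:<100
        and b"/counter/?" in uri                 # content:"/counter/?"; http_uri
        and b"UA-CPU: " in headers               # content:"UA-CPU|3A 20|"; http_header
        and b"MSIE 7.0;" in headers              # content:"MSIE 7.0|3B|"; http_header
        and b"Referer" not in headers            # content:!"Referer"; http_header
        and COUNTER_URI.search(uri) is not None  # pcre .../U
    )


def rule_1000822(payload: bytes) -> bool:
    """MALWARE-CNC Win.Trojan.Kovter variant outbound connection."""
    # dsize:55<>205 -- boundary inclusivity differs between Snort versions, so
    # the samples below stay well inside the range.
    # content:"|00 00 00|"; offset:1 -- no depth, so the search runs from byte 1
    # to the end of the payload; a NUL run that only starts at byte 0 does not count.
    return (
        55 < len(payload) < 205
        and b" HTTP/" not in payload             # content:!" HTTP/"
        and payload.find(b"\x00\x00\x00", 1) != -1
    )


RULES = {1000821: rule_1000821, 1000822: rule_1000822}


def evaluate(payload: bytes) -> list:
    """Return the sids (sorted) whose logic matches the payload."""
    return sorted(sid for sid, check in RULES.items() if check(payload))


# Constructed sample payloads (not captured traffic).
KOVTER_LIKE_GET = (
    b"GET /counter/?a1b2c3 HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"UA-CPU: x86\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)\r\n"
    b"Host: example.invalid\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)
# Same request with a Referer header: the negated content suppresses the alert.
REFERER_GET = KOVTER_LIKE_GET.replace(
    b"Host:", b"Referer: http://example.invalid/\r\nHost:"
)
# 64-byte binary blob with the NUL run starting at byte 1.
BINARY_CNC = b"\x02\x00\x00\x00" + b"\x10" * 60
# 64-byte blob whose only NUL run starts at byte 0: offset:1 skips it.
LEADING_NULS = b"\x00\x00\x00\x01" + b"\x10" * 60

if __name__ == "__main__":
    for name, sample in [("kovter-like GET", KOVTER_LIKE_GET),
                         ("GET with Referer", REFERER_GET),
                         ("binary beacon", BINARY_CNC),
                         ("leading NULs", LEADING_NULS)]:
        print(f"{name:18s} -> {evaluate(sample)}")
```

The `LEADING_NULS` sample is the case worth checking before deploying the second rule: because `offset:1` moves the search start past byte 0 and no `depth` bounds it, the rule matches three NULs anywhere from byte 1 onward but misses a NUL run that begins at byte 0, which may or may not be what the author intends for this beacon format. Testing the real rules against a pcap in Snort remains the authoritative check.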
Current thread:
- Win.Trojan.Kovtar Y M (Feb 10)
- Re: Win.Trojan.Kovtar Tyler Montier (Feb 10)