Re: Win.Trojan.Isg

[Tyler Montier <tmontier () sourcefire com>]

Yaser,

Thanks for your submission. We will review the rules and get back to you
when they're finished.

Since you have pcaps available, can you send them my way?

Thanks,

Tyler Montier
Cisco Talos

On Wed, Feb 22, 2017 at 3:22 PM, Y M <snort () outlook com> wrote:

> Hello,
>
>
> This one is either detected as Zeus or Fareit by AV (because of the
> /gate.php...?). However, the host and network profiles/behavior do not
> match either, as far as I know. I used Yara to help with this and still no
> luck. It is somehow similar to sid:41442 yet different. So I went ahead and
> called it "Isg" based on the HTTP responses. Please feel free in naming
> this one, or if any has seen this traffic before, please do let us know.
>
> Additional details and pcaps are available.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MLAWARE-CNC
> Win.Trojan.Isg getconfig request"; flow:to_server,established;
> content:"POST"; http_method; content:"/gate.php"; fast_pattern:only;
> http_uri; content:"WebKitFormBoundary"; http_header;
> content:"|20|form-data|3B 20|name=|22|getconfig|22|"; content:"Referer|3A
> 20|"; http_header; content:"Connection|3A 20|close|0D 0A|"; http_header;
> content:!"Accept"; http_header; metadata:ruleset community, service http;
> classtype:trojan-activity; sid:1000851; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
> Win.Trojan.Isg getconfig response"; flow:to_client,established; file_data;
> content:"IS_G_PWDS:"; content:"IS_G_DOUBLE:"; content:"IS_G_BROWSERS:";
> content:"IS_G_COINS:"; content:"IS_G_SKYPE"; content:"IS_G_STEAM:";
> content:"IS_G_DESKTOP"; metadata:ruleset community, service http;
> classtype:trojan-activity; sid:1000852; rev:1;)
>
> Thanks.
> YM
>
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
> http://www.snort.org
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most <a href="
> https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!