Snort mailing list archives
Re: Win.Trojan.Isg
From: Y M <snort () outlook com>
Date: Thu, 23 Feb 2017 11:56:16 +0000
So it appears this one is known as "Yakbeex". Spending more time with the malware we get an additional signature. Pcap is also available for this one.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Yakbeex sendreport request"; flow:to_server,established; content:"POST"; http_method; content:"/gate.php"; fast_pattern:only; http_uri; content:"WebKitFormBoundary"; http_header; content:"|20|form-data|3B 20|name=|22|sendreport|22|"; content:"Referer|3A 20|"; http_header; content:"Connection|3A 20|close|0D 0A|"; http_header; content:!"Accept"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:1000853; rev:1;)

YM

________________________________
From: Tyler Montier <tmontier () sourcefire com>
Sent: Thursday, February 23, 2017 12:12:51 AM
To: Y M
Cc: snort-sigs
Subject: Re: [Snort-sigs] Win.Trojan.Isg

Yaser,

Thanks for your submission. We will review the rules and get back to you when they're finished. Since you have pcaps available, can you send them my way?

Thanks,
Tyler Montier
Cisco Talos

On Wed, Feb 22, 2017 at 3:22 PM, Y M <snort () outlook com> wrote:

Hello,

This one is either detected as Zeus or Fareit by AV (because of the /gate.php...?). However, the host and network profiles/behavior do not match either, as far as I know. I used Yara to help with this and still no luck. It is somehow similar to sid:41442 yet different. So I went ahead and called it "Isg" based on the HTTP responses. Please feel free to name this one, or if anyone has seen this traffic before, please do let us know. Additional details and pcaps are available.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Isg getconfig request"; flow:to_server,established; content:"POST"; http_method; content:"/gate.php"; fast_pattern:only; http_uri; content:"WebKitFormBoundary"; http_header; content:"|20|form-data|3B 20|name=|22|getconfig|22|"; content:"Referer|3A 20|"; http_header; content:"Connection|3A 20|close|0D 0A|"; http_header; content:!"Accept"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:1000851; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Isg getconfig response"; flow:to_client,established; file_data; content:"IS_G_PWDS:"; content:"IS_G_DOUBLE:"; content:"IS_G_BROWSERS:"; content:"IS_G_COINS:"; content:"IS_G_SKYPE"; content:"IS_G_STEAM:"; content:"IS_G_DESKTOP"; metadata:ruleset community, service http; classtype:trojan-activity; sid:1000852; rev:1;)

Thanks.
YM

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats! https://snort.org/downloads/#rule-downloads
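Added example, not code from the thread or from Talos: a plain-Python mirror of the content options in the two gate.php request rules (sid:1000851 and sid:1000853), run over constructed HTTP requests so the role of each option, in particular the negated Accept header match and the form field name, can be stepped through offline. Host names and the boundary string are made up for the sample.

```python
# Added example: mirrors the content options of sid:1000851/1000853 in Python.
# Sample requests are constructed below, not captured traffic from the post.

def split_request(raw: bytes):
    """Split a raw HTTP request into (method, uri, header_block, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ", 2)
    if len(parts) < 2:                      # malformed request line: nothing to match
        return b"", b"", headers, body
    return parts[0], parts[1], headers, body

def matches_gate_post(raw: bytes, field: bytes) -> bool:
    """One boolean per rule option; field is b"getconfig" or b"sendreport"."""
    method, uri, headers, body = split_request(raw)
    header_block = headers + b"\r\n"        # restore the CRLF the split consumed
    return (
        method == b"POST"                                # content:"POST"; http_method
        and b"/gate.php" in uri                          # content:"/gate.php"; http_uri
        and b"WebKitFormBoundary" in header_block        # content:"WebKitFormBoundary"; http_header
        and b' form-data; name="' + field + b'"' in raw  # |20|form-data|3B 20|name=|22|..|22| (raw payload)
        and b"Referer: " in header_block                 # content:"Referer|3A 20|"; http_header
        and b"Connection: close\r\n" in header_block     # content:"Connection|3A 20|close|0D 0A|"; http_header
        and b"Accept" not in header_block                # content:!"Accept"; http_header (any Accept* header)
    )

def build_request(field: bytes, extra_headers: bytes = b"") -> bytes:
    """Construct a multipart POST shaped like the one the thread describes."""
    boundary = b"----WebKitFormBoundaryXYZ"              # made-up boundary value
    return (
        b"POST /gate.php HTTP/1.1\r\n"
        b"Host: c2.example.invalid\r\n" + extra_headers +
        b"Referer: http://c2.example.invalid/\r\n"
        b"Content-Type: multipart/form-data; boundary=" + boundary + b"\r\n"
        b"Connection: close\r\n\r\n"
        b"--" + boundary + b"\r\n"
        b'Content-Disposition: form-data; name="' + field + b'"\r\n\r\n'
        b"data\r\n--" + boundary + b"--\r\n"
    )

SUSPECT = build_request(b"sendreport")
BROWSER_LIKE = build_request(b"sendreport", b"Accept: */*\r\n")  # browsers send Accept

if __name__ == "__main__":
    print(matches_gate_post(SUSPECT, b"sendreport"))       # True
    print(matches_gate_post(BROWSER_LIKE, b"sendreport"))  # False: negated Accept match fails
    print(matches_gate_post(SUSPECT, b"getconfig"))        # False: other form field
```

The BROWSER_LIKE case differs from SUSPECT only by an Accept header, which is why the `content:!"Accept"` option does most of the work in keeping ordinary multipart uploads to a /gate.php path from firing these rules.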
Current thread:
- Win.Trojan.Isg Y M (Feb 22)
- Re: Win.Trojan.Isg Tyler Montier (Feb 22)
- Re: Win.Trojan.Isg Y M (Feb 23)
- Re: Win.Trojan.Isg Tyler Montier (Feb 22)