Re: Win.Trojan.NeutrinoBot

[Tyler Montier <tmontier () sourcefire com>]

Yaser,

Thank you for your submission. We will review the rules and get back to you
when they're finished.

Sincerely,

Tyler Montier
Cisco Talos

On Thu, Mar 9, 2017 at 1:49 AM, Y M <snort () outlook com> wrote:

> Hello,
>
> The below rules were derived from the reference article. Reviewing the
> existing signature sid:32670, it may hit on the initial outbound
> connection. Subsequent traffic may not trigger the rule given the HTTP
> headers differences. No pcap is available for this one. If these rules seem
> redundant, please ignore them.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.NeutrinoBot initial outbound connection";
> flow:to_server,established; content:"POST"; http_method;
> content:"/tasks.php"; fast_pattern:only; http_uri; content:"Cookie|3A
> 20|auth="; http_header; content:"ZW50ZXI="; http_client_body;
> content:!"Connection"; http_header; content:!"Accept"; http_header;
> metadata:ruleset community, service http; reference:url,blog.
> malwarebytes.com/threat-analysis/2017/02/new-neutrino-
> bot-comes-in-a-protective-loader/; reference:url,www.virustotal.
> com/en/file/45abc50e837a3e0c4df842fe8c3aa54e103d690d67f89d78059878bd3acc
> 67ab/analysis/; classtype:trojan-activity; sid:1000873; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
> Win.Trojan.NeutrinoBot success inbound connection";
> flow:to_client,established; content:"404"; http_stat_code; file_data;
> content:"<!---c3VjY2Vzcw==--->"; metadata:ruleset community, service
> http; reference:url,blog.malwarebytes.com/threat-
> analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/;
> reference:url,www.virustotal.com/en/file/45abc50e837a3e0c4df842fe8c3aa5
> 4e103d690d67f89d78059878bd3acc67ab/analysis/; classtype:trojan-activity;
> sid:1000874; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.NeutrinoBot outbound connection"; flow:to_server,established;
> content:"POST"; http_method; content:"/tasks.php"; fast_pattern:only;
> http_uri; content:"Cookie|3A 20|auth="; http_header; content:"Connection|3A
> 20|close|0D 0A|"; http_header; content:"|20|form-data|3B|name=|22|fname|22|";
> content:"|20|form-data|3B 20|name=|22|data|22|"; content:!"Accept";
> http_header; content:!"Referer"; http_header; metadata:ruleset community,
> service http; reference:url,blog.malwarebytes.com/threat-
> analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/;
> reference:url,www.virustotal.com/en/file/45abc50e837a3e0c4df842fe8c3aa5
> 4e103d690d67f89d78059878bd3acc67ab/analysis/; classtype:trojan-activity;
> sid:1000875; rev:1;)
>
> Thanks.
> YM
>
>
> ------------------------------------------------------------
> ------------------
> Announcing the Oxford Dictionaries API! The API offers world-renowned
> dictionary content that is easy and intuitive to access. Sign up for an
> account today to start using our lexical data to power your apps and
> projects. Get started today and enter our developer competition.
> http://sdm.link/oxford
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
> http://www.snort.org
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most <a href="
> https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
------------------------------------------------------------------------------
Announcing the Oxford Dictionaries API! The API offers world-renowned
dictionary content that is easy and intuitive to access. Sign up for an
account today to start using our lexical data to power your apps and
projects. Get started today and enter our developer competition.
http://sdm.link/oxford

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!