Snort mailing list archives
Re: Win.Trojan.NeutrinoBot
From: Tyler Montier <tmontier () sourcefire com>
Date: Thu, 9 Mar 2017 11:25:50 -0500
Yaser,

Thank you for your submission. We will review the rules and get back to you when they're finished.

Sincerely,
Tyler Montier
Cisco Talos

On Thu, Mar 9, 2017 at 1:49 AM, Y M <snort () outlook com> wrote:

Hello,

The below rules were derived from the reference article. Reviewing the existing signature sid:32670, it may hit on the initial outbound connection. Subsequent traffic may not trigger the rule given the HTTP header differences. No pcap is available for this one. If these rules seem redundant, please ignore them.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.NeutrinoBot initial outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/tasks.php"; fast_pattern:only; http_uri; content:"Cookie|3A 20|auth="; http_header; content:"ZW50ZXI="; http_client_body; content:!"Connection"; http_header; content:!"Accept"; http_header; metadata:ruleset community, service http; reference:url,blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/; reference:url,www.virustotal.com/en/file/45abc50e837a3e0c4df842fe8c3aa54e103d690d67f89d78059878bd3acc67ab/analysis/; classtype:trojan-activity; sid:1000873; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.NeutrinoBot success inbound connection"; flow:to_client,established; content:"404"; http_stat_code; file_data; content:"<!---c3VjY2Vzcw==--->"; metadata:ruleset community, service http; reference:url,blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/; reference:url,www.virustotal.com/en/file/45abc50e837a3e0c4df842fe8c3aa54e103d690d67f89d78059878bd3acc67ab/analysis/; classtype:trojan-activity; sid:1000874; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.NeutrinoBot outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/tasks.php"; fast_pattern:only; http_uri; content:"Cookie|3A 20|auth="; http_header; content:"Connection|3A 20|close|0D 0A|"; http_header; content:"|20|form-data|3B|name=|22|fname|22|"; content:"|20|form-data|3B 20|name=|22|data|22|"; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/; reference:url,www.virustotal.com/en/file/45abc50e837a3e0c4df842fe8c3aa54e103d690d67f89d78059878bd3acc67ab/analysis/; classtype:trojan-activity; sid:1000875; rev:1;)

Thanks.
YM

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!
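Added example, not part of the thread and not Snort or Talos code: a small Python evaluator that transcribes the content and negated-content checks of sids 1000873, 1000874 and 1000875 above and runs them over constructed HTTP messages (the host name, cookie value, multipart boundary and body text are assumptions), so the reader can see which message each rule is written to catch and why the negated Connection and Accept checks keep the two outbound rules from firing on the same request. It models only the content, http_* buffer and file_data checks; flow, ports, fast_pattern and http_inspect normalization are out of scope.

```python
import base64

# Added example (not Snort, not Talos code): evaluates the content-match
# logic of the three NeutrinoBot rules posted above against constructed
# HTTP messages.  It is a reading aid for the rules, not a substitute for
# testing them in Snort against real traffic.

# Rule bodies transcribed from the post as (buffer, needle, negated).
# "raw" stands for a content match with no http_* modifier (whole payload).
RULES = {
    1000873: [  # initial outbound connection
        ("method", b"POST", False),
        ("uri", b"/tasks.php", False),
        ("header", b"Cookie: auth=", False),
        ("body", b"ZW50ZXI=", False),          # http_client_body
        ("header", b"Connection", True),       # content:!"Connection"
        ("header", b"Accept", True),           # content:!"Accept"
    ],
    1000874: [  # success inbound connection
        ("stat_code", b"404", False),
        ("body", b"<!---c3VjY2Vzcw==--->", False),  # file_data
    ],
    1000875: [  # outbound connection (task upload)
        ("method", b"POST", False),
        ("uri", b"/tasks.php", False),
        ("header", b"Cookie: auth=", False),
        ("header", b"Connection: close\r\n", False),
        # Both separators reproduced exactly as posted: ";name=" vs "; name=".
        ("raw", b' form-data;name="fname"', False),
        ("raw", b' form-data; name="data"', False),
        ("header", b"Accept", True),
        ("header", b"Referer", True),
    ],
}


def buffers(start_line, headers, body=b""):
    """Split one HTTP message into the buffers the rules inspect."""
    parts = start_line.split(" ", 2)
    is_request = not parts[0].startswith("HTTP/")
    hdr = "".join(f"{k}: {v}\r\n" for k, v in headers.items()).encode()
    raw = (start_line + "\r\n").encode() + hdr + b"\r\n" + body
    return {
        "method": parts[0].encode() if is_request else b"",
        "uri": parts[1].encode() if is_request else b"",
        "stat_code": parts[1].encode() if not is_request else b"",
        "header": hdr,
        "body": body,
        "raw": raw,
    }


def rule_matches(sid, bufs):
    """Every positive content must be present and every negated one absent."""
    return all((needle in bufs[buf]) != negated
               for buf, needle, negated in RULES[sid])


def matching_sids(start_line, headers, body=b""):
    bufs = buffers(start_line, headers, body)
    return sorted(sid for sid in RULES if rule_matches(sid, bufs))


def decoded_tokens():
    """The base64 tokens the rules key on, decoded (both are plain words)."""
    return {tok: base64.b64decode(tok).decode()
            for tok in ("ZW50ZXI=", "c3VjY2Vzcw==")}


# Constructed sample traffic; host name, cookie value and boundary are assumed.
C2 = "c2.example.invalid"
COOKIE = "auth=0123456789abcdef"
BEACON = ("POST /tasks.php HTTP/1.1",
          {"Host": C2, "Cookie": COOKIE, "Content-Length": "8"},
          b"ZW50ZXI=")
REPLY = ("HTTP/1.1 404 Not Found",
         {"Content-Type": "text/html"},
         b"<html><body><!---c3VjY2Vzcw==---></body></html>")
UPLOAD_BODY = (b'--xyz\r\nContent-Disposition: form-data;name="fname"\r\n\r\nout.txt\r\n'
               b'--xyz\r\nContent-Disposition: form-data; name="data"\r\n\r\ntask output\r\n'
               b'--xyz--\r\n')
UPLOAD = ("POST /tasks.php HTTP/1.1",
          {"Host": C2, "Cookie": COOKIE, "Connection": "close",
           "Content-Type": "multipart/form-data; boundary=xyz",
           "Content-Length": str(len(UPLOAD_BODY))},
          UPLOAD_BODY)
# Same URI, cookie and body as the beacon, but with a browser-style Accept
# header: the negated content:!"Accept" suppresses both outbound rules.
BROWSER = ("POST /tasks.php HTTP/1.1",
           {"Host": C2, "Cookie": COOKIE, "Accept": "*/*", "Content-Length": "8"},
           b"ZW50ZXI=")

if __name__ == "__main__":
    for name, msg in [("beacon", BEACON), ("reply", REPLY),
                      ("upload", UPLOAD), ("browser", BROWSER)]:
        print(f"{name:8s} -> {matching_sids(*msg)}")
    print(decoded_tokens())
```

Two things the script makes visible that are worth checking before deploying the rules as posted: the two raw content matches in sid 1000875 use different separators (";name=" for fname, "; name=" for data), and the script reproduces them exactly, so a sample where the bot emits both the same way would miss one of them; and with http_inspect's enable_cookie option on, Snort 2.9 moves the cookie value out of the http_header buffer into http_cookie (only the "Cookie: " name stays in http_header), in which case "Cookie: auth=" under http_header would not match and an http_cookie match on "auth=" would be needed instead. Neither can be settled without a pcap, which the submitter notes is not available.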
Current thread:
- Win.Trojan.NeutrinoBot Y M (Mar 08)
- Re: Win.Trojan.NeutrinoBot Tyler Montier (Mar 09)