Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Win.Trojan.UDPOS

From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 13 Feb 2018 17:49:10 +0000
Hi,


The below signatures are of the UDPOS point-of-sale malware. Pcap is available for this one. Opted for a rule per 
message as opposed to bundling message types into two rules.


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.UDPOS external IP address check 
attempt"; flow:to_server,established; content:"User-Agent|3A 20|Browser|0D 0A|"; fast_pattern:only; http_header; 
content:"/index.php?"; http_uri; content:"udpool="; distance:0; http_uri; metadata:ruleset community, service http; 
reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; 
reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; 
classtype:trojan-activity; sid:9000025; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS data exfiltration via DNS attempt"; 
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|"; content:"|03|bin"; offset:16; byte_test:1,<=,31,0,relative; 
byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; 
byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; 
pcre:"/[a-f0-9]{15}\x03bin(([\x10-\x1f][a-f0-9]{10,31}){4}).+\x00\x00/"; metadata:ruleset community, service dns; 
reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; 
reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; 
classtype:trojan-activity; sid:9000026; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS data exfiltration via DNS attempt"; 
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|"; content:"|03|trp"; offset:16; byte_test:1,<=,31,0,relative; 
byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; 
byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; 
pcre:"/[a-f0-9]{15}\x03trp(([\x10-\x1f][a-f0-9]{10,31}){4}).+\x00\x00/"; metadata:ruleset community, service dns; 
reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; 
reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; 
classtype:trojan-activity; sid:9000027; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS data exfiltration via DNS attempt"; 
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|"; content:"|04|info"; offset:16; byte_test:1,<,40,0,relative; 
byte_jump:1,0,relative; byte_test:1,<,40,0,relative; byte_jump:1,0,relative; byte_test:1,<40,35,0,relative; 
byte_jump:1,0,relative; byte_test:1,<=,40,0,relative; 
pcre:"/[a-f0-9]{15}\x04info(([\x10-\x28][a-f0-9]{10,40}){4}).+\x00\x00/"; metadata:ruleset community, service dns; 
reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; 
reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; 
classtype:trojan-activity; sid:9000028; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS data exfiltration via DNS attempt"; 
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|"; content:"|04|ping"; offset:16; byte_test:1,<=,31,0,relative; 
byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; 
byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; 
pcre:"/[a-f0-9]{15}\x04ping(([\x10-\x1f][a-f0-9]{10,31}){4}).+\x00\x00/"; metadata:ruleset community, service dns; 
reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; 
reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; 
classtype:trojan-activity; sid:9000029; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS data exfiltration via DNS attempt"; 
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|"; content:"|04|note"; offset:16; byte_test:1,<=,31,0,relative; 
byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; 
byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; 
pcre:"/[a-f0-9]{15}\x04note(([\x10-\x1f][a-f0-9]{10,31}){4}).+\x00\x00/"; metadata:ruleset community, service dns; 
reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; 
reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; 
classtype:trojan-activity; sid:9000030; rev:1;)


Thanks.

YM


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
Previous By Date Next
Previous By Thread Next

Current thread: