Snort mailing list archives
Re: Win.Trojan.UDPOS
From: Phillip Lee <phillile () sourcefire com>
Date: Thu, 22 Mar 2018 10:07:19 -0400
Dear Yaser, This rule has been reviewed and added to the community ruleset (SID: 45963-49564, 49566-45968). Several modifications were made, including removing all pcre matches in the DNS rules proposed (unnecessary, better performance). Submitted Rules: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.UDPOS outbound command and control IP address check"; flow:to_server,established; content:"/index.php?udpool="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:45963; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS outbound system information disclousre"; flow:to_server; isdataat:150; content:"|0F|"; content:"|03|bin"; within:4; distance:15; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:45964; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS outbound heartbeat"; flow:to_server; isdataat:150; content:"|0F|"; content:"|04|ping"; within:5; distance:15; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:45966; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration"; flow:to_server; isdataat:150; content:"|0F|"; content:"|03|trp"; within:4; distance:15; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:45967; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration"; flow:to_server; isdataat:150; content:"|0F|"; content:"|04|note"; within:5; distance:15; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:45968; rev:1;) Thank you for your contribution. Sincerely, Phil Lee Cisco Talos
On Feb 14, 2018, at 12:12 PM, Phillip Lee <phillile () sourcefire com> wrote: Thanks! -PhilOn Feb 14, 2018, at 11:44 AM, Y M <snort () outlook com <mailto:snort () outlook com>> wrote: Hi Phillip, The pcap is attached. The archive password is infected Thanks. Yaser From: Phillip Lee <phillile () sourcefire com <mailto:phillile () sourcefire com>> Sent: Wednesday, February 14, 2018 7:18:54 PM To: Y M Cc: snort-sigs () lists snort org <mailto:snort-sigs () lists snort org> Subject: Re: [Snort-sigs] Win.Trojan.UDPOS Yaser, Thanks for your submission. We will review the rules and get back to you when they're finished. Can you send along the pcaps that you have? Regards, Phil Lee Cisco TalosOn Feb 13, 2018, at 12:49 PM, Y M via Snort-sigs <snort-sigs () lists snort org <mailto:snort-sigs () lists snort org>> wrote: Hi, The below signatures are of the UDPOS point-of-sale malware. Pcap is available for this one. Opted for a rule per message as opposed to bundling message types into two rules. alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.UDPOS external IP address check attempt"; flow:to_server,established; content:"User-Agent|3A 20|Browser|0D 0A|"; fast_pattern:only; http_header; content:"/index.php?"; http_uri; content:"udpool="; distance:0; http_uri; metadata:ruleset community, service http; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns <http://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns>; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection <http://www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection>; classtype:trojan-activity; sid:9000025; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS data exfiltration via DNS attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|"; content:"|03|bin"; offset:16; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; pcre:"/[a-f0-9]{15}\x03bin(([\x10-\x1f][a-f0-9]{10,31}){4}).+\x00\x00/"; metadata:ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns <http://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns>; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection <http://www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection>; classtype:trojan-activity; sid:9000026; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS data exfiltration via DNS attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|"; content:"|03|trp"; offset:16; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; pcre:"/[a-f0-9]{15}\x03trp(([\x10-\x1f][a-f0-9]{10,31}){4}).+\x00\x00/"; metadata:ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns <http://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns>; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection <http://www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection>; classtype:trojan-activity; sid:9000027; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS data exfiltration via DNS attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|"; content:"|04|info"; offset:16; byte_test:1,<,40,0,relative; byte_jump:1,0,relative; byte_test:1,<,40,0,relative; byte_jump:1,0,relative; byte_test:1,<40,35,0,relative; byte_jump:1,0,relative; byte_test:1,<=,40,0,relative; pcre:"/[a-f0-9]{15}\x04info(([\x10-\x28][a-f0-9]{10,40}){4}).+\x00\x00/"; metadata:ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns <http://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns>; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection <http://www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection>; classtype:trojan-activity; sid:9000028; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS data exfiltration via DNS attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|"; content:"|04|ping"; offset:16; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; pcre:"/[a-f0-9]{15}\x04ping(([\x10-\x1f][a-f0-9]{10,31}){4}).+\x00\x00/"; metadata:ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns <http://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns>; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection <http://www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection>; classtype:trojan-activity; sid:9000029; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS data exfiltration via DNS attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|"; content:"|04|note"; offset:16; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; pcre:"/[a-f0-9]{15}\x04note(([\x10-\x1f][a-f0-9]{10,31}){4}).+\x00\x00/"; metadata:ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns <http://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns>; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection <http://www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection>; classtype:trojan-activity; sid:9000030; rev:1;) Thanks. YM _______________________________________________ Snort-sigs mailing list Snort-sigs () lists snort org <mailto:Snort-sigs () lists snort org> https://lists.snort.org/mailman/listinfo/snort-sigs <https://lists.snort.org/mailman/listinfo/snort-sigs> Please visit http://blog.snort.org <http://blog.snort.org/> for the latest news about Snort! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette <https://snort.org/faq/what-is-the-mailing-list-etiquette> Visit the Snort.org <http://snort.org/> to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads <https://snort.org/downloads/#rule-downloads>">emerging threats</a>!<udpos_cnc.zip>
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists snort org https://lists.snort.org/mailman/listinfo/snort-sigs Please visit http://blog.snort.org for the latest news about Snort! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
Current thread:
- Win.Trojan.UDPOS Y M via Snort-sigs (Feb 13)
- Re: Win.Trojan.UDPOS Phillip Lee (Feb 14)
- Message not available
- Message not available
- Re: Win.Trojan.UDPOS Phillip Lee (Mar 22)
- Message not available
- Re: Win.Trojan.UDPOS Phillip Lee (Feb 14)