
Re: Multiple signatures 005


From: Marcos Rodriguez <mrodriguez () sourcefire com>
Date: Mon, 23 Jul 2018 14:55:58 -0400

On Mon, Jul 23, 2018 at 12:59 PM, Y M via Snort-sigs <
snort-sigs () lists snort org> wrote:

Hi,

May I suggest enjoying a21b5295ca0e1f10ca7c3f76b632e4de
(Win.Trojan.Swrort below); PowerShell command execution via DNS TXT
response. Pcaps are available for all of the rules.

# --------------------
# Date: 2018-07-21
# Title: Win.Trojan.Fuerboos, Win.Trojan.NeutrinoBot
# Tests: pcap
# Reference:
#    - https://www.virustotal.com/#/file/8b9cf529dab1992fa37508dcd02173
e615c2f3d95a46f2059d06050dd7dbcb0f/detection
# Confidence: medium

# NeutrinoBot task request: URI /tasks.php (fast pattern), a Cookie header and
# an "auth=1" field in the client body. "auth=1" has no delimiter after it, so
# it also matches "auth=10", "auth=1abc" and similar; if that proves noisy,
# tighten it with whatever delimiter the pcap shows following the value.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.NeutrinoBot variant outbound connection"; flow:to_server,established; content:"/tasks.php"; fast_pattern:only; http_uri; content:"Cookie: "; http_header; content:"auth=1"; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/8b9cf529dab1992fa37508dcd02173e615c2f3d95a46f2059d06050dd7dbcb0f/detection; classtype:trojan-activity; sid:8000190; rev:1;)

# NeutrinoBot /tasks.php request whose body carries cmd=, &uid=, &os= and &av=
# fields (presumably the bot's check-in / task response -- confirm from pcap).
# The four body contents carry no relative modifiers, so the order in which
# the fields appear in the body is not enforced; only their presence is.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.NeutrinoBot variant outbound connection"; flow:to_server,established; content:"/tasks.php"; fast_pattern:only; http_uri; content:"Cookie: "; http_header; content:"cmd="; http_client_body; content:"&uid="; http_client_body; content:"&os="; http_client_body; content:"&av="; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/8b9cf529dab1992fa37508dcd02173e615c2f3d95a46f2059d06050dd7dbcb0f/detection; classtype:trojan-activity; sid:8000191; rev:1;)

# NeutrinoBot /tasks.php request whose body carries fail= and &task_id=
# (presumably a task-failure report back to the controller -- confirm from
# pcap). Same header/URI shape as sid 8000190 and 8000191; the two body
# contents are unordered relative to each other.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.NeutrinoBot variant outbound connection"; flow:to_server,established; content:"/tasks.php"; fast_pattern:only; http_uri; content:"Cookie: "; http_header; content:"fail="; http_client_body; content:"&task_id="; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/8b9cf529dab1992fa37508dcd02173e615c2f3d95a46f2059d06050dd7dbcb0f/detection; classtype:trojan-activity; sid:8000192; rev:1;)

# --------------------
# Date: 2018-07-21
# Title: Win.Trojan.GenKryptik (Talos File Reputation:
W32.3A4A773CDF-95.SBX.TG)
# Tests: pcap
# Reference:
#    - https://www.virustotal.com/#/file/3a4a773cdfa20182f6fab817d010a0
a47e94784e1b02e009c1c5c9766b43a25f/detection
# Confidence: medium

# GenKryptik check-in. urilen:10 together with "/index.php" (10 bytes) pins the
# request URI to exactly /index.php; the fixed "MSIE 6.0b; Windows NT 5.1"
# User-Agent (3B = ';') is the fast pattern. Most of the specificity comes from
# header shape rather than content: a POST that sends Content-Length but none
# of Content-Type, Connection, Accept or Referer. A variant that adds any one
# of those four headers will not fire this rule -- acceptable for a
# medium-confidence signature, but worth re-checking against new samples.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GenKryptik outbound connection"; flow:to_server,established; urilen:10; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0b|3B| Windows NT 5.1)"; fast_pattern:only; http_header; content:"/index.php"; http_uri; content:"POST"; http_method; content:"Content-Length"; http_header; content:!"Content-Type"; http_header; content:!"Connection"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/3a4a773cdfa20182f6fab817d010a0a47e94784e1b02e009c1c5c9766b43a25f/detection; classtype:trojan-activity; sid:8000194; rev:1;)

# --------------------
# Date: 2018-07-22
# Title: Win.Trojan.MSIL (ClamAV: Win.Trojan.Agent-1288686, Talos File
Reputation: W32.Auto:cc093c.in03.Talos)
# Tests: pcap
# Reference:
#    - https://www.virustotal.com/#/file/cc093cca83f700878856b06cb3623a
912550d44f82071e88cbbc160381391a91/detection
# Confidence: medium

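# MSIL stealer upload: the query string carries ?hwid=, &pswd=, &telegram= and
# &wallets= parameters ("&wallets=" is the fast pattern) and the body contains
# a multipart field header name="file"; (22 = '"', 3B = ';'). The request sends
# no User-Agent header, which is part of the match. The msg text is corrected
# from the submitted "outbound conneciton" so alerts are searchable by the
# usual "outbound connection" wording.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL outbound connection"; flow:to_server,established; content:"&wallets="; fast_pattern:only; http_uri; content:"?hwid="; http_uri; content:"&pswd="; http_uri; content:"&telegram="; http_uri; content:"name=|22|file|22 3B|"; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/cc093cca83f700878856b06cb3623a912550d44f82071e88cbbc160381391a91/detection; classtype:trojan-activity; sid:8000195; rev:1;)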

# --------------------
# Date: 2018-07-22
# Title: Win.Trojan.Swrort (ClamAV: Win.Trojan.Swrort-5710536-0)
# Tests: pcap
# Reference:
#    - https://www.virustotal.com/#/file/c4f069d079330cd46e51f9469c2701
5ed34c6371481df83a323bc098f3b53382/detection
# Confidence: medium
# Notes:
#    - PowerShell execution via DNS TXT
#    - The word "shino" in the domains may be a reference to "what" in some
dialects

# Swrort stager: DNS TXT answer carrying a PowerShell command. The hex bytes are
# the answer RR fields TYPE=TXT (00 10), CLASS=IN (00 01) followed by the first
# two bytes of the 4-byte TTL (00 00) -- so an answer with TTL >= 0x10000 would
# not match; probably fine for a C2 record, but it is an assumption baked into
# the signature. "powershell " must follow that header (distance:0), case
# insensitive. The rule header carries no port; the "service dns" metadata is
# what scopes it under a target-based config. flow:to_client on UDP presumably
# relies on stream UDP session tracking being enabled.
alert udp any any -> $HOME_NET any (msg:"MALWARE-CNC PowerShell command in DNS TXT Response"; flow:to_client; dsize:>100; content:"|00 10 00 01 00 00|"; content:"powershell "; distance:0; nocase; metadata:ruleset community, service dns; reference:url,www.virustotal.com/#/file/c4f069d079330cd46e51f9469c27015ed34c6371481df83a323bc098f3b53382/detection; classtype:trojan-activity; sid:8000196; rev:1;)

# Swrort stager, second TXT-answer pattern: same TXT/IN/TTL prefix as sid
# 8000196, then "new-object net.webclient" (the download cradle), case
# insensitive.
# NOTE(review): unlike sid 8000196 the second content has no distance:0, so it
# may match anywhere in the datagram rather than after the TXT RR header.
# That may be intentional (the command could be split across TXT strings);
# confirm against the pcap and add distance:0 if the two rules should be
# parallel.
alert udp any any -> $HOME_NET any (msg:"MALWARE-CNC PowerShell command in DNS TXT Response"; flow:to_client; dsize:>100; content:"|00 10 00 01 00 00|"; content:"new-object net.webclient"; nocase; metadata:ruleset community, service dns; reference:url,www.virustotal.com/#/file/c4f069d079330cd46e51f9469c27015ed34c6371481df83a323bc098f3b53382/detection; classtype:trojan-activity; sid:8000197; rev:1;)

# Swrort: TXT lookup for shinohack.me. byte_test reads the first flags byte at
# offset 2 of the DNS header and requires QR, Opcode and AA all clear (mask
# 0xF8), i.e. a standard query. The name is in wire format (label lengths 09
# and 02) and QTYPE TXT / QCLASS IN (00 10 00 01) must follow it.
# NOTE(review): |00 10 00 01| is declared relative (distance:0) to a content
# marked fast_pattern:only, and a fast_pattern:only content is not evaluated
# as a rule option; the qtype check may therefore have nothing to be relative
# to and degrade to an absolute match. Confirm against the pcap, or drop
# "only" from the fast_pattern modifier.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-OTHER DNS request for known malware domain shinohack.me - Win.Trojan.Swrort"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|shinohack|02|me"; fast_pattern:only; content:"|00 10 00 01|"; distance:0; metadata:ruleset community, service dns; reference:url,www.virustotal.com/#/file/c4f069d079330cd46e51f9469c27015ed34c6371481df83a323bc098f3b53382/detection; classtype:trojan-activity; sid:8000198; rev:1;)

# Swrort: A lookup for shinobotps1.com. Same standard-query flags check as sid
# 8000198 (byte at offset 2, mask 0xF8 clear); the name is in wire format
# (label lengths 0B and 03) and QTYPE A / QCLASS IN (00 01 00 01) must follow.
# NOTE(review): as in sid 8000198, the distance:0 content is relative to a
# fast_pattern:only content, which is not evaluated as a rule option; confirm
# the qtype check still behaves as relative, or drop "only".
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-OTHER DNS request for known malware domain shinobotps1.com - Win.Trojan.Swrort"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|shinobotps1|03|com"; fast_pattern:only; content:"|00 01 00 01|"; distance:0; metadata:ruleset community, service dns; reference:url,www.virustotal.com/#/file/c4f069d079330cd46e51f9469c27015ed34c6371481df83a323bc098f3b53382/detection; classtype:trojan-activity; sid:8000199; rev:1;)

# Swrort TLS server side. |16 03 01| is a Handshake record with version TLS
# 1.0; distance:2 skips the 2-byte record length to the handshake type |02|
# (ServerHello); distance:3 skips the 3-byte handshake length to the handshake
# version |03 01|. The final content is the X.509 commonName OID (55 04 03), a
# PrintableString tag (13) of length 0x0F and the literal "shinobotps1.com";
# it carries no relative modifier, so it may match anywhere in the payload.
# NOTE(review): the two version checks pin this to TLS 1.0 on the wire; a
# server that negotiates TLS 1.2 typically sends 03 03 in those positions and
# would not match -- confirm from the pcap which version the C2 used.
# The header has no port restriction; "service ssl" scopes it under a
# target-based config.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Swrort inbound SSL certificate"; flow:to_client,established; content:"|16 03 01|"; content:"|02|"; distance:2; content:"|03 01|"; distance:3; content:"|55 04 03 13 0F|shinobotps1.com"; metadata:ruleset community, service ssl; reference:url,app.any.run/tasks/95c76eff-5118-46d1-9e62-cc5d4d2a1310; classtype:trojan-activity; sid:8000200; rev:1;)

Thanks.
YM



Hi Yaser,

Thanks for these submissions. We will review each of them and get back to
you when finished.  We'd appreciate any pcaps you could send, including the
follow-up email you sent for CVE-2018-2894. Have a great day!


-- 
Marcos Rodriguez
Cisco Talos
