Re: C2 - Zeus?

[Paul Bottomley <Paul.Bottomley () betfair com>]

Joel,

Have a look here:

http://urlquery.net/search.php?q=%5C%2Fimages%5C%2F%5Ba-zA-Z%5D%7B1%7D%5C.php%5C%3Fid%5C%3D%5B0-9%5D%7B2%2C%7D&type=regexp&start=2013-05-29&end=2013-06-13&max=50

Those 3 domains are definitely C2 servers (I've seen them all in pcaps I have)... there are probably more... so looking 
at the URL pattern its either 2 or 3 digits, and an optional period at the end, so you can probably change it yes.

I can send you a pcap I have directly if you like?

Thanks,
Paul

From: Joel Esler [mailto:jesler () sourcefire com]
Sent: 13 June 2013 18:46
To: Paul Bottomley
Cc: Snort-sigs
Subject: Re: [Snort-sigs] C2 - Zeus?

Paul,

A couple comments,

In your pcre you end with "id\=[0-9]{2,}", is there something after the two digits?  or does it end there?  (Can we do 
"id\=[0-9]{2}$")  As it stands right there, "2," will keep searching on and on.

Also, [a-zA-Z]{1}...  The {1} is unnecessary in this case.

Any pcaps here?


On Jun 13, 2013, at 7:28 AM, Paul Bottomley <Paul.Bottomley () betfair com<mailto:Paul.Bottomley () betfair com>> wrote:


Might need running in your test lab for a week or so to see what it picks up... From observation so no reference.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus outbound connection"; 
flow:established,to_server; content:"/images/"; fast_pattern:only; http_uri; 
pcre:"/\/images\/[a-zA-Z]{1}\.php\?id\=[0-9]{2,}/Ui"; classtype:trojan-activity; sid:xxxxxx; rev:1;)

Thanks

________________________________________________________________________
In order to protect our email recipients, Betfair Group use SkyScan from
MessageLabs to scan all Incoming and Outgoing mail for viruses.

________________________________________________________________________
------------------------------------------------------------------------------
This SF.net<http://SF.net> email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net<mailto:Snort-sigs () lists sourceforge net>
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!


________________________________________________________________________
In order to protect our email recipients, Betfair Group use SkyScan from 
MessageLabs to scan all Incoming and Outgoing mail for viruses.

________________________________________________________________________

------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!