Snort mailing list archives
Re: Win32/64 Napolar sig
From: Nick Randolph <drandolph () sourcefire com>
Date: Mon, 30 Sep 2013 11:17:28 -0400
This is what we ended up with
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Napolar outbound connection attempt"; flow:to_server,
established; content:"POST"; http_method; content:"v="; http_client_body;
content:"|26|u="; within:3; distance:3; http_client_body; content:"|26|c=";
distance:0; http_client_body; content:"|26|s={"; distance:0;
http_client_body; content:"}|26|w="; within:4; distance:36;
http_client_body; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http; reference:url,
www.virustotal.com/en/file/463d39dcbf19b5c4c9e314e5ce77bf8a51848b8c7d64e4f0a6656b9d28941e2e/analysis/;
classtype:trojan-activity; sid:28079; rev:1;)
Another contributor submitted this as well
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Napolar trojan data theft"; flow:to_server,established;
content:".exe&h="; fast_pattern:only; http_client_body; content:"p=";
depth:2; http_client_body; metadata:impact_flag red, policy security-ips
drop, ruleset community, service http; reference:url,
www.virustotal.com/en/file/12781be5908ecc3dbf4a459e4cbc7bedb654b50236f7a961e85f3af5e2275ddf/analysis/;
classtype:trojan-activity; sid:28080; rev:1;)
On Wed, Sep 25, 2013 at 5:32 PM, James Lay <jlay () slave-tothe-box net> wrote:
On 2013-09-25 15:24, James Lay wrote:On 2013-09-25 14:21, Nick Randolph wrote:I would bet that the USER_NAME and COMP_NAME are variable depending on the victim. Avast might have removed them to hide some internal data. They did include some hashes so Ill run those through our sandbox and let you know what I see. On Wed, Sep 25, 2013 at 3:30 PM, James Lay <jlay () slave-tothe-box net [7]> wrote:First attempt...hope it doesnt stink :) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC W32/64.Napolar initial POST"; flow:to_server, established; file_data; content:"|26|u=USER_NAME|26|c=COMP_NAME|26|s="; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http, ruleset community;reference:url,blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/[1]; classtype:trojan-activity; sid:10000099; rev:1;) JamesYep...variables:http://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/Darn. JamesMeh: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC W32/64.Napolar initial POST"; flow:to_server, established; file_data; content:"POST"; http_method; content:"v="; content:"|26|u="; content:"|26|c="; content:"|26|s="; metadata:policy balanced-ips drop, policy security-ips drop, service http, ruleset community; reference:url, blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/ ; classtype:trojan-activity; sid:10000099; rev:2;) This is probably cheesy....bet the proper way would be to lookup max username and machine name and allowed characters for winders and PCRE it up...but to be real honest I'm just not in the mood for pcre today ;) James ------------------------------------------------------------------------------ October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60133471&iu=/4140/ostg.clktrk _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
-- Nick Randolph Research Engineer Sourcefire, Inc. nrandolph () sourcefire com Sourcefire.com <http://www.sourcefire.com/>
------------------------------------------------------------------------------ October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60133471&iu=/4140/ostg.clktrk
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Win32/64 Napolar sig James Lay (Sep 25)
- Re: Win32/64 Napolar sig Nick Randolph (Sep 25)
- Re: Win32/64 Napolar sig James Lay (Sep 25)
- Re: Win32/64 Napolar sig James Lay (Sep 25)
- Re: Win32/64 Napolar sig James Lay (Sep 25)
- Re: Win32/64 Napolar sig Nick Randolph (Sep 30)
- Re: Win32/64 Napolar sig Nick Randolph (Sep 25)