Re: Aumlib malware

[Joel Esler <jesler () sourcefire com>]

Oh wait, sorry Nick, I didn’t see that you had this one, are you grabbing this one?

On Aug 12, 2013, at 11:47 AM, Nick Randolph <drandolph () sourcefire com> wrote:

> I think we should add in the MSIE 5 user-agent as a fast_pattern:only and maybe blacklist DNS rules for the domains 
> in use. I grabbed the samples and gave them a really quick look.
>
> 832f5e01be536da71d5b3f7e41938cfb
> That user-agent used in the POST to /bbs/search.asp and /buy-sell/search.asp?newsid= is static in the malware.
>    Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 5.0)
> The domains are also static
>    info.xxuz.com and warnews.toh.info
>
> cb3dcde34fd9ff0e19381d99b02f9692
> Also uses static domains
>    documents.myPicture.info
>    ftp.documents.myPicture.info
>    www.documents.myPicture.info
>
> The URL changes slightly but the user-agent isn't as obvious in the binary. Since it's still reporting MSIE 5.0 then 
> it's probably still static
>   /bbs/info.asp
>
> aa873ed803ca800ce92a39d9a683c644
> This one is a word doc and looks like it gets picked up with sid:26832
>
>
> On Mon, Aug 12, 2013 at 11:40 AM, Ned Moran <ned () mysterymachine info> wrote:
> sample in question (832f5e01be536da71d5b3f7e41938cfb) can be found on VT.
>
> https://www.virustotal.com/en/file/c77afbe515536773777afebf500088e5b61cf23a6f527e6e39c0895e7be223c7/analysis/
>
> -Ned
>
>
> On 8/12/13 11:16 AM, Y M wrote:
> > Tried to get a sample of the executable from the urls mentioned in the reference but wasn't able to. Need more 
> > testing:
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Aumlib GET request"; 
> > flow:to_server,established; content:"GET"; http_method; content:"/buy-sell/"; http_uri; content:"search.asp"; 
> > http_uri; metadata: impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service 
> > http; reference:url, 
> > fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; 
> > classtype:trojan-activity; sid:100023; rev:1;)
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Aumlib POST request"; 
> > flow:to_server,established; content:"POST"; http_method; content:"/bbs/"; http_uri; content:"search.asp"; nocase; 
> > http_uri; metadata: impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service 
> > http; reference:url, 
> > fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; 
> > classtype:trojan-activity; sid:100022; rev:1;)
> > Thanks.YM                                      
> >
> >
> > ------------------------------------------------------------------------------
> > Get 100% visibility into Java/.NET code with AppDynamics Lite!
> > It's a free troubleshooting tool designed for production.
> > Get down to code-level detail for bottlenecks, with <2% overhead. 
> > Download for free and get started troubleshooting in minutes. 
> > http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
> >
> >
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > http://www.snort.org
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
>
>
> ------------------------------------------------------------------------------
> Get 100% visibility into Java/.NET code with AppDynamics Lite!
> It's a free troubleshooting tool designed for production.
> Get down to code-level detail for bottlenecks, with <2% overhead.
> Download for free and get started troubleshooting in minutes.
> http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
>
>
> -- 
>
> Nick Randolph
> Research Engineer
> Sourcefire, Inc.
> nrandolph () sourcefire com
> Sourcefire.com
> ------------------------------------------------------------------------------
> Get 100% visibility into Java/.NET code with AppDynamics Lite!
> It's a free troubleshooting tool designed for production.
> Get down to code-level detail for bottlenecks, with <2% overhead. 
> Download for free and get started troubleshooting in minutes. 
> http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk_______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite!
It's a free troubleshooting tool designed for production.
Get down to code-level detail for bottlenecks, with <2% overhead. 
Download for free and get started troubleshooting in minutes. 
http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!