Re: Urausy rules

[Nick Randolph <drandolph () sourcefire com>]

I added a urilen to the CNC rule, this should reduce the number of times
the PCRE is evaluated. The final rules are below.

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain www.wolfvr.com"; flow:to_server; byte_test:1,!&,0xF8,2;
content:"|06|wolfvr|03|com|00|"; fast_pattern:only; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset community,
service dns; reference:url,
www.virustotal.com/en/file/f53a483befed8d1494827a3f2444cfe638d3f7e595d72b722eab92d1aca9ede3/analysis/1376847283/;
classtype:trojan-activity; sid:27707; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Ransomware.Urausy outbound connection attempt";
flow:to_server,established; urilen:>145,norm; content:".html"; http_uri;
content:"User-Agent|3A| Mozilla/5.0 |28|compatible|3B| MSIE 9.0|3B| Windows
NT 6.1|3B| Trident/5.0"; fast_pattern:only;
pcre:"/\x2f[a-z-_]{80,}\x2ehtml$/U"; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,
www.virustotal.com/en/file/f53a483befed8d1494827a3f2444cfe638d3f7e595d72b722eab92d1aca9ede3/analysis/1376847283/;
classtype:trojan-activity; sid:27708; rev:1;)




On Sun, Aug 25, 2013 at 12:21 PM, Joel Esler <jesler () sourcefire com> wrote:

> Thanks.  I believe Nick is already looking at these.  Thanks.
>
>
> --
> Joel Esler
> Sent from my iPad
>
> On Aug 24, 2013, at 8:04 AM, Y M <snort () outlook com> wrote:
>
>  Got my hands on a sample of ransomware and been running it on my test
> lab for a while now (pcaps attached). It turned out to be Urausy and I
> already uploaded it to VirusTotal. Below are two rules: one for outbound
> connection and the other for a DNS request. It seems the domain is
> hardcoded.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Ransomware.Urausy outbound connection attempt";
> flow:to_server,established; content:"GET"; http_method; content:".html";
> http_uri; content:"User-Agent|3A| Mozilla/5.0 |28|compatible|3B| MSIE
> 9.0|3B| Windows NT 6.1|3B| Trident/5.0"; fast_pattern:only;
> pcre:"/\/[a-z-_]{80,}\.html$/U"; metadata: impact_flag red, policy
> balanced-ips drop, policy security-ips drop, ruleset community, service
> http; reference:url,
> www.virustotal.com/en/file/f53a483befed8d1494827a3f2444cfe638d3f7e595d72b722eab92d1aca9ede3/analysis/1376847283/";
> classtype:trojan-activity; sid:100029; rev:2;)
>
> alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
> malware domain www.wolfvr.com"; flow:to_server; byte_test:1,!&,0xF8,2;
> content:"|06|wolfvr|03|com|00|"; fast_pattern:only; metadata:impact_flag
> red, policy balanced-ips drop, policy security-ips drop, ruleset community,
> service dns; reference:url,
> www.virustotal.com/en/file/f53a483befed8d1494827a3f2444cfe638d3f7e595d72b722eab92d1aca9ede3/analysis/1376847283/;
> classtype:trojan-activity; sid:100030; rev:1;)
>
> Any help in improving these is welcome, thanks.
> YM
>
> <Urausy.pcap>
>
> <Urausy_DNS.pcap>
>
>
> ------------------------------------------------------------------------------
> Introducing Performance Central, a new site from SourceForge and
> AppDynamics. Performance Central is your source for news, insights,
> analysis and resources for efficient Application Performance Management.
> Visit us today!
> http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
>
>
> ------------------------------------------------------------------------------
> Introducing Performance Central, a new site from SourceForge and
> AppDynamics. Performance Central is your source for news, insights,
> analysis and resources for efficient Application Performance Management.
> Visit us today!
> http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!



-- 

Nick Randolph
Research Engineer
Sourcefire, Inc.
nrandolph () sourcefire com
Sourcefire.com <http://www.sourcefire.com/>

------------------------------------------------------------------------------
Introducing Performance Central, a new site from SourceForge and 
AppDynamics. Performance Central is your source for news, insights, 
analysis and resources for efficient Application Performance Management. 
Visit us today!
http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!