Snort mailing list archives

Re: PRISM ransomware rules


From: Y M <snort () outlook com>
Date: Fri, 30 Aug 2013 20:01:03 +0000
Updated the last rules:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.PRISM outbound connection attempt - Get lock screen"; flow:to_server,established; content:"GET"; http_method; content:"/page/index_htm_files2/"; nocase; fast_pattern:only; pcre:"/\x2f[((xr)_a-z)|0-9]{3,}\x2e(css|js|jpg|png|txt)$/U"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/417cb84f48d20120b92530c489e9c3ee9a9deab53fddc0dc153f1034d3c52c58/analysis/1377785686/; classtype:trojan-activity; sid:1000033; rev:3;)
You may also want to add an event_filter to it in threshold.conf such as:
event_filter gen_id 1, sig_id 1000033, type threshold, track by_src, count 20, seconds 60
Thanks.
YM
From: snort () outlook com
To: snort-sigs () lists sourceforge net
Date: Thu, 29 Aug 2013 14:33:42 +0000
Subject: [Snort-sigs] PRISM ransomware rules

Another day another ransomware. Preserved a sample of the PRISM ransomware and up to VT; low detection rate. Rules below:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.PRISM outbound connection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/page/index.php"; nocase; http_uri; content:"foo="; nocase; http_cookie; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|"; fast_pattern:only; http_header; content:"data="; nocase; depth:5; offset:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/417cb84f48d20120b92530c489e9c3ee9a9deab53fddc0dc153f1034d3c52c58/analysis/1377785686/; classtype:trojan-activity; sid:1000031; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request for known malware domain sectempus.biz - Win.Ransomware.PRISM"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|sectempus|03|biz|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/417cb84f48d20120b92530c489e9c3ee9a9deab53fddc0dc153f1034d3c52c58/analysis/1377785686/; classtype:trojan-activity; sid:1000032; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.PRISM outbound connection attempt"; flow:to_server,established; content:"GET"; http_method; content:"/page/index_htm_files2/"; nocase; fast_pattern:only; pcre:"/\x2f[a-z_|0-9]{2,}\x2e(css|js|jpg|png)$/U"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/417cb84f48d20120b92530c489e9c3ee9a9deab53fddc0dc153f1034d3c52c58/analysis/1377785686/; classtype:trojan-activity; sid:1000033; rev:1;)
The last rule will generate several alerts since the ransomware is noisy and makes a lot of GET requests to fetch resources such as .html, .png, .jpg, .js, and .css. A pcre expression is present in an attempt to trigger on all resource GET requests instead of a rule for each.
However, it looks to me that it's not the best solution. Any pointers in the right direction are welcome as always.
Thanks
Yaser

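As an added illustration (not code from either message, nor from the Snort project), the following Python models the two URI detection options of sid:1000033 rev:3 together with the suggested event_filter, so the rule can be checked against sample URIs and the effect of thresholding seen on constructed traffic. The ThresholdFilter class is a simplified model of Snort's "type threshold, track by_src" behaviour, not Snort's own code, and the sample requests are constructed.

```python
import re
from collections import defaultdict

# Python equivalents of the two detection options in sid:1000033 rev:3: the
# nocase content match on the URI and the pcre with the /U (normalized URI)
# modifier. flow, http_method and http_uri are assumed already satisfied.
URI_CONTENT = "/page/index_htm_files2/"
# \x2f and \x2e written out; the character class is copied as posted, so the
# literal '(', ')' and '|' characters inside it are part of the class.
URI_PCRE = re.compile(r"/[((xr)_a-z)|0-9]{3,}\.(css|js|jpg|png|txt)$")


def uri_rule_matches(uri: str) -> bool:
    """True when both the nocase content and the pcre of rev:3 match the URI."""
    return URI_CONTENT.lower() in uri.lower() and URI_PCRE.search(uri) is not None


class ThresholdFilter:
    """Simplified model (assumption, not Snort code) of
    'event_filter type threshold, track by_src, count N, seconds S':
    per source address, an alert is emitted on every N-th matching event
    inside an S-second window; the window restarts once S seconds have passed."""

    def __init__(self, count: int = 20, seconds: int = 60):
        self.count, self.seconds = count, seconds
        self.state = defaultdict(lambda: {"start": None, "n": 0})

    def event(self, src: str, ts: float) -> bool:
        st = self.state[src]
        if st["start"] is None or ts - st["start"] >= self.seconds:
            st["start"], st["n"] = ts, 0
        st["n"] += 1
        if st["n"] == self.count:
            st["n"] = 0
            return True
        return False


def alerts_for(requests, count: int = 20, seconds: int = 60) -> int:
    """Number of alerts when (src, ts, uri) tuples pass through rule and filter."""
    f = ThresholdFilter(count, seconds)
    return sum(1 for src, ts, uri in requests if uri_rule_matches(uri) and f.event(src, ts))


if __name__ == "__main__":
    # Constructed sample traffic: 45 resource fetches from one host within 60 s,
    # plus an .html fetch that the pcre's extension list does not cover.
    sample = [("10.0.0.5", t, f"/page/index_htm_files2/img{t:03d}.png") for t in range(45)]
    sample.append(("10.0.0.5", 50.0, "/page/index_htm_files2/index.html"))
    print(alerts_for(sample))  # 2 alerts (20th and 40th match) instead of 45
```

Note that the content match is nocase while the pcre is case-sensitive, so an upper-case resource name passes the first option but not the second.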
------------------------------------------------------------------------------
Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more!
Discover the easy way to master current and previous Microsoft technologies
and advance your career. Get an incredible 1,500+ hours of step-by-step
tutorial videos with LearnDevNow. Subscribe today and save!
http://pubads.g.doubleclick.net/gampad/clk?id=58040911&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!