Snort mailing list archives
Re: PRISM ransomware rules
From: Y M <snort () outlook com>
Date: Fri, 30 Aug 2013 20:01:03 +0000
Updated the last rules:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.PRISM outbound connection attempt - Get lock screen"; flow:to_server,established; content:"GET"; http_method; content:"/page/index_htm_files2/"; nocase; fast_pattern:only; pcre:"/\x2f[((xr)_a-z)|0-9]{3,}\x2e(css|js|jpg|png|txt)$/U"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/417cb84f48d20120b92530c489e9c3ee9a9deab53fddc0dc153f1034d3c52c58/analysis/1377785686/; classtype:trojan-activity; sid:1000033; rev:3;)

You may also want to add an event_filter to it in threshold.conf such as:

event_filter gen_id 1, sig_id 1000033, type threshold, track by_src, count 20, seconds 60

Thanks.
YM

From: snort () outlook com
To: snort-sigs () lists sourceforge net
Date: Thu, 29 Aug 2013 14:33:42 +0000
Subject: [Snort-sigs] PRISM ransomware rules

Another day another ransomware. Preserved a sample of the PRISM ransomware and up to VT; low detection rate.

Rules below:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.PRISM outbound connection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/page/index.php"; nocase; http_uri; content:"foo="; nocase; http_cookie; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|"; fast_pattern:only; http_header; content:"data="; nocase; depth:5; offset:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/417cb84f48d20120b92530c489e9c3ee9a9deab53fddc0dc153f1034d3c52c58/analysis/1377785686/; classtype:trojan-activity; sid:1000031; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request for known malware domain sectempus.biz - Win.Ransomware.PRISM"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|sectempus|03|biz|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/417cb84f48d20120b92530c489e9c3ee9a9deab53fddc0dc153f1034d3c52c58/analysis/1377785686/; classtype:trojan-activity; sid:1000032; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.PRISM outbound connection attempt"; flow:to_server,established; content:"GET"; http_method; content:"/page/index_htm_files2/"; nocase; fast_pattern:only; pcre:"/\x2f[a-z_|0-9]{2,}\x2e(css|js|jpg|png)$/U"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/417cb84f48d20120b92530c489e9c3ee9a9deab53fddc0dc153f1034d3c52c58/analysis/1377785686/; classtype:trojan-activity; sid:1000033; rev:1;)

The last rule will generate several alerts since the ransomware is noisy and makes a lot of GET requests to fetch resources such as .html, .png, .jpg, .js, and .css. A pcre expression is present in an attempt to trigger on all resource GET requests instead of a rule for each. However, it looks to me that it's not the best solution. Any pointers in the right direction are welcome as always.

Thanks
Yaser

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
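As an added example (not part of the thread), the Python below mirrors the match logic of sid:1000033 rev:3 against constructed request lines and applies the semantics of the proposed event_filter, showing how the noisy rule's hits collapse into a handful of logged alerts. The ThresholdFilter class is an assumed approximation of Snort's threshold behaviour, not Snort's own code, and the sample traffic is constructed.

```python
import re
from collections import defaultdict

# sid:1000033 rev:3 URI pattern, compiled as a Python regex (Python has no Snort /U modifier;
# applying it to the full request URI is equivalent for these constructed samples). Note that
# the parentheses and the "|" inside the class are literal characters, not grouping/alternation.
URI_PCRE = re.compile(r"/[((xr)_a-z)|0-9]{3,}\.(css|js|jpg|png|txt)$")
URI_PREFIX = "/page/index_htm_files2/"   # the rule's nocase content match

def rule_1000033_matches(method, uri):
    """Approximate the rule's method, content and pcre checks on one request line."""
    return method == "GET" and URI_PREFIX in uri.lower() and URI_PCRE.search(uri) is not None

class ThresholdFilter:
    """Assumed approximation (not Snort's own code) of
    event_filter type threshold, track by_src, count N, seconds S:
    log once per N matching events from a source within an S-second window."""
    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.state = defaultdict(lambda: [None, 0])   # src -> [window_start, events_seen]

    def allow(self, src, ts):
        start, n = self.state[src]
        if start is None or ts - start > self.seconds:  # window expired: start a new one
            start, n = ts, 0
        n += 1
        if n >= self.count:                             # Nth event: log it and reset
            self.state[src] = [ts, 0]
            return True
        self.state[src] = [start, n]
        return False

def simulate(requests, count=20, seconds=60):
    """requests: (timestamp, src_ip, method, uri) tuples. Returns (rule_hits, alerts_logged)."""
    filt = ThresholdFilter(count, seconds)
    hits = logged = 0
    for ts, src, method, uri in requests:
        if rule_1000033_matches(method, uri):
            hits += 1
            if filt.allow(src, ts):
                logged += 1
    return hits, logged

# Constructed sample traffic: one host fetching 45 lock-screen resources in nine seconds,
# plus a benign request that must not match.
SAMPLE = [(i * 0.2, "192.0.2.10", "GET", f"/page/index_htm_files2/img{i:03d}.png") for i in range(45)]
SAMPLE.append((9.5, "192.0.2.10", "GET", "/index.html"))

if __name__ == "__main__":
    print(simulate(SAMPLE))   # (45, 2): 45 rule hits collapse to 2 logged alerts
```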