Snort mailing list archives
Re: [Emerging-Sigs] Wirelurker A and B
From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 06 Nov 2014 13:35:21 -0700
On 2014-11-06 13:16, rmkml wrote:
Thx James and James ;) Maybe add http_header please ? Regards @Rmkml On Thu, 6 Nov 2014, James Espinosa wrote:Thanks, James! I believe there should be a space between the User-Agent|3A| and globalupdate (at least it appears that way in the report). Can I suggest the following as a fix? alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC OSX.Trojan.Wirelurker.AB"; flow:to_server,established; content:"User-Agent|3A| globalupdate"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference: url,researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware; classtype:trojan-activity; sid:10000138; rev:1;) Thanks, james espinosa security researcher 847.497.5237 @ jamesejr.com On Thu, Nov 6, 2014 at 10:47 AM, James Lay <jlay () slave-tothe-box net> wrote: May help someone somewhere...a quick search of http://www.ua-tracker.com/ showed no known UA with globalupdate, so I figured I'd just look for that and be done with it. alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC OSX.Trojan.Wirelurker.AB"; flow:to_server,established; content:"User-Agent|3A|globalupdate"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference: url,researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware; classtype:trojan-activity; sid:10000138; rev:1;) Rev C uses encrypted channels, so uh...hope you don't get C. As always fixes are welcome. James _______________________________________________ Emerging-sigs mailing list Emerging-sigs () lists emergingthreats net https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
Heh...thanks James and @Rmkml...good catch to both: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC OSX.Trojan.Wirelurker.AB"; flow:to_server,established; content:"User-Agent|3A| globalupdate"; http_header; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference: url,researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware; classtype:trojan-activity; sid:10000138; rev:1;) James ------------------------------------------------------------------------------ _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Wirelurker A and B James Lay (Nov 06)
- Re: [Emerging-Sigs] Wirelurker A and B James Espinosa (Nov 06)
- Re: [Emerging-Sigs] Wirelurker A and B rmkml (Nov 06)
- Re: [Emerging-Sigs] Wirelurker A and B James Lay (Nov 06)
- Re: [Emerging-Sigs] Wirelurker A and B rmkml (Nov 06)
- Re: [Emerging-Sigs] Wirelurker A and B James Espinosa (Nov 06)