Snort mailing list archives
Re: More information on the rule - sid:31557
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Thu, 29 Jan 2015 22:06:21 +0000
We’ve just released a new version of this rule, I suggest an update to the ruleset. That being said, please see below.
On Jan 29, 2015, at 1:49 PM, Irish Settingg <irishsetting () gmail com> wrote: Signature - BLACKLIST USER-AGENT known malicious user-agent string - Mozilla/5.0 - Win.Trojan.Upatre. The previous rule was - Rev 2: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST USER-AGENT known malicious user-agent string - Mozilla/5.0 - Win.Backdoor.Andromeda"; flow:to_server,established; content:"/2507US-1/"; http_uri; content:"User-Agent|3A| Mozilla/5.0|0D 0A|"; fast_pattern:5,20; nocase; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url, www.virustotal.com/en/file/51b3f93d8ebd83fb01306c8797f50b01d14d2c0c9d861782dcca4b4dfbf80cc3/analysis/ <http://www.virustotal.com/en/file/51b3f93d8ebd83fb01306c8797f50b01d14d2c0c9d861782dcca4b4dfbf80cc3/analysis/>; classtype:trojan-activity; sid:31557; rev:2; ) The current rule is- Rev 3: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST USER-AGENT known malicious user-agent string - Mozilla/5.0 - Win.Trojan.Upatre"; flow:to_server,established; content:"User-Agent|3A| Mozilla/5.0|0D 0A|"; fast_pattern:5,20; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url, www.virustotal.com/en/file/51b3f93d8ebd83fb01306c8797f50b01d14d2c0c9d861782dcca4b4dfbf80cc3/analysis/ <http://www.virustotal.com/en/file/51b3f93d8ebd83fb01306c8797f50b01d14d2c0c9d861782dcca4b4dfbf80cc3/analysis/>; classtype:trojan-activity; sid:31557; rev:3; )Please tell us the reason of change in Contents-
The URI was removed as it deals with a specific campaign and country (see the 2507US? 2507 = campaign number for the malware install, US = country). So that doesn’t do us any good if we want to detect all the variants that user that User-Agent.
Win.Trojan.Upatre as per multiple websites doesnot do anything wherein it hides or strips the User-agent (Though I am sure it could have the option of doing it) Connections observed in the network is from internal machine to -http://search.msdn.microsoft.com/favicon.ico <http://search.msdn.microsoft.com/favicon.ico> or http://download.virtualbox.org/virtualbox/4.3.20/Oracle_VM_VirtualBox_Extension_Pack-4.3.20.vbox-extpack <http://download.virtualbox.org/virtualbox/4.3.20/Oracle_VM_VirtualBox_Extension_Pack-4.3.20.vbox-extpack>The only part which is suspicious is the user agent -User-Agent: Mozilla/5.0 I have not seen any browser to strip down the user agent in such a way that only the Platform is visible.Normal User agents are -Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
The whole User Agent that Upatre uses (in this example, there are a bunch of different user agents that Upatre uses), is Mozilla/5.0, which, as you indicate above, is not a real “browser-based” user-agent. Long story short, update the ruleset, we just released an update. -- Joel Esler Open Source Manager Threat Intelligence Team Lead Talos
Attachment:
smime.p7s
Description:
------------------------------------------------------------------------------ Dive into the World of Parallel Programming. The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- More information on the rule - sid:31557 Irish Settingg (Jan 29)
- Re: More information on the rule - sid:31557 Joel Esler (jesler) (Jan 29)
- Re: More information on the rule - sid:31557 Irish Settingg (Jan 29)
- Re: More information on the rule - sid:31557 Joel Esler (jesler) (Jan 29)
- Re: More information on the rule - sid:31557 Irish Settingg (Jan 29)
- Re: More information on the rule - sid:31557 Joel Esler (jesler) (Jan 29)