Snort mailing list archives

Re: More information on the rule - sid:31557


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Thu, 29 Jan 2015 22:06:21 +0000

We’ve just released a new version of this rule, I suggest an update to the ruleset.

That being said, please see below.

On Jan 29, 2015, at 1:49 PM, Irish Settingg <irishsetting () gmail com> wrote:

Signature - BLACKLIST USER-AGENT known malicious user-agent string - Mozilla/5.0 - Win.Trojan.Upatre.


The previous rule was - 

Rev 2: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST USER-AGENT known malicious user-agent string - Mozilla/5.0 - Win.Backdoor.Andromeda"; flow:to_server,established; content:"/2507US-1/"; http_uri; content:"User-Agent|3A| Mozilla/5.0|0D 0A|"; fast_pattern:5,20; nocase; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/51b3f93d8ebd83fb01306c8797f50b01d14d2c0c9d861782dcca4b4dfbf80cc3/analysis/; classtype:trojan-activity; sid:31557; rev:2;)

 
The current rule is -

Rev 3: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST USER-AGENT known malicious user-agent string - Mozilla/5.0 - Win.Trojan.Upatre"; flow:to_server,established; content:"User-Agent|3A| Mozilla/5.0|0D 0A|"; fast_pattern:5,20; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/51b3f93d8ebd83fb01306c8797f50b01d14d2c0c9d861782dcca4b4dfbf80cc3/analysis/; classtype:trojan-activity; sid:31557; rev:3;)


Please tell us the reason for the change in contents -

The URI was removed as it deals with a specific campaign and country (see the 2507US? 2507 = campaign number for the malware install, US = country). So that doesn’t do us any good if we want to detect all the variants that use that User-Agent.


Win.Trojan.Upatre, as per multiple websites, does not do anything wherein it hides or strips the User-Agent (though I am sure it could have the option of doing it).
Connections observed in the network are from an internal machine to -
http://search.msdn.microsoft.com/favicon.ico or
http://download.virtualbox.org/virtualbox/4.3.20/Oracle_VM_VirtualBox_Extension_Pack-4.3.20.vbox-extpack

The only part which is suspicious is the user agent - 

User-Agent: Mozilla/5.0

I have not seen any browser strip down the user agent in such a way that only the platform is visible.

Normal User agents are - 
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

The whole User-Agent that Upatre uses (in this example; there are a bunch of different user agents that Upatre uses) is Mozilla/5.0, which, as you indicate above, is not a real “browser-based” user-agent.



Long story short, update the ruleset, we just released an update.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
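As an added example (not from the thread, from Talos, or from Snort itself): a small Python harness that reproduces the rev 2 versus rev 3 logic of sid:31557 on constructed HTTP requests, showing why a bare "Mozilla/5.0" header hits under rev 3 without the campaign URI while a full browser string never matches. The function names and sample requests are my own.

```python
import re

# The rule's content match "User-Agent|3A| Mozilla/5.0|0D 0A|" with nocase,
# as a regex: the header line must be exactly "User-Agent: Mozilla/5.0" and
# be followed immediately by CRLF. A real browser UA such as
# "Mozilla/5.0 (compatible; MSIE 9.0; ...)" therefore cannot match.
UA_PATTERN = re.compile(rb"User-Agent: Mozilla/5\.0\r\n", re.IGNORECASE)

# Rev 2 additionally required this campaign-specific path (http_uri buffer).
REV2_URI = b"/2507US-1/"

def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, uri, header_block)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    return method, uri, headers + b"\r\n"  # restore CRLF after the last header

def matches_rev2(raw: bytes) -> bool:
    """sid:31557 rev:2 - needs both the campaign URI and the bare User-Agent."""
    _m, uri, headers = parse_request(raw)
    return REV2_URI in uri and UA_PATTERN.search(headers) is not None

def matches_rev3(raw: bytes) -> bool:
    """sid:31557 rev:3 - URI constraint dropped; only the User-Agent line counts."""
    _m, _uri, headers = parse_request(raw)
    return UA_PATTERN.search(headers) is not None

# Constructed sample requests (hypothetical, not captured traffic).
SAMPLES = {
    "bare_ua_favicon": (
        b"GET /favicon.ico HTTP/1.1\r\nHost: search.msdn.microsoft.com\r\n"
        b"User-Agent: Mozilla/5.0\r\n\r\n"),
    "bare_ua_campaign_uri": (
        b"GET /2507US-1/ HTTP/1.1\r\nHost: example.invalid\r\n"
        b"user-agent: mozilla/5.0\r\n\r\n"),  # lower case still hits (nocase)
    "normal_browser": (
        b"GET /favicon.ico HTTP/1.1\r\nHost: search.msdn.microsoft.com\r\n"
        b"User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\r\n\r\n"),
}

def evaluate(samples=SAMPLES):
    """Return {name: (rev2_hit, rev3_hit)} for every sample request."""
    return {name: (matches_rev2(req), matches_rev3(req)) for name, req in samples.items()}

if __name__ == "__main__":
    for name, (r2, r3) in evaluate().items():
        print(f"{name:24s} rev2={r2!s:5s} rev3={r3}")
```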

