Re: More information on the rule - sid:31557

[Irish Settingg <irishsetting () gmail com>]

Is the rev number 4 for this rule ....the new one

On 30 January 2015 at 03:36, Joel Esler (jesler) <jesler () cisco com> wrote:

> We’ve just released a new version of this rule, I suggest an update to the
> ruleset.
>
> That being said, please see below.
>
> On Jan 29, 2015, at 1:49 PM, Irish Settingg <irishsetting () gmail com>
> wrote:
>
> Signature - BLACKLIST USER-AGENT known malicious user-agent string -
> Mozilla/5.0 - Win.Trojan.Upatre.
>
> The previous rule was -
>
> Rev 2: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"BLACKLIST USER-AGENT known malicious user-agent string - Mozilla/5.0
> - Win.Backdoor.Andromeda"; flow:to_server,established; content:"/2507US-1/";
> http_uri; content:"User-Agent|3A| Mozilla/5.0|0D 0A|"; fast_pattern:5,20;
> nocase; http_header; metadata:policy balanced-ips drop, policy security-ips
> drop, service http; reference:url,
> www.virustotal.com/en/file/51b3f93d8ebd83fb01306c8797f50b01d14d2c0c9d861782dcca4b4dfbf80cc3/analysis/;
> classtype:trojan-activity; sid:31557; rev:2; )
>
>
> The current rule is-
>
>
> Rev 3: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"BLACKLIST USER-AGENT known malicious user-agent string - Mozilla/5.0
> - Win.Trojan.Upatre"; flow:to_server,established; content:"User-Agent|3A|
> Mozilla/5.0|0D 0A|"; fast_pattern:5,20; nocase; http_header;
> metadata:impact_flag red, policy balanced-ips drop, policy security-ips
> drop, service http; reference:url,
> www.virustotal.com/en/file/51b3f93d8ebd83fb01306c8797f50b01d14d2c0c9d861782dcca4b4dfbf80cc3/analysis/;
> classtype:trojan-activity; sid:31557; rev:3; )
>
> > > Please tell us the reason of change in Contents-
>
>
> The URI was removed as it deals with a specific campaign and country (see
> the 2507US?  2507 = campaign number for the malware install, US =
> country).  So that doesn’t do us any good if we want to detect all the
> variants that user that User-Agent.
>
>
> > > Win.Trojan.Upatre as per multiple websites doesnot do anything wherein
> it hides or strips the User-agent (Though I am sure it could have the
> option of doing it)
> > > Connections observed in the network is from internal machine to -
> http://search.msdn.microsoft.com/favicon.ico or
>
>
> http://download.virtualbox.org/virtualbox/4.3.20/Oracle_VM_VirtualBox_Extension_Pack-4.3.20.vbox-extpack
>
>
> > > The only part which is suspicious is the user agent -
>
>
> User-Agent: Mozilla/5.0
> I have not seen any browser to strip down the user agent in such a way
> that only the Platform is visible.
>
> > > Normal User agents are -
>
> Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
>
>
> The whole User Agent that Upatre uses (in this example, there are a bunch
> of different user agents that Upatre uses), is Mozilla/5.0, which, as you
> indicate above, is not a *real* “browser-based” user-agent.
>
>
>
> Long story short, update the ruleset, we just released an update.
>
> --
> *Joel Esler*
> Open Source Manager
> Threat Intelligence Team Lead
> Talos
------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!