Snort mailing list archives
APT - Backdoor:W32/Wonknu.A
From: Lenny Hansson <security () netcowboy dk>
Date: Thu, 26 Nov 2015 17:56:31 +0100
F-Secure have released information about Backdoor:W32/Wonknu.A which is believed to be a state sponsored targeted attack.

Link: https://labsblog.f-secure.com/2015/11/24/wonknu-a-spy-for-the-3rd-asean-us-summit/

I have created 8 IDS Rules based on the information from F-Secure. I don't believe that the rules can be used for anything other than the replay of traffic from the period around 21 November 2015.

If anyone knows the serial number of the certificate that has been used in the attack - please contact me.

Feel free to use them

---------------------------------------------------------------------
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NF - APT - W32/Wonknu.A"; flow:to_server,established; content:"GET"; depth:3; nocase; http_method; content:"Meeting.rar"; nocase; http_uri; content:"arc.asean.org"; nocase; http_header; reference:url,http://networkforensic.dk/; reference:url,https://labsblog.f-secure.com/2015/11/24/wonknu-a-spy-for-the-3rd-asean-us-summit/; metadata:26112015 Priority:1; sid:5019101; rev:1;)

alert tcp $HOME_NET any -> 43.240.119.35 $HTTP_PORTS (msg:"NF - APT - W32/Wonknu.A"; flow:to_server,established; content:"GET"; depth:3; nocase; http_method; content:"/arc/Jquery.js"; nocase; http_uri; reference:url,http://networkforensic.dk/; reference:url,https://labsblog.f-secure.com/2015/11/24/wonknu-a-spy-for-the-3rd-asean-us-summit/; metadata:26112015 Priority:1; sid:5019102; rev:1;)

alert tcp $HOME_NET any -> 178.79.181.246 $HTTP_PORTS (msg:"NF - APT - W32/Wonknu.A"; flow:to_server,established; content:"GET"; depth:3; nocase; http_method; content:"/microsoft/Java_Down.exe"; nocase; http_uri; reference:url,http://networkforensic.dk/; reference:url,https://labsblog.f-secure.com/2015/11/24/wonknu-a-spy-for-the-3rd-asean-us-summit/; metadata:26112015 Priority:1; sid:5019103; rev:1;)

alert tcp $HOME_NET any -> 178.79.181.246 $HTTP_PORTS (msg:"NF - APT - W32/Wonknu.A"; flow:to_server,established; content:"GET"; depth:3; nocase; http_method; content:"/microsoft/jquery.js"; nocase; http_uri; reference:url,http://networkforensic.dk/; reference:url,https://labsblog.f-secure.com/2015/11/24/wonknu-a-spy-for-the-3rd-asean-us-summit/; metadata:26112015 Priority:1; sid:5019104; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NF - APT - W32/Wonknu.A"; flow:to_server,established; content:"GET"; depth:3; nocase; http_method; content:"/java/javaws.exe"; nocase; http_uri; content:"sft.spiritaero.com"; nocase; http_header; reference:url,http://networkforensic.dk/; reference:url,https://labsblog.f-secure.com/2015/11/24/wonknu-a-spy-for-the-3rd-asean-us-summit/; metadata:26112015 Priority:1; sid:5019105; rev:1;)

# DNS rules: the first 10 bytes after the transaction ID are a standard query header (flags 0x0100, QDCOUNT 1).
# The QNAME content is the length-prefixed wire form of the host named in the msg; the posted rules carried
# |08|abuhmaid|03|net|00| in both, which did not match the names in their own msg fields.
alert udp $HOME_NET any -> any 53 (msg:"NF - APT - W32/Wonknu.A - DNS Lookup (sft.spiritaero.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|sft|0a|spiritaero|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,http://networkforensic.dk/; reference:url,https://labsblog.f-secure.com/2015/11/24/wonknu-a-spy-for-the-3rd-asean-us-summit/; metadata:26112015 Priority:1; sid:5019106; rev:1;)

alert udp $HOME_NET any -> any 53 (msg:"NF - APT - W32/Wonknu.A - DNS Lookup (arc.asean.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|arc|05|asean|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,http://networkforensic.dk/; reference:url,https://labsblog.f-secure.com/2015/11/24/wonknu-a-spy-for-the-3rd-asean-us-summit/; metadata:26112015 Priority:1; sid:5019107; rev:1;)

alert tcp $HOME_NET any -> 43.240.119.40 443 (msg:"NF - APT - W32/Wonknu.A - TCP Connection to malware site"; flow:to_server,established; detection_filter:track by_src, count 2, seconds 30; reference:url,http://networkforensic.dk/; reference:url,https://labsblog.f-secure.com/2015/11/24/wonknu-a-spy-for-the-3rd-asean-us-summit/; metadata:26112015 Priority:1; sid:5019108; rev:1;)
---------------------------------------------------------------------

Best Regards
Lenny Hansson
Web: networkforensic.dk
E-mail: security () netcowboy dk
Key-ID: 1527E63D
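An added example, not part of Lenny Hansson's post or his rule set: it encodes a hostname into the length-prefixed QNAME form the DNS rules (sid 5019106/5019107) use as their content string, and checks a constructed DNS query against that rule's layout (10 header bytes at offset 2, then the QNAME, case-insensitive). Function names are this example's own.

```python
"""Snort DNS-lookup rule helper (added example; constructed sample input, no network I/O)."""
import struct

# Bytes 2..11 of a standard query: flags 0x0100 (RD), QDCOUNT=1, AN/NS/AR=0.
# This is the content the rules match with offset:2 depth:10.
DNS_QUERY_HEADER_TAIL = bytes.fromhex("01000001000000000000")


def _labels(hostname: str) -> list:
    labels = hostname.rstrip(".").split(".")
    for label in labels:
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad DNS label {label!r}")
    return labels


def qname_wire(hostname: str) -> bytes:
    """DNS wire-format name: each label prefixed by its length, ended by a NUL."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in _labels(hostname)) + b"\x00"


def snort_content(hostname: str) -> str:
    """Render the QNAME as a Snort content string, e.g. |03|arc|05|asean|03|org|00|."""
    return "".join(f"|{len(l):02x}|{l}" for l in _labels(hostname)) + "|00|"


def build_dns_query(hostname: str, txid: int = 0x1234) -> bytes:
    """Constructed A-record query: TXID, header tail, QNAME, QTYPE=A, QCLASS=IN."""
    return struct.pack("!H", txid) + DNS_QUERY_HEADER_TAIL + qname_wire(hostname) + struct.pack("!HH", 1, 1)


def rule_matches(payload: bytes, hostname: str) -> bool:
    """Mimic the rule: header tail at offset 2 / depth 10, then the QNAME after it (distance:0, nocase)."""
    if payload[2:12] != DNS_QUERY_HEADER_TAIL:
        return False
    # nocase only affects ASCII letters; length bytes are left untouched by lower().
    return qname_wire(hostname).lower() in payload[12:].lower()


if __name__ == "__main__":
    for host in ("sft.spiritaero.com", "arc.asean.org"):
        print(host, "->", snort_content(host), rule_matches(build_dns_query(host), host))
```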