Snort mailing list archives
Win.Malware.Disttrack
From: Y M <snort () outlook com>
Date: Fri, 10 Feb 2017 09:45:05 +0000
Hello, The below signatures are derived from the article in the reference. There is a hardcoded User-Agent with HTTP "parameters". It is not clear whether these parameters are HTTP URL or Body parameters. There is also a mention of a specific domain. The rules have been sanity checked only. No pcaps available. alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Malware.Disttrack variant outbound connection"; flow:to_server,established; content:"commandid="; nocase; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Mozilla/5.0 (Windows NT 6.3|3B| Trident/7.0|3B| rv:11) like Gecko|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,blog.vectranetworks.com/blog/an-analysis-of-the-shamoon-2-malware-attack; classtype:trojan-activity; sid:1000825; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Malware.Disttrack variant outbound connection"; flow:to_server,established; content:"commandid="; nocase; fast_pattern:only; http_client_body; content:"User-Agent|3A 20|Mozilla/5.0 (Windows NT 6.3|3B| Trident/7.0|3B| rv:11) like Gecko|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,blog.vectranetworks.com/blog/an-analysis-of-the-shamoon-2-malware-attack; classtype:trojan-activity; sid:1000826; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain update.winappupdater.com - Win.Malware.Disttrack"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|update|0D|winappupdater|03|com|00|"; fast_pattern:only; metadata:ruleset community, service dns; reference:url,blog.vectranetworks.com/blog/an-analysis-of-the-shamoon-2-malware-attack; classtype:trojan-activity; sid:1000827; rev:1;) Thank you. YM
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
Current thread:
- Win.Malware.Disttrack Y M (Feb 10)
- Re: Win.Malware.Disttrack Tyler Montier (Feb 10)
- Re: Win.Malware.Disttrack Y M (Feb 10)
- <Possible follow-ups>
- Win.Malware.Disttrack Y M (Feb 18)
- Re: Win.Malware.Disttrack ILLG, FREDERICK C (Feb 19)
- Re: Win.Malware.Disttrack Al Lewis (allewi) (Feb 19)
- Re: Win.Malware.Disttrack Tyler Montier (Feb 10)