Snort mailing list archives

Re: Win.Trojan.KopiLuwak Turla JS


From: Tyler Montier <tmontier () sourcefire com>
Date: Tue, 14 Feb 2017 10:37:51 -0500

Yaser,

Thanks for your submission. We will review and test the rules and get back
to you when they're finished.

Sincerely,

Tyler Montier
Cisco Talos

On Tue, Feb 14, 2017 at 5:30 AM, Y M <snort () outlook com> wrote:

Hello,


The below signatures were derived from the article in the reference. Since
there are no pcaps available, the below assumptions/thoughts were made.


1. For the first rule, it is assumed that the custom User-Agent ends with
\x0d\x0a. It also may be a better idea to have the pcre as
"[A-Z0-9a-z]{32}", but it is written to avoid ambi

2. To avoid pcre, individual signatures were created per HTTP response.
Perhaps it is better to combine all of them with pcre.

3. The HTTP response body does not end/contain any line terminators.


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.KopiLuwak JS outbound request"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"Mozilla/5.0 (Windows NT 6.1|3B| Win64|3B| x64)|3B| "; fast_pattern:only; http_header; pcre:"/[0-9]{16}[A-Z0-9a-z]{16}\x0d\x0a$/mR"; flowbits:set,kopiluwak.js.out; flowbits:noalert; metadata:ruleset community, service http; reference:url,securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/; classtype:trojan-activity; sid:1000828; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.KopiLuwak JS inbound response"; flow:to_client,established; flowbits:isset,kopiluwak.js.out; content:"Content-Length|3A 20|4|0D 0A|"; http_header; file_data; content:"good"; depth:4; isdataat:!0,relative; metadata:ruleset community, service http; reference:url,securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/; classtype:trojan-activity; sid:1000829; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.KopiLuwak JS inbound response"; flow:to_client,established; flowbits:isset,kopiluwak.js.out; content:"Content-Length|3A 20|4|0D 0A|"; http_header; file_data; content:"exit"; depth:4; isdataat:!0,relative; metadata:ruleset community, service http; reference:url,securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/; classtype:trojan-activity; sid:1000830; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.KopiLuwak JS inbound response"; flow:to_client,established; flowbits:isset,kopiluwak.js.out; content:"Content-Length|3A 20|4|0D 0A|"; http_header; file_data; content:"work"; depth:4; isdataat:!0,relative; metadata:ruleset community, service http; reference:url,securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/; classtype:trojan-activity; sid:1000831; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.KopiLuwak JS inbound response"; flow:to_client,established; flowbits:isset,kopiluwak.js.out; content:"Content-Length|3A 20|4|0D 0A|"; http_header; file_data; content:"fail"; depth:4; isdataat:!0,relative; metadata:ruleset community, service http; reference:url,securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/; classtype:trojan-activity; sid:1000832; rev:1;)

Thanks.

YM

------------------------------------------------------------
------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure
to stay up to date to catch the most <a href="
https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
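Added illustration, not part of the submission above or of the Talos review: the Python below re-implements the matching logic of the five rules over constructed HTTP messages, including the flowbit dependency that makes the inbound rules fire only after a matching outbound request. The sample request, response and hostname are made up for this script.

```python
import re

# Constructed sample traffic for this script (not taken from the Securelist article).
SAMPLE_REQUEST = (
    b"POST /update/check.php HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64); "
    b"1234567890123456AbCdEf0123456789\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 4\r\n\r\nwork"

# Mirrors the http_header content of sid:1000828 ("|3B|" is ';') followed by its
# relative pcre /[0-9]{16}[A-Z0-9a-z]{16}\x0d\x0a/ (the User-Agent ends with CRLF).
UA_PATTERN = re.compile(
    rb"Mozilla/5\.0 \(Windows NT 6\.1; Win64; x64\); [0-9]{16}[A-Za-z0-9]{16}\r\n"
)
COMMANDS = (b"good", b"exit", b"work", b"fail")  # one inbound rule per keyword

def split_http(msg: bytes):
    """Return (start line, header block, body) of a raw HTTP message."""
    head, _, body = msg.partition(b"\r\n\r\n")
    start, _, headers = head.partition(b"\r\n")
    return start, headers + b"\r\n", body  # keep the CRLF after the last header

def outbound_matches(request: bytes) -> bool:
    """sid:1000828: POST method, '.php' in the URI, tagged User-Agent in headers."""
    start, headers, _ = split_http(request)
    parts = start.split(b" ")
    if len(parts) < 2 or parts[0] != b"POST" or b".php" not in parts[1]:
        return False
    return UA_PATTERN.search(headers) is not None

def inbound_command(response: bytes):
    """sid:1000829-1000832: Content-Length 4 and a body that is exactly one keyword."""
    _, headers, body = split_http(response)
    if b"Content-Length: 4\r\n" not in headers:
        return None
    # content depth:4 plus isdataat:!0,relative => nothing may follow the keyword
    return body if body in COMMANDS else None

def check_session(request: bytes, response: bytes):
    """Emulate the flowbit: the response alerts only after a matching request."""
    if not outbound_matches(request):  # flowbits:set,kopiluwak.js.out
        return None
    cmd = inbound_command(response)    # flowbits:isset,kopiluwak.js.out
    return None if cmd is None else "KopiLuwak JS inbound response (" + cmd.decode() + ")"
```

Note that the script, like the rules, treats a body of `work\r\n` as a miss, which is the point of assumption 3 in the submission.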
