Snort mailing list archives

Re: Win.Malware.Disttrack


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Mon, 20 Feb 2017 02:49:27 +0000

Hi,
Please go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com<mailto:allewi () cisco com>

From: "ILLG, FREDERICK C" <fi763c () att com<mailto:fi763c () att com>>
Date: Sunday, February 19, 2017 at 8:38 PM
To: 'Y M' <snort () outlook com<mailto:snort () outlook com>>, "snort-sigs () lists sourceforge net<mailto:snort-sigs 
() lists sourceforge net>" <snort-sigs () lists sourceforge net<mailto:snort-sigs () lists sourceforge net>>
Subject: Re: [Snort-sigs] Win.Malware.Disttrack

Please remove me from the email distro.

Thank you!

Frederick Illg
Senior Specialist, Technology Security
Global Emerging Services - Security & Advanced Applications
AT&T Services, Inc.

From: Y M [mailto:snort () outlook com]
Sent: Sunday, February 19, 2017 12:52 AM
To: snort-sigs <snort-sigs () lists sourceforge net<mailto:snort-sigs () lists sourceforge net>>
Subject: [Snort-sigs] Win.Malware.Disttrack


Hello,

The below signatures address the following hashes and the observed C&C traffic. Pcaps and samples should be publicly available. If not, please let me know.

- f4d18316e367a80e1005f38445421b1f
- 45b0e5a457222455384713905f886bd4
- ce25f1597836c28cf415394fb350ae93
- 1b5e33e5a244d2d67d7a09c4ccf16e56
- 03ea9457bf71d51d8109e737158be888
- 19cea065aa033f5bcfa94a583ae59c08
- ecfc0275c7a73a9c7775130ebca45b74
- 43fad2d62bc23ffdc6d301571135222c

These were part of the analysis covered here:  
https://securityintelligence.com/the-full-shamoon-how-the-devastating-malware-was-inserted-into-networks/

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Malware.Disttrack second stage payload download response"; flow:to_client,established; content:"Content-type|3A 20|text/html|0D 0A 0D 0A|"; file_data; content:"powershell.exe"; nocase; content:"hidden"; nocase; within:50; content:!"Content-Length"; nocase; content:!"Connection"; nocase; content:!"Location"; nocase; metadata:ruleset community, service http; classtype:trojan-activity; sid:1000849; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Malware.Disttrack third stage payload download response"; flow:to_client,established; content:"Content-type|3A 20|application/octet-stream|0D 0A 0D 0A|"; file_data; content:"function Invoke-ReflectivePEInjection"; nocase; content:!"Content-Length"; nocase; content:!"Connection"; nocase; content:!"Location"; nocase; metadata:ruleset community, service http; classtype:trojan-activity; sid:1000850; rev:1;)

The below rules were simulated in the lab to detect the first stage payload documents in transit. Notes:

1. The first two rules are replicas of sid:26083 and sid:26084 respectively, with the modifications to look for .xlsm 
instead of .xlsx.
2. sid: 36611 triggered nicely on the suspected traffic.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Office Excel macro-enabled file download request"; flow:to_server,established; content:".xlsm"; fast_pattern:only; http_uri; pcre:"/\x2exlsm([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xlsm; metadata:service http; classtype:misc-activity; sid:1000851; rev:1;)

alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office Excel macro-enabled file attachment detected"; flow:to_client,established; content:".xlsm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exlsm/i"; flowbits:set,file.xlsm; metadata:service imap, service pop3; classtype:misc-activity; sid:1000852; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office Excel macro-enabled file download response"; flow:to_client,established; content:"Content-Type|3A 20|application/vnd.ms-excel.sheet.macroEnabled"; fast_pattern:only; http_header; file_data; content:"|50 4B 03 04|"; depth:4; flowbits:set,file.xlsm; metadata:service http; classtype:misc-activity; sid:1000853; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office OLE CF file download response"; flow:to_client,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; fast_pattern; flowbits:set,file.olecf; metadata:service http; classtype:misc-activity; sid:1000854; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Microsoft Office OLE CF file with PowerShell content download"; flow:to_client,established; flowbits:isset,file.olecf; file_data; content:"-window"; content:"hidden"; within:15; content:"powershell.exe"; metadata:service http; classtype:misc-activity; sid:1000855; rev:1;)

Thank you.
YM
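To see how the content options in the rules above (sid:1000849 and sid:1000854) behave on sample traffic before loading them into a sensor, here is an added example that is not part of the thread and not Snort's engine: a small Python evaluator for the subset of rule options these rules use (content with ! negation, nocase, within, depth and file_data), run against constructed HTTP responses. The evaluator's buffer semantics are a simplified model of Snort's: a content with no within/distance searches the whole current buffer, file_data switches the buffer to the response body, and every later content, negated ones included, examines only that body. The sample responses are constructed, not captured traffic.

```python
"""Minimal Snort content-option evaluator (added example, not Snort's engine).

Models: content (with ! negation), nocase, within, depth, file_data.
Everything else (flow, flowbits, metadata, pcre, http_*) is parsed and ignored.
"""
import re

# Rules sid:1000849 and sid:1000854 from the post, each joined onto one line.
RULE_1000849 = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Malware.Disttrack '
    'second stage payload download response"; flow:to_client,established; '
    'content:"Content-type|3A 20|text/html|0D 0A 0D 0A|"; file_data; content:"powershell.exe"; '
    'nocase; content:"hidden"; nocase; within:50; content:!"Content-Length"; nocase; '
    'content:!"Connection"; nocase; content:!"Location"; nocase; '
    'metadata:ruleset community, service http; classtype:trojan-activity; sid:1000849; rev:1;)'
)
RULE_1000854 = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office '
    'OLE CF file download response"; flow:to_client,established; file_data; '
    'content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; fast_pattern; flowbits:set,file.olecf; '
    'metadata:service http; classtype:misc-activity; sid:1000854; rev:1;)'
)

OPTION_RE = re.compile(r'([a-z_]+)(?::([^;]*))?;')
CONTENT_MODIFIERS = ('nocase', 'within', 'depth', 'fast_pattern')


def snort_bytes(text):
    """Convert a Snort content string such as 'a|3A 20|b' into bytes."""
    out = b''
    for i, part in enumerate(text.split('|')):
        if i % 2 == 1:                      # odd segments are hex byte lists
            out += bytes.fromhex(part.replace(' ', ''))
        else:
            out += part.encode('latin-1')
    return out


def parse_options(rule):
    """Return the (keyword, value) pairs between the rule's parentheses."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    return OPTION_RE.findall(body)


def evaluate(rule, response):
    """Apply the rule's content checks to one raw HTTP response; True means 'would alert'."""
    opts = parse_options(rule)
    buf, cursor, i = response, 0, 0
    while i < len(opts):
        key, val = opts[i]
        i += 1
        if key == 'file_data':
            # Switch to the response body; later contents examine only this buffer.
            sep = buf.find(b'\r\n\r\n')
            buf = buf[sep + 4:] if sep != -1 else b''
            cursor = 0
        elif key == 'content':
            negated = val.startswith('!')
            pattern = snort_bytes(val.lstrip('!').strip('"'))
            mods = {}
            while i < len(opts) and opts[i][0] in CONTENT_MODIFIERS:
                mods[opts[i][0]] = opts[i][1]
                i += 1
            # Only within makes the search relative to the previous match end.
            start = cursor if 'within' in mods else 0
            end = len(buf)
            if 'depth' in mods:
                end = start + int(mods['depth'])
            if 'within' in mods:
                end = cursor + int(mods['within'])
            hay, needle = buf[start:end], pattern
            if 'nocase' in mods:
                hay, needle = hay.lower(), needle.lower()
            idx = hay.find(needle)
            if negated and idx != -1:
                return False
            if not negated:
                if idx == -1:
                    return False
                cursor = start + idx + len(pattern)
    return True


# Constructed sample responses (not captured traffic). The first content of
# sid:1000849 is case-sensitive and needs Content-type as the last header.
HTML_HEADERS = b'HTTP/1.1 200 OK\r\nServer: constructed\r\nContent-type: text/html\r\n\r\n'
HEADERS_WITH_CL = b'HTTP/1.1 200 OK\r\nContent-Length: 60\r\nContent-type: text/html\r\n\r\n'
STAGER_BODY = b'<html>powershell.exe -window hidden -c hello</html>'
STAGER_RESPONSE = HTML_HEADERS + STAGER_BODY
BENIGN_DOCS = (HTML_HEADERS + b'<html><p>powershell.exe reference</p><p>' + b'x' * 60
               + b'</p><p>hidden fields</p></html>')          # "hidden" too far away
BODY_WITH_LOCATION = HTML_HEADERS + b'<html>powershell.exe -window hidden; Location header docs</html>'
OLE_MAGIC = b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1'
OCTET_HEADERS = b'HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n'
OLE_RESPONSE = OCTET_HEADERS + OLE_MAGIC + b'\x00' * 16
OLE_SHIFTED = OCTET_HEADERS + b'XX' + OLE_MAGIC + b'\x00' * 16  # magic outside depth:8

if __name__ == '__main__':
    for name, rule, resp in (('stager', RULE_1000849, STAGER_RESPONSE),
                             ('benign docs', RULE_1000849, BENIGN_DOCS),
                             ('cl header + stager', RULE_1000849, HEADERS_WITH_CL + STAGER_BODY),
                             ('ole', RULE_1000854, OLE_RESPONSE),
                             ('ole shifted', RULE_1000854, OLE_SHIFTED)):
        print(f'{name:20s} sid {rule.split("sid:")[1].split(";")[0]}: {evaluate(rule, resp)}')
```

Two behaviours worth checking in the output: the within:50 on "hidden" is what keeps a documentation page that merely mentions both words from alerting, and because the three negated contents come after file_data, a Content-Length header in the response does not suppress the alert in this model; only the body is examined at that point.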



