Snort mailing list archives
Re: Osx.Trojan.Xagent
From: Tyler Montier <tmontier () sourcefire com>
Date: Tue, 28 Feb 2017 08:25:02 -0500
Yaser, Thanks for your submission. I'll review and test this and get back to you when its finished. Since you have a pcap, can you send it my way? Tyler Montier Cisco Talos On Mon, Feb 27, 2017 at 12:54 PM, Y M <snort () outlook com> wrote:
Hello,
After trying multiple combinations, the below set of rules were the most
efficient among all the combinations I had when profiled. Pcap is available.
The rules are divided into two sets. The first is a catch-all regardless
of the URL. The second set is tailored according to each URL. In either
sets, the rules should catch (I think) both GET and POST requests; the
resulting pcap did not contain any POST requests.
First Set:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Osx.Trojan.Xagent outbound connection"; flow:to_server,established;
content:"/?"; fast_pattern:only; http_uri; content:" (unknown version) ";
http_header; content:" Darwin/"; within:30; http_header; content:"Accept|3A
20|*/*|0D 0A|"; http_header; content:"Connection|3A 20|keep-alive|0D 0A|";
http_header; pcre:"/\/(search|find|results|open|search|close|watch)\/\x3f[a-zA-Z]{2,8}\x3d/U";
content:!"Referer"; http_header; content:!"Cookie"; http_header;
metadata:ruleset community, service http; reference:url,http://
contagiodump.blogspot.com/2017/02/russian-apt-apt28-
collection-of-samples.html; reference:url,download.
bitdefender.com/resources/files/News/CaseStudies/study/
143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf;
classtype:trojan-activity; sid:1000860; rev:1;)
Or, the second Set:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Osx.Trojan.Xagent outbound connection"; flow:to_server,established;
content:"/search/?"; fast_pattern:only; http_uri; content:" (unknown
version) "; http_header; content:" Darwin/"; within:30; http_header;
content:"Accept|3A 20|*/*|0D 0A|"; http_header; content:"Connection|3A
20|keep-alive|0D 0A|"; http_header; pcre:"/\/search\/\x3f[a-zA-Z]{2,8}\x3d/U";
content:!"Referer"; http_header; content:!"Cookie"; http_header;
metadata:ruleset community, service http; reference:url,http://
contagiodump.blogspot.com/2017/02/russian-apt-apt28-
collection-of-samples.html; reference:url,download.
bitdefender.com/resources/files/News/CaseStudies/study/
143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf;
classtype:trojan-activity; sid:1000861; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Osx.Trojan.Xagent outbound connection"; flow:to_server,established;
content:"/watch/?"; fast_pattern:only; http_uri; content:" (unknown
version) "; http_header; content:" Darwin/"; within:30; http_header;
content:"Accept|3A 20|*/*|0D 0A|"; http_header; content:"Connection|3A
20|keep-alive|0D 0A|"; http_header; pcre:"/\/watch\/\x3f[a-zA-Z]{2,8}\x3d/U";
content:!"Referer"; http_header; content:!"Cookie"; http_header;
metadata:ruleset community, service http; reference:url,http://
contagiodump.blogspot.com/2017/02/russian-apt-apt28-
collection-of-samples.html; reference:url,download.
bitdefender.com/resources/files/News/CaseStudies/study/
143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf;
classtype:trojan-activity; sid:1000862; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Osx.Trojan.Xagent outbound connection"; flow:to_server,established;
content:"/open/?"; fast_pattern:only; http_uri; content:" (unknown version)
"; http_header; content:" Darwin/"; within:30; http_header;
content:"Accept|3A 20|*/*|0D 0A|"; http_header; content:"Connection|3A
20|keep-alive|0D 0A|"; http_header; pcre:"/\/open\/\x3f[a-zA-Z]{2,8}\x3d/U";
content:!"Referer"; http_header; content:!"Cookie"; http_header;
metadata:ruleset community, service http; reference:url,http://
contagiodump.blogspot.com/2017/02/russian-apt-apt28-
collection-of-samples.html; reference:url,download.
bitdefender.com/resources/files/News/CaseStudies/study/
143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf;
classtype:trojan-activity; sid:1000863; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Osx.Trojan.Xagent outbound connection"; flow:to_server,established;
content:"/find/?"; fast_pattern:only; http_uri; content:" (unknown version)
"; http_header; content:" Darwin/"; within:30; http_header;
content:"Accept|3A 20|*/*|0D 0A|"; http_header; content:"Connection|3A
20|keep-alive|0D 0A|"; http_header; pcre:"/\/find\/\x3f[a-zA-Z]{2,8}\x3d/U";
content:!"Referer"; http_header; content:!"Cookie"; http_header;
metadata:ruleset community, service http; reference:url,http://
contagiodump.blogspot.com/2017/02/russian-apt-apt28-
collection-of-samples.html; reference:url,download.
bitdefender.com/resources/files/News/CaseStudies/study/
143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf;
classtype:trojan-activity; sid:1000864; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Osx.Trojan.Xagent outbound connection"; flow:to_server,established;
content:"/results/?"; fast_pattern:only; http_uri; content:" (unknown
version) "; http_header; content:" Darwin/"; within:30; http_header;
content:"Accept|3A 20|*/*|0D 0A|"; http_header; content:"Connection|3A
20|keep-alive|0D 0A|"; http_header; pcre:"/\/results\/\x3f[a-zA-Z]{2,8}\x3d/U";
content:!"Referer"; http_header; content:!"Cookie"; http_header;
metadata:ruleset community, service http; reference:url,http://
contagiodump.blogspot.com/2017/02/russian-apt-apt28-
collection-of-samples.html; reference:url,download.
bitdefender.com/resources/files/News/CaseStudies/study/
143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf;
classtype:trojan-activity; sid:1000865; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Osx.Trojan.Xagent outbound connection"; flow:to_server,established;
content:"/close/?"; fast_pattern:only; http_uri; content:" (unknown
version) "; http_header; content:" Darwin/"; within:30; http_header;
content:"Accept|3A 20|*/*|0D 0A|"; http_header; content:"Connection|3A
20|keep-alive|0D 0A|"; http_header; pcre:"/\/close\/\x3f[a-zA-Z]{2,8}\x3d/U";
content:!"Referer"; http_header; content:!"Cookie"; http_header;
metadata:ruleset community, service http; reference:url,download.
bitdefender.com/resources/files/News/CaseStudies/study/
143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf;
classtype:trojan-activity; sid:1000866; rev:1;)
Thank you.
YM
------------------------------------------------------------
------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Visit the Snort.org to subscribe to the official Snort ruleset, make sure
to stay up to date to catch the most <a href="
https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
Current thread:
- Osx.Trojan.Xagent Y M (Feb 27)
- Re: Osx.Trojan.Xagent Tyler Montier (Feb 28)