Snort mailing list archives
Re: Zebrocy family sigs
From: Phillip Lee <phillile () sourcefire com>
Date: Fri, 27 Apr 2018 10:48:25 -0400
Yaser, Thanks for your submission. We will review the rules and get back to you when they're finished. Can you send along the pcaps that you have? Regards, Phil Lee Cisco Talos
On Apr 27, 2018, at 10:03 AM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote: Hi, The below rules are based on the information provided by the reference. The traffic from the hashes listed below was tested against the rules. Pcap are available. # Title: Sednit update: Analysis of Zebrocy # Reference: https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/ <https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/> # Tests: pcap # Hashes: 54b14fc84f152b43c63babc46f2597b053e94627 (Delf Downloader), d379b94a3eb4fd9c9a973f64d436d7fc2e9d6762 (AutoIt Downloader), 4ccbe222bd97dc229b36efaf52520939da9d51c8 (Delf Backdoor), cdf9c24b86bc9a872035dcf3f53f380c904ed98b (Delf Backdoor) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy family Delphi downloader outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"?fort="; fast_pattern:only; http_uri; content:"pol="; http_client_body; content:"Accept-Encoding|3A 20|identity|0D 0A|"; http_header; pcre:"/\.(php|dat)\x3ffort\x3d[A-Z0-9]{8,16}/U"; metadata:ruleset community, service http; reference:url,www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/ <http://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/>; classtype:trojan-activity; sid:8000022; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy family Delphi downloader outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/protocol.php"; fast_pattern:only; http_uri; content:"porg="; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/ <http://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/>; classtype:trojan-activity; sid:8000023; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy family AutoIt downloader outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"dbgate="; fast_pattern:only; http_client_body; content:"win32="; http_client_body; metadata:ruleset community, service http; reference:url,www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/ <http://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/>; classtype:trojan-activity; sid:8000024; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy family Delphi backdoor outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"Content-Disposition: form-data|3B| name=|22|userfile|22 3B| filename=|22|"; fast_pattern:only; http_client_body; content:"Accept-Encoding|3A 20|identity|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/ <http://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/>; classtype:trojan-activity; sid:8000025; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy family bad known user-agent"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla v"; fast_pattern:only; http_header; pcre:"/User-Agent\x3a\x20Mozilla\x20v[0-9]/Hi"; metadata:ruleset community, service http; reference:url,www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/ <http://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/>; classtype:trojan-activity; sid:8000026; rev:1;) Thanks YM _______________________________________________ Snort-sigs mailing list Snort-sigs () lists snort org <mailto:Snort-sigs () lists snort org> https://lists.snort.org/mailman/listinfo/snort-sigs <https://lists.snort.org/mailman/listinfo/snort-sigs> Please visit http://blog.snort.org <http://blog.snort.org/> for the latest news about Snort! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette <https://snort.org/faq/what-is-the-mailing-list-etiquette> Visit the Snort.org <http://snort.org/> to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads <https://snort.org/downloads/#rule-downloads>">emerging threats</a>!
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists snort org https://lists.snort.org/mailman/listinfo/snort-sigs Please visit http://blog.snort.org for the latest news about Snort! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
Current thread:
- Zebrocy family sigs Y M via Snort-sigs (Apr 27)
- Re: Zebrocy family sigs Phillip Lee (Apr 27)