Re: Win.Trojan.Proxysvc

[Phillip Lee <phillile () sourcefire com>]

Yaser,

Thanks for your submission. We will review the rules and get back to you when they're finished. 

Regards,
Phil Lee
Cisco Talos

> On Apr 27, 2018, at 10:13 AM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote:
>
> Hi,
>
> I was not able to find information to write signatures of the TLS traffic. However, the malware listener accepts 
> rather unique HTTP traffic according to the analysis in the reference. No pcaps available.
>
> # Title: Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide
> # Reference: 
> https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/ 
> <https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/>
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Proxysvc listener inbound execute command"; 
> flow:to_server,established; content:"Content-Type|3A 20|8U7y3Ju387mVp49A"; fast_pattern:only; http_header; 
> content:"Content-Length"; http_header; metadata:ruleset community, service http; 
> reference:url,securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/
>  
> <http://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/>;
>  classtype:trojan-activity; sid:8000019; rev:1;)
>
> Thanks.
> YM
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists snort org <mailto:Snort-sigs () lists snort org>
> https://lists.snort.org/mailman/listinfo/snort-sigs <https://lists.snort.org/mailman/listinfo/snort-sigs>
>
> Please visit http://blog.snort.org <http://blog.snort.org/> for the latest news about Snort!
>
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette 
> <https://snort.org/faq/what-is-the-mailing-list-etiquette>
>
> Visit the Snort.org <http://snort.org/> to subscribe to the official Snort ruleset, make sure to stay up to date to 
> catch the most <a href=" https://snort.org/downloads/#rule-downloads 
> <https://snort.org/downloads/#rule-downloads>">emerging threats</a>!

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!