[Snort-openappid] Wondershare apps detector

Y M snort at ...46...
Tue Nov 3 03:47:25 EST 2015


Hello,


32 applications of Wondershare have been tested and the below detector is created. Please feel free to modify as necessary. Per-app pcaps are available if required.


--[[
detection_name: wondershare_ap
version: 1
description: Wondershare apps for Windows. The following apps were tested
bundle_description: $VAR1 = {
    '1-Click PC Care' => 'app for fixing PC problems',
    'Data Recovery' => 'app for recovering files from storage',
    'DemoCreator' => 'app for screen recording',
    'DreamStream' => 'app for managing digital media',
    'Dr.Fone for Android' => 'app to recover deleted contacts, messages, WhatsApp messages, photos, etc. from Android devices',
    'Dr.Fone for iOS' => 'app to recover deleted contacts, messages, photos, etc. from iOS devices',
    'DVD Creator' => 'app for burning videos, audio, and images to DVDs',
    'DVD Slideshow Builder Deluxe' => 'app for building DVD slideshows from photos and videos',
    'Fantashow' => 'app for creating videos',
    'Filmora' => 'app for editing clips, music, and text',
    'Flash Gallery Factory Deluxe' => 'app for creating flash slideshows',
    'Free YouTube Downloader' => 'app for downloading videos from YouTube',
    'MePub' => 'app for creating EPUB ebooks',
    'MirrorGo' => 'app for mirroring a phone on a computer',
    'MobileGo' => 'app for managing mobile lifestyle',
    'MobileTrans' => 'app to transfer contacts, messages, call logs, calendar, photos, etc. between iPhone, Android, Nokia, and BlackBerry',
    'PDF Converter Pro' => 'app for converting MS document types to PDF',
    'PDFelement' => 'app to create, edit, convert, and manage PDF files',
    'PDF Password Remover' => 'app for removing PDF password protection',
    'Photo Recovery' => 'app for recovering photos, videos, and audio files from storage',
    'Player' => 'media player',
    'PowerSuite 2012' => 'app for "optimizing" Windows performance',
    'PPT2DVD Pro' => 'app for converting and burning PowerPoint slides to video',
    'PPT2Video Pro' => 'app for converting PowerPoint slides to video',
    'QuizCreator' => 'app for building quizzes or surveys',
    'SafeEraser' => 'app for safely erasing data',
    'Streaming Audio Recorder' => 'app for real-time audio recording',
    'TidyMyMusic' => 'app for managing local music',
    'TunesGo Retro' => 'app to copy music, video, playlists from iOS devices to iTunes Library and PC',
    'TunesGo Win' => 'iTunes alternative',
    'Video Converter Ultimate' => 'app for converting, editing and burning videos',
    'WinSuite 2012' => 'app for "repairing" Windows'
};
notes: 1. The detector has been generalized as much as possible to match against all apps since they all seem to share traffic characteristics. However, further generalization can be achieved.
       2. Comments have been added to facilitate more granular per-app/action detectors if necessary.
       3. 3 out of the 32 apps did not exhibit network connections: 'MePub', 'PPT2DVD', and 'PPT2Video'.
--]]

require "DetectorCommon"
local DC = DetectorCommon

local proto = DC.ipproto.tcp;
DetectorPackageInfo = {
    name = "wondershare_ap",
    proto = proto,
    server = {
        init = 'DetectorInit',
        clean = 'DetectorClean',
        minimum_matches = 1
    }
}

function DetectorInit(detectorInstance)

    gDetector = detectorInstance;
    gAppId = gDetector:open_createApp("wondershare_ap");

    if gDetector.addAppUrl then

        --[[ Download and Platform sub-domains are observed mostly during the installation wizard ]]--

        --[[
        The below URI is used by the following apps: 'Data Recovery', 'DreamStream', 'Dr.Fone for iOS', 'Dr.Fone for Android',
        'DVD Slideshow Builder Deluxe', 'Fantashow', 'Filmora', 'Free YouTube Downloader', 'MirrorGo', 'MobileGo', 'MobileTrans',
        'PDFelement', 'PDF Password Remover', 'Photo Recovery', 'PowerSuite 2012', 'SafeEraser', 'Streaming Audio Recorder',
        'TunesGo Retro', 'TunesGo Win', 'Video Converter Ultimate'
        ]]--
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "download.wondershare.com", "/cbs_down/", "http:", "", gAppId);

        -- The below URI is used by the following apps: 'MobileGo'
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "download.wondershare.com", "/com.wondershare.waf/", "http:", "", gAppId);

        -- The below URI is used by the following apps: 'MobileGo'
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "download.wondershare.com", "/com.wondershare.mobilego/", "http:", "", gAppId);

        --[[
        The below URI is used by the following apps: 'Data Recovery', 'DreamStream', 'Dr.Fone for iOS',
        'Dr.Fone for Android', 'DVD Slideshow Builder Deluxe', 'DVD Creator', 'Fantashow', 'Filmora',
        'Free YouTube Downloader', 'MirrorGo', 'MobileGo', 'MobileTrans', 'PDFelement', 'SafeEraser', 'Streaming Audio Recorder',
        'TunesGo Retro', 'TunesGo Win', 'Video Converter Ultimate'
        ]]--
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "platform.wondershare.com", "/player/", "http:", "", gAppId);

        --[[
        The below URI is used by the following apps: 'Data Recovery', 'DreamStream', 'Dr.Fone for iOS',
        'Dr.Fone for Android', 'DVD Slideshow Builder Deluxe', 'DVD Creator', 'Fantashow', 'Filmora',
        'Free YouTube Downloader', 'MobileTrans', 'PDFelement', 'SafeEraser', 'Streaming Audio Recorder',
        'TidyMyMusic', 'TunesGo Retro', 'Video Converter Ultimate'
        Action-specific URIs:
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "platform.wondershare.com", "/interface.php?m=co", "http:", "", gAppId);
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "platform.wondershare.com", "/interface.php?m=init", "http:", "", gAppId);
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "platform.wondershare.com", "/interface.php?m=suit", "http:", "", gAppId);
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "platform.wondershare.com", "/interface.php?m=coupload", "http:", "", gAppId);
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "platform.wondershare.com", "/interface.php?m=download", "http:", "", gAppId);
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "platform.wondershare.com", "/interface.php?m=downloader", "http:", "", gAppId);
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "platform.wondershare.com", "/interface.php?m=uploadstatus", "http:", "", gAppId);
        ]]--
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "platform.wondershare.com", "/interface.php?m=", "http:", "", gAppId);

        --[[
        The below URI is used by the following apps: 'Data Recovery', 'DreamStream', 'Dr.Fone for iOS',
        'DVD Slideshow Builder Deluxe', 'Free YouTube Downloader', 'PDFelement', 'Streaming Audio Recorder',
        'TidyMyMusic', 'TunesGo Retro'
        ]]--
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "platform.wondershare.com", "/time.php", "http:", "", gAppId);

        --[[ cbs sub-domain is observed mostly during update checks ]]--

        --[[
        The below URI is used by the following apps: '1-Click PC Care', 'Data Recovery', 'DreamStream', 'DemoCreator',
        'Dr.Fone for iOS', 'Dr.Fone for Android', 'DVD Slideshow Builder Deluxe', 'DVD Creator', 'Fantashow', 'Filmora',
        'Flash Gallery Factory Deluxe', 'Free YouTube Downloader', 'MirrorGo', 'MobileGo', 'MobileTrans', 'PDF Converter Pro',
        'PDFelement', 'PDF Password Remover', 'Photo Recovery', 'PowerSuite 2012', 'QuizCreator', 'SafeEraser',
        'Streaming Audio Recorder', 'TidyMyMusic', 'TunesGo Retro', 'TunesGo Win', 'Video Converter Ultimate'

        Action-specific URIs:
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "cbs.wondershare.com", "/go.php?m=upgrade_info", "http:", "", gAppId);
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "cbs.wondershare.com", "/go.php?pid=", "http:", "", gAppId);
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "cbs.wondershare.com", "/go.php?track=download_start", "http:", "", gAppId);
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "cbs.wondershare.com", "/go.php?track=visit", "http:", "", gAppId);
        ]]--
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "cbs.wondershare.com", "/go.php", "http:", "", gAppId);

        --[[
        The below URI is used by the following apps: 'Data Recovery', 'DreamStream', 'Dr.Fone for iOS', 'Dr.Fone for Android',
        'DVD Slideshow Builder Deluxe', 'MirrorGo', 'MobileGo', 'MobileTrans', 'PDFelement', 'SafeEraser',
        'Streaming Audio Recorder', 'TidyMyMusic', 'TunesGo Retro', 'TunesGo Win'

        Action-specific:
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "us.wondershare.com", "/interface.php?m=download", "http:", "", gAppId);
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "us.wondershare.com", "/interface.php/?m=upload", "http:", "", gAppId);
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "us.wondershare.com", "/interface.php?m=upload", "http:", "", gAppId);
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "us.wondershare.com", "/interface.php?api_version=", "http:", "", gAppId);
        ]]--
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "us.wondershare.com", "/interface.php", "http:", "", gAppId);

        -- The below URI is used by the following apps: 'Fantashow', 'Player'
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "fantashow.wondershare.com", "/style/", "http:", "", gAppId);

        -- The below URI is used by the following apps: 'MobileGo', 'SafeEraser'
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "myphone-download.wondershare.cc", "/SEDataBase/", "http:", "", gAppId);

        -- The below URI is used by the following apps: 'MirrorGo'
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "ori-myphone-download.wondershare.cc", "/MirrorTrialDuration.php", "http:", "", gAppId);

        -- The below URIs are used by the following apps: 'MobileGo'
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "ori-myphone-download.wondershare.cc", "/GetVersion.php", "http:", "", gAppId);
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "mobilego.wondershare.com", "/", "http:", "", gAppId);

        -- The below URI is used by the following apps: 'Fantashow'
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "api.fantashow.wondershare.com", "/message/receive/", "http:", "", gAppId);

        -- The below URI is used by the following apps: 'Fantashow', 'Filmora'
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "api.wondershare.com", "/interface.php?", "http:", "", gAppId);

        -- The below URI is used by the following apps: 'MirrorGo', 'MobileGo', 'PDFelement', 'TunesGo Win'
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "was.wondershare.com", "/v", "http:", "", gAppId);

        -- The below URIs are used by the following apps: 'MirrorGo', 'MobileGo', 'TunesGo Win'
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "was-stats.wondershare.com", "/stats/?appid=", "http:", "", gAppId);
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "statics.was.wondershare.com", "/applogo/", "http:", "", gAppId);

        -- The below URIs are used by the following apps: 'Dr.Fone for iOS', 'DVD Creator', 'Filmora'
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "pop.wondershare.com", "/license.html", "http:", "", gAppId);
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "pop.wondershare.com", "/filmora/", "http:", "", gAppId);

        -- The below URI is used by the following apps: 'Filmora'
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "filmora.wondershare.com", "/", "http:", "", gAppId);

        -- The below URIs are used by the following apps: 'Player'
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "player.wondershare.com", "/init.html?", "http:", "", gAppId);
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "player.wondershare.com", "/Clientsign-in.html?", "http:", "", gAppId);
    end

    if gDetector.addHttpPattern then
        --[[
        The below User-Agent is used by the following apps: '1-Click PC Care', 'Data Recovery', 'DreamStream',
        'DemoCreator', 'Dr.Fone for iOS', 'Dr.Fone for Android', 'DVD Slideshow Builder Deluxe', 'Fantashow',
        'Player', 'MirrorGo', 'MobileTrans', 'PDF Converter Pro', 'PDFelement', 'PDF Password Remover', 'Photo Recovery',
        'QuizCreator', 'SafeEraser', 'Streaming Audio Recorder', 'TidyMyMusic', 'TunesGo Retro', 'TunesGo Win',
        'Video Converter Ultimate'
        ]]--
        gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "Mozilla/4.0 (compatible; MSIE 6.00)", gAppId);

        -- The below User-Agent is used by the following apps: 'Fantashow', 'Player', 'Filmora'
        gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "fantashow", gAppId);

        -- The below User-Agent is used by the following apps: 'Streaming Audio Recorder'
        gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "GCSL GCSP", gAppId);

        -- The below User-Agent is used by the following apps: '1-Click PC Care'
        gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "Fidder", gAppId);

        -- The below User-Agent is used by the following apps: 'DreamStream'
        gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "Windows-Media-Player-DMS", gAppId);
    end

    return gDetector;
end

function DetectorClean()
end


Thank you.

YM
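As an added example (not part of the original post and not OpenAppID's own matcher), the following Python replays a subset of the detector's URL and User-Agent patterns against constructed HTTP request heads, so the generalisation choices (one "/interface.php?m=" entry standing in for every action URI, one "/go.php" entry for all update checks) can be sanity-checked offline before the detector is loaded. The host and path matching semantics are an assumption: host patterns match the exact name or a sub-domain of it, and path patterns match anywhere in the request target.

```python
# Patterns copied from the detector's addAppUrl and addHttpPattern calls.
URL_PATTERNS = [
    ("download.wondershare.com", "/cbs_down/"),
    ("platform.wondershare.com", "/interface.php?m="),
    ("platform.wondershare.com", "/time.php"),
    ("cbs.wondershare.com", "/go.php"),
    ("us.wondershare.com", "/interface.php"),
    ("was-stats.wondershare.com", "/stats/?appid="),
]
UA_PATTERNS = ["Mozilla/4.0 (compatible; MSIE 6.00)", "fantashow", "GCSL GCSP"]


def parse_request(raw):
    """Split a raw HTTP/1.x request head into (target, host, user_agent)."""
    lines = raw.strip().split("\r\n")
    target = lines[0].split(" ")[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target, headers.get("host", ""), headers.get("user-agent", "")


def host_matches(host, pattern):
    """Assumed host semantics: exact name or a sub-domain of the pattern."""
    return host == pattern or host.endswith("." + pattern)


def classify(raw):
    """Return the label of every detector pattern that fires on one request."""
    target, host, ua = parse_request(raw)
    hits = []
    for host_pat, path_pat in URL_PATTERNS:
        # Assumed path semantics: the pattern occurs anywhere in the target.
        if host_matches(host, host_pat) and path_pat in target:
            hits.append("url:" + host_pat + path_pat)
    for ua_pat in UA_PATTERNS:
        if ua_pat in ua:
            hits.append("ua:" + ua_pat)
    return hits


# Constructed request heads, not captured traffic: an update check, one of the
# generalised "m=" action URIs, and an unrelated site sending the same generic
# MSIE 6.00 User-Agent that the detector keys on.
SAMPLES = {
    "update_check": "GET /go.php?m=upgrade_info HTTP/1.1\r\nHost: cbs.wondershare.com\r\n"
                    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00)\r\n\r\n",
    "action_uri": "POST /interface.php?m=coupload HTTP/1.1\r\n"
                  "Host: platform.wondershare.com\r\nUser-Agent: fantashow\r\n\r\n",
    "unrelated_site": "GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
                      "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00)\r\n\r\n",
}
```

The unrelated_site sample shows the generic MSIE 6.00 User-Agent firing with no Wondershare host at all, which is worth keeping in mind with minimum_matches = 1 when tuning the detector for false positives.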