[Snort-sigs] Possible trojan rule

larosa, vjay larosa_vjay at ...375...
Thu Jun 3 10:21:06 EDT 2004


If http_inspect is turned on, do you have the option inspect_uri_only
turned on? If you do, your rule will not fire because of the word GET in the
pattern match. That is not part of the URI (hence the inspect_uri_only
keyword). If you change it to the following, it should work for you. But I
would turn off the inspect_uri_only option. It messes me up all the time.

alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Virtumonde Spyware siae323.exe GET"; uricontent:"/siae3123.exe"; nocase; classtype: policy-violation; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; sid:2000306; rev:5;)

alert tcp $HOME_NET any -> any 8081 (msg:"BLEEDING-EDGE Virtumonde Spyware siae323.exe GET"; uricontent:"/siae3123.exe"; nocase; classtype: policy-violation; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; sid:2000307; rev:2;)

vjl
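
The point vjay makes above (content: searches the raw payload, uricontent: searches only the URI buffer that http_inspect fills, which holds neither the method nor the version) can be seen in a small model. The code below is an added illustration for this thread, not Snort's own code and not from either poster: extract_uri, normalized_uri, content_match and uricontent_match are stand-ins for the real preprocessor and rule engine, the two sample requests are constructed (the host and filename are the ones discussed in the thread), and only percent-decoding and case folding are modelled out of the many normalizations http_inspect performs.

```python
"""Model of content: vs. uricontent: matching against an HTTP request.

Added example for the Snort-sigs thread; NOT Snort's own implementation.
The functions below are simplified stand-ins for http_inspect and the
rule engine: only percent-decoding and case folding are modelled.
"""
from typing import Dict, Optional
from urllib.parse import unquote_to_bytes

# Constructed sample requests (host and filename taken from the thread).
RAW_REQUEST = (b"GET /siae3123.exe HTTP/1.1\r\n"
               b"Host: 209.123.150.15\r\n"
               b"User-Agent: x\r\n\r\n")
# Same download with the '3' percent-encoded as %33 in the request line.
ENCODED_REQUEST = (b"GET /siae%33123.exe HTTP/1.1\r\n"
                   b"Host: 209.123.150.15\r\n\r\n")


def extract_uri(payload: bytes) -> Optional[bytes]:
    """Return the request-URI from the request line, or None if not HTTP.

    The method ("GET ") and the version ("HTTP/1.1") are deliberately
    left out: they are not part of the URI buffer, which is why a
    uricontent pattern containing "GET " can never match.
    """
    request_line, _, _ = payload.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[1]


def normalized_uri(payload: bytes) -> Optional[bytes]:
    """Approximate the normalized URI buffer (percent-decoded only)."""
    uri = extract_uri(payload)
    return None if uri is None else unquote_to_bytes(uri)


def content_match(payload: bytes, pattern: bytes, nocase: bool = True) -> bool:
    """content: searches the raw packet payload, request line included."""
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


def uricontent_match(payload: bytes, pattern: bytes, nocase: bool = True,
                     http_inspect: bool = True) -> bool:
    """uricontent: searches only the URI buffer that http_inspect fills.

    With the preprocessor off the buffer is never populated, so no
    uricontent pattern can match at all (the first thing vjay asked about).
    """
    if not http_inspect:
        return False
    uri = normalized_uri(payload)
    if uri is None:
        return False
    if nocase:
        return pattern.lower() in uri.lower()
    return pattern in uri


def compare(payload: bytes) -> Dict[str, bool]:
    """Evaluate the patterns from the thread against one request."""
    return {
        "content GET /siae3123.exe":
            content_match(payload, b"GET /siae3123.exe"),
        "uricontent GET /siae3123.exe":
            uricontent_match(payload, b"GET /siae3123.exe"),
        "uricontent /siae3123.exe":
            uricontent_match(payload, b"/siae3123.exe"),
        "uricontent /siae3123.exe (http_inspect off)":
            uricontent_match(payload, b"/siae3123.exe", http_inspect=False),
    }


if __name__ == "__main__":
    for name, payload in (("plain", RAW_REQUEST),
                          ("percent-encoded", ENCODED_REQUEST)):
        print(name)
        for label, hit in compare(payload).items():
            print(f"  {label}: {hit}")
```

Running it shows the three cases from the thread side by side: the raw content: pattern with "GET " hits the plain request, the same pattern under uricontent: never can, and "/siae3123.exe" under uricontent: hits only while http_inspect is on. The percent-encoded request is the reason to prefer uricontent: once the preprocessor is running: the raw content: match misses "%33", while the normalized URI buffer still matches.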

-----Original Message-----
From: larosa, vjay 
Sent: Thursday, June 03, 2004 1:14 PM
To: 'Matthew Jonkman'
Cc: snort-sigs at lists.sourceforge.net
Subject: RE: [Snort-sigs] Possible trojan rule

Do you have the http_inspect preprocessor turned on in your snort.conf? 

vjl

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Matthew Jonkman
Sent: Thursday, June 03, 2004 10:59 AM
Cc: snort-sigs mailinglist
Subject: Re: [Snort-sigs] Possible trojan rule

Identified it positively as Virtumonde spyware.

Info available here:
http://sarc.com/avcenter/venc/data/adware.virtumonde.html

Most recent version available here: http://snort.infotex.com

For the life of me I couldn't get it to hit with uricontent. Took a few 
suggestions and even narrowed down the content to siae3123.exe only and 
still nothing. Drop it back to content and it hits every time. If anyone 
can help me understand why, I'd appreciate it.

It uses 2 ports so I've added a second rule and adjusted the name.

Working versions:
--------------------
alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Virtumonde Spyware siae323.exe GET"; content:"GET /siae3123.exe"; nocase; classtype: policy-violation; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; sid:2000306; rev:4;)
alert tcp $HOME_NET any -> any 8081 (msg:"BLEEDING-EDGE Virtumonde Spyware siae323.exe GET"; content:"GET /siae3123.exe"; nocase; classtype: policy-violation; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; sid:2000307; rev:1;)
---------------------

Non-working uricontent versions:
----------------------
alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Virtumonde Spyware siae323.exe GET"; uricontent:"siae3123.exe"; nocase; classtype: policy-violation; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; sid:2000306; rev:4;)
alert tcp $HOME_NET any -> any 8081 (msg:"BLEEDING-EDGE Virtumonde Spyware siae323.exe GET"; uricontent:"siae3123.exe"; nocase; classtype: policy-violation; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; sid:2000307; rev:1;)



Hugo van der Kooij wrote:

> On Wed, 2 Jun 2004, Matthew Jonkman wrote:
> 
> 
>>We're finding a number of client machines infected with something. Not
>>sure what it is. The symptom is it downloads
>>
>>http://209.123.150.15/siae3123.exe
> 
> 
> 3 different virus scanners could not find any harm in them. Functions
> called inside:
> 
> 	ExitProcess
> 	Sleep
> 
> Filename referenced:
> 
> 	c:\Projects\Empty\Empty\Release\Empty.pdb
> 
> Various internet pages seem to indicate this as spyware.
> 
> Hugo.
> 

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
--------------------------------------------

