[Snort-sigs] Asprox sig

Nick Randolph drandolph at ...435...
Thu Jul 11 16:03:09 EDT 2013


The initial dropper is picked up with sid:20221 but I noticed something
interesting when I looked at our samples.

It's not obvious in the write up from M86 but the separation between the
user-agent header and the host header doesn't have the typical \x0d\x0a it
only has \x0a and since that isn't a valid agent for Opera it's being added
as a fast_pattern:only;
Update looks like this

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Trojan.Injector outbound connection"; flow:to_server,established;
content:"User-Agent|3A| Opera|5C|9.64|0A|"; fast_pattern:only; http_header;
content:"bb.php?v="; http_uri; content:"id="; distance:0; http_uri;
content:"b="; distance:0; http_uri; content:"tm="; distance:0; http_uri;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http; reference:url,
www.virustotal.com/file-scan/report.html?id=2afb098dfea7d2acd73da520fe26d09acee1449c79d2c8753f3008a2a8f648b2-1303397086;
classtype:trojan-activity; sid:20221; rev:4;)



On Tue, Jul 9, 2013 at 8:48 PM, Joel Esler <jesler at ...435...> wrote:

> Thanks James.
>
> Sent from my iPhone
>
> > On Jul 9, 2013, at 8:29 PM, James Lay <jlay at ...3266...> wrote:
> >
> >
> >> On Jul 9, 2013, at 2:33 PM, James Lay <jlay at ...3266...> wrote:
> >>
> >>> On 2013-07-09 14:23, lists at ...3397... wrote:
> >>>> On 07/09/2013 03:15 PM, James Lay wrote:
> >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> >>>> (msg:"msg:"MALWARE-CNC Asprox outbound connection";
> >>>> flow:to_server,established; content:"?v="; http_uri; content:"&id=";
> >>>> http_uri; within:6; content:"&b="; http_uri; content:"&tm=";
> >>>> http_uri;
> >>>> within:7; metadata:impact_flag red, policy balanced-ips drop, policy
> >>>> security-ips drop, service http;
> >>>>
> >>>> reference:url,
> http://labs.m86security.com/2010/06/the-asprox-spambot-resurrects/;
> >>>> classtype:trojan-activity; sid:10000085; rev:1;)
> >>>
> >>> I recommend we had some negations to avoid some falses, for example,
> >>> the lack of
> >>> proper headers is pretty bogus.  Header ordering is pretty important
> >>> too, so I'd
> >>> probably do this:
> >>>
> >>> content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|"; fast_pattern:only;
> >>> content!:"Accept"; http_header; {the rest of your content matches for
> >>> HTTP URI}
> >>>
> >>> Good stuff James, as always.
> >>>
> >>> Cheers,
> >>> Nathan
> >>
> >> Thanks Nathan,
> >>
> >> Here's the mod:
> >
> > Slight change:
> >
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"msg:"MALWARE-CNC Asprox outbound connection";
> flow:to_server,established; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|";
> fast_pattern:only; content:!"Accept"; http_header; content:"?v="; http_uri;
> content:"&id="; http_uri; within:6; content:"&b="; http_uri;
> content:"&tm="; http_uri; within:7; metadata:impact_flag red, policy
> balanced-ips drop, policy security-ips drop, service http; reference:url,
> http://labs.m86security.com/2010/06/the-asprox-spambot-resurrects/;
> classtype:trojan-activity; sid:10000085; rev:3;)
> >
> > Thanks all.
> >
> > James
> >>
> >> Running this now in production.
> >>
> >> James
> >>
> >>
> ------------------------------------------------------------------------------
> >> See everything from the browser to the database with AppDynamics
> >> Get end-to-end visibility with application monitoring from AppDynamics
> >> Isolate bottlenecks and diagnose root cause in seconds.
> >> Start your free trial of AppDynamics Pro today!
> >>
> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> >> _______________________________________________
> >> Snort-sigs mailing list
> >> Snort-sigs at lists.sourceforge.net
> >> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >> http://www.snort.org
> >>
> >>
> >> Please visit http://blog.snort.org for the latest news about Snort!
> >
> >
> >
> ------------------------------------------------------------------------------
> > See everything from the browser to the database with AppDynamics
> > Get end-to-end visibility with application monitoring from AppDynamics
> > Isolate bottlenecks and diagnose root cause in seconds.
> > Start your free trial of AppDynamics Pro today!
> >
> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > http://www.snort.org
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
>
>
> ------------------------------------------------------------------------------
> See everything from the browser to the database with AppDynamics
> Get end-to-end visibility with application monitoring from AppDynamics
> Isolate bottlenecks and diagnose root cause in seconds.
> Start your free trial of AppDynamics Pro today!
> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
>



-- 

Nick Randolph
Research Engineer
Sourcefire, Inc.
nrandolph at ...435...
Sourcefire.com <http://www.sourcefire.com/>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20130711/7db5118b/attachment.html>


More information about the Snort-sigs mailing list