[Snort-sigs] Neutrino EK initial landing on a DGA host

Joel Esler jesler at ...435...
Tue Jun 4 18:28:39 EDT 2013


Nathan,

Do you happen to have a pcap of this?  I think we already catch this, and if so, we'll open the rules, but I wanted to check if you have the data.

J

On Jun 4, 2013, at 3:44 PM, Community Proposed <lists at ...3397...> wrote:

> We picked up a hostile Neutrino EK initial landing on a DGA host; it's a 24-byte
> a-f leading child domain.  pDNS shows that the IPs in question have multiple
> DGAs pointed to them -- feel free to validate.  I don't see a payload, but I'm not
> 100% with Neutrino like the other EKs.
> 
>    IP - 37.59.151.254
>    IP - 178.238.230.173
>    IP - 178.32.176.219
> 
> RegEx for match (WebWasher/WebGateway format):
> 
>     regex((?-i)http:\/\/[a-f0-9]{24}\.[^\.]+\.[a-z]{2,4}[\x2f\x3a][^\r\n]+$
> Nathan Fowler, Jun 04 2013, Neutrino Exploit Kit initial landing 24-byte DGA.
> 
> Snort Sig, might be crappy, double check me on distance/within.
> 
> 	alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS
> Neutrino EK DGA requested over HTTP"; flow:established,to_server;
> content:"Host|3a 20|"; http_header; 
> content:"."; http_header; distance:24; within:1;
> pcre:"/Host\x3a\x20[a-f0-9]{24}\.[^\.]+\.[a-z]{2,4}[\x3a\r\n]/H";
> classtype:trojan-activity; sid:x; rev:1;)
> 
> Validation:
> select distinct date_time, http_status, block_reason, user_name, url from
> webwasher_full where day>='2013-05-01' and url rlike
> 'http:\\/\\/[a-f0-9]{24}\\.[^\\.]+\\.[a-z]{2,4}[\\x2f\\x3a][^\\r\\n]+$' and
> http_status <> '407'
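As an added example (not code from the post, the Snort rules or the WebWasher product), here is a Python port of the two patterns Nathan gave, run over constructed proxy-log lines and a constructed HTTP request: it shows which URL shapes the regex accepts (24 lowercase hex chars, a 2-4 letter TLD, something after the `:` or `/`) and how the Snort rule's content/distance/within check and its pcre both pin the dot at byte 24 of the Host value. All hostnames, timestamps and query values below are made up.

```python
import re

# Ports of the two patterns from the post. URL_RE follows the WebWasher/WebGateway
# regex, HOST_RE follows the pcre in the Snort rule. Both stay case-sensitive
# like the originals ((?-i)), so uppercase hex labels are not matched.
URL_RE = re.compile(r"^http://[a-f0-9]{24}\.[^.]+\.[a-z]{2,4}[/:][^\r\n]+$")
HOST_RE = re.compile(r"Host: [a-f0-9]{24}\.[^.]+\.[a-z]{2,4}[:\r\n]")


def url_matches(url: str) -> bool:
    """Proxy-log side: does a requested URL fit the 24-hex-label DGA shape?"""
    return URL_RE.search(url) is not None


def host_header_matches(request: str) -> bool:
    """Wire side: emulate the Snort rule's content:"Host|3a 20|" followed by
    content:"."; distance:24; within:1, then apply its pcre to the headers."""
    idx = request.find("Host: ")
    if idx < 0:
        return False
    label_start = idx + len("Host: ")
    # distance:24; within:1 -> the single byte 24 positions after "Host: " is "."
    if request[label_start + 24:label_start + 25] != ".":
        return False
    return HOST_RE.search(request) is not None


def scan_proxy_log(lines):
    """Return the URLs (last field of each constructed log line) that match."""
    return [ln.split()[-1] for ln in lines if url_matches(ln.split()[-1])]


# Constructed sample data (hex labels are invented, not the ones from the post).
SAMPLE_LOG = [
    "[01/Jun/2013:10:00:00 -0600] 403 Malware found http://0123456789abcdef01234567.dyn-example.net:8000/landing?hash=aa",
    "[01/Jun/2013:10:00:01 -0600] 200 - http://0123456789abcdef0123456.dyn-example.net:8000/landing",   # 23 hex chars
    "[01/Jun/2013:10:00:02 -0600] 200 - http://0123456789ABCDEF01234567.dyn-example.net:8000/landing",  # uppercase
    "[01/Jun/2013:10:00:03 -0600] 200 - http://0123456789abcdef01234567.dyn-example.net/",             # nothing after /
    "[01/Jun/2013:10:00:04 -0600] 200 - http://0123456789abcdef01234567.dyn-example.local/x",          # 5-letter TLD
]

SAMPLE_REQUEST = (
    "GET /landing?hash=aa HTTP/1.1\r\n"
    "Host: 0123456789abcdef01234567.dyn-example.net:8000\r\n"
    "User-Agent: constructed-sample\r\n\r\n"
)

if __name__ == "__main__":
    print(scan_proxy_log(SAMPLE_LOG))          # only the first URL matches
    print(host_header_matches(SAMPLE_REQUEST))  # True
```

Note that the 5-letter-TLD and "nothing after the slash" lines fall outside both patterns, which is worth knowing before relying on the regex as a blocklist rule.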