[Snort-sigs] Namihno Trojan

Paul Bottomley Paul.Bottomley at ...3813...
Mon May 20 10:17:27 EDT 2013


Sorry don't have a reference for this (Intel was received through our TI provider).

"The following URI is hard-coded into the sample and used to construct the HTTP C2 request:
/windows/update/search?hl=%s&q=%s&meta=%s&id=%s
URI parameters within the HTTP request contain the Base64-encoded hostname and IP address of the victim's computer."

I've assumed all occurrences of %s are Base64, but I can't get the rule to fire when a '+' occurs within the character class (using \x2b) - not sure why? I've also probably escaped some characters that don't need escaping.

Anyway, here is the rule I've created. Feel free to modify if you like.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"[C2] Namihno Trojan CnC Request"; flow:established,to_server; content:"/windows/update/search?hl="; fast_pattern:only; http_uri; pcre:"/\/windows\/update\/search\?hl=[a-z0-9\x2b\x2f\x3d]+&q=[a-z0-9\x2b\x2f\x3d]+&meta=[a-z0-9\x2b\x2f\x3d]+&id=[a-z0-9\x2b\x2f\x3d]+$/Ui"; classtype:trojan-activity; sid:xxxxx; rev:1;)

Thanks
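As an added check (not part of Paul's post), here is a Python translation of the rule's PCRE run over constructed URIs, one of which carries a '+' in a parameter, together with a decoder for the Base64 parameters so an analyst can recover the hostname and IP the sample encodes. Snort's /U modifier matches the normalized (percent-decoded) URI buffer, so the URI is unquoted before matching; this exercises the pattern itself, not Snort's own preprocessing, and the sample values are made up.

```python
import base64
import re
from urllib.parse import unquote

# Python translation of the rule's PCRE. Snort's /U modifier matches the
# normalized (percent-decoded) URI buffer, so the URI is unquoted before
# matching; re.IGNORECASE stands in for the /i flag.
B64_CLASS = r"[a-z0-9\x2b\x2f\x3d]+"
NAMIHNO_URI_RE = re.compile(
    r"/windows/update/search\?hl=(%s)&q=(%s)&meta=(%s)&id=(%s)$"
    % ((B64_CLASS,) * 4),
    re.IGNORECASE,
)


def match_namihno_uri(raw_uri):
    """Return the four parameter values if the URI matches the rule's PCRE, else None."""
    m = NAMIHNO_URI_RE.search(unquote(raw_uri))
    return list(m.groups()) if m else None


def decode_params(raw_uri):
    """Base64-decode each matched parameter; values failing strict decoding are kept raw."""
    values = match_namihno_uri(raw_uri)
    if values is None:
        return None
    decoded = []
    for v in values:
        try:
            decoded.append(base64.b64decode(v, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded.append(v)
    return decoded


# Constructed test URIs (not real captures). hl= carries base64(b"abc~~~"),
# which is "YWJjfn5+", so the '+' case is exercised; the other values are
# base64("10.0.0.15") and base64("host01").
SAMPLE_PLUS = ("/windows/update/search?hl=YWJjfn5+&q=MTAuMC4wLjE1"
               "&meta=aG9zdDAx&id=MTAuMC4wLjE1")
# Same request with the '+' percent-encoded, as a client might send it.
SAMPLE_PCT = SAMPLE_PLUS.replace("+", "%2B")
# Missing parameters: must not match.
SAMPLE_OTHER = "/windows/update/search?hl=aG9zdDAx&q=MTAuMC4wLjE1"

if __name__ == "__main__":
    for uri in (SAMPLE_PLUS, SAMPLE_PCT, SAMPLE_OTHER):
        print(uri, "->", decode_params(uri))
```

Both the literal '+' and the %2B form match once the URI is normalized, so the character class itself accepts '+'.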
