[Snort-sigs] Namihno Trojan

Joel Esler jesler at ...435...
Mon May 20 11:01:02 EDT 2013


Thanks.  I committed it like this:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Namihno Trojan CnC Request"; flow:to_server,established; content:"/windows/update/search?hl="; http_uri; content:"&q="; distance:0; http_uri; content:"&meta="; distance:0; http_uri; content:"&id="; distance:0; http_uri; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26695; rev:2;)

Since there really isn't a need for the pcre, I just used the content matches and made them relative to each other. This should work much faster.


Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager

On May 20, 2013, at 10:17 AM, Paul Bottomley <Paul.Bottomley at ...3813...> wrote:

> Sorry, I don't have a reference for this (intel was received through our TI provider).
> "The following URI is hard-coded into the sample and used to construct the HTTP C2 request:
> /windows/update/search?hl=%s&q=%s&meta=%s&id=%s
> URI parameters within the HTTP request contain the Base64-encoded hostname and IP address of the victim's computer."
> I've assumed all occurrences of %s are Base64, but I can't get the rule to fire when a '+' occurs within the character class (using \x2b) - not sure why? I've also probably escaped some characters that don't need escaping.
> Anyway, here is the rule I've created. Feel free to modify if you like.
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"[C2] Namihno Trojan CnC Request"; flow:established,to_server; content:"/windows/update/search?hl="; fast_pattern:only; http_uri; pcre:"/\/windows\/update\/search\?hl\=[a-z0-9\x2b\x2f\x3d]+\&q\=[a-z0-9\x2b\x2f\x3d]+\&meta\=[a-z0-9\x2b\x2f\x3d]+\&id\=[a-z0-9\x2b\x2f\x3d]+$/Ui"; classtype:trojan-activity; sid:xxxxx; rev:1;)
> Thanks
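The difference between the two rules above is easy to see by emulating both detection approaches over a few URIs. The following is an added example (not code from either poster or from the Snort project): it replays the committed rule's chain of ordered content matches (each `distance:0` relative to the previous match, case-sensitive, no `nocase`) next to the submitted pcre translated unchanged into Python's `re`, against constructed sample URIs. The Base64-looking parameter values are made up for illustration.

```python
import re

# Content chain from the committed rule (sid:26695): each string must be found
# at or after the end of the previous match, which is what distance:0 does
# when the matches are made relative to each other.
CONTENT_CHAIN = ["/windows/update/search?hl=", "&q=", "&meta=", "&id="]

# The pcre from the submitted rule, carried over as-is. The /U modifier only
# selects the URI buffer, so it has no Python equivalent; /i becomes re.I.
SUBMITTED_PCRE = re.compile(
    r"/windows/update/search\?hl=[a-z0-9\x2b\x2f\x3d]+"
    r"&q=[a-z0-9\x2b\x2f\x3d]+"
    r"&meta=[a-z0-9\x2b\x2f\x3d]+"
    r"&id=[a-z0-9\x2b\x2f\x3d]+$",
    re.I,
)


def content_chain_matches(uri: str, chain=CONTENT_CHAIN) -> bool:
    """Emulate Snort's relative content matching over the http_uri buffer.

    Every pattern must occur at or after the end of the previous hit, so the
    parameter order enforced by the rule (hl, q, meta, id) is preserved.
    Snort content matches are case-sensitive unless nocase is set, so plain
    str.find() is the right emulation here.
    """
    pos = 0
    for pat in chain:
        idx = uri.find(pat, pos)
        if idx < 0:
            return False
        pos = idx + len(pat)
    return True


def pcre_matches(uri: str) -> bool:
    """Apply the submitted pcre to the URI buffer."""
    return SUBMITTED_PCRE.search(uri) is not None


def evaluate(uri: str) -> tuple:
    """Return (content chain fired, pcre fired) for one URI."""
    return (content_chain_matches(uri), pcre_matches(uri))


# Constructed sample URIs with the expected (chain, pcre) outcome.
SAMPLES = {
    # All four parameters in order; values include '+', '/' and '=' padding,
    # the characters Base64 output can contain (values are made up).
    "/windows/update/search?hl=aG9z+dA==&q=MTkyLjE2OC4xLjU=&meta=Zm9v/YmFy&id=MQ==": (True, True),
    # Same parameters but out of order: the relative chain breaks at &id=,
    # and the pcre fails because '&' is not in its character class.
    "/windows/update/search?hl=aG9zdA==&id=MQ==&q=MTkyLjE2OC4xLjU=&meta=Zm9v": (False, False),
    # Benign look-alike with a different path: the fast-pattern string never occurs.
    "/windows/update/search.aspx?hl=en&q=kb123": (False, False),
    # Non-Base64 parameter values: the committed rule dropped the Base64
    # restriction, so the chain fires where the stricter pcre does not.
    "/windows/update/search?hl=en-us&q=x&meta=y&id=z": (True, False),
}


if __name__ == "__main__":
    for uri, expected in SAMPLES.items():
        got = evaluate(uri)
        status = "ok" if got == expected else "MISMATCH"
        print(f"{status:8} chain={got[0]!s:5} pcre={got[1]!s:5} {uri}")
```

The last sample is the trade-off Joel's change makes: the committed rule keys only on the ordered parameter names, so it is both cheaper and slightly broader than the Base64-constrained pcre; anything legitimate hitting that exact path with those four parameters in that order would also match.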
