[Snort-sigs] Namihno Trojan

Joel Esler jesler at ...435...
Mon May 20 11:28:19 EDT 2013


No, thank you for contributing!

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On May 20, 2013, at 11:05 AM, Paul Bottomley <Paul.Bottomley at ...3813...> wrote:

> Nicely optimised, thanks Joel!
>  
>  
> From: Joel Esler [mailto:jesler at ...435...] 
> Sent: 20 May 2013 16:01
> To: Paul Bottomley
> Cc: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] Namihno Trojan
>  
> Paul,
>  
> Thanks.  I committed it like this:
>  
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Namihno Trojan CnC Request"; flow:to_server,established; content:"/windows/update/search?hl="; http_uri; content:"&q="; distance:0; http_uri; content:"&meta="; distance:0; http_uri; content:"&id="; distance:0; http_uri; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26695; rev:2;)
>  
> Since there really isn't a need for the pcre, I just used the content matches and made them relative to each other.   This should work much faster.
>  
> Thanks!
>  
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>  
>  
> On May 20, 2013, at 10:17 AM, Paul Bottomley <Paul.Bottomley at ...3813...> wrote:
> 
> 
> Sorry don't have a reference for this (Intel was received through our TI provider).
>  
> "The following URI is hard-coded into the sample and used to construct the HTTP C2 request:
> /windows/update/search?hl=%s&q=%s&meta=%s&id=%s
> URI parameters within the HTTP request contain the Base64-encoded hostname and IP address of the victim's computer."
>  
> I've assumed all occurrences of %s are Base64 but I can't get the rule to fire when a '+' occurs within the character class (using \x2b) - not sure why? I’ve also probably escaped some characters that don’t need escaping.
>  
> Anyway, here is the rule I've created. Feel free to modify if you like.
>  
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"[C2] Namihno Trojan CnC Request"; flow:established,to_server; content:"/windows/update/search?hl="; fast_pattern:only; http_uri; pcre:"/\/windows\/update\/search\?hl\=[a-z0-9\x2b\x2f\x3d]+\&q\=[a-z0-9\x2b\x2f\x3d]+\&meta\=[a-z0-9\x2b\x2f\x3d]+\&id\=[a-z0-9\x2b\x2f\x3d]+$/Ui"; classtype:trojan-activity; sid:xxxxx; rev:1;)
>  
> Thanks
> 
> ________________________________________________________________________
> In order to protect our email recipients, Betfair Group use SkyScan from 
> MessageLabs to scan all Incoming and Outgoing mail for viruses.
> 
> ________________________________________________________________________
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> 
> 
> Please visit http://blog.snort.org for the latest news about Snort!
>  
> 
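As an added illustration (not code from the thread or from Sourcefire), the Python below emulates the ordered content / distance:0 / http_uri chain of the committed rule (SID 26695) over constructed URIs and Base64-decodes the parameter values the thread says carry the victim hostname and IP; the sample hostname, IP and URIs are assumptions.

```python
import base64
import binascii

# Ordered URI fragments from the committed rule (SID 26695). Snort's
# distance:0 makes each content match relative to the end of the previous one.
CNC_URI_TOKENS = ["/windows/update/search?hl=", "&q=", "&meta=", "&id="]


def matches_cnc_rule(uri):
    """Emulate the content / distance:0 / http_uri chain of SID 26695."""
    pos = 0
    for token in CNC_URI_TOKENS:
        idx = uri.find(token, pos)
        if idx < 0:
            return False
        pos = idx + len(token)  # next search starts where this match ended
    return True


def decode_cnc_params(uri):
    """Base64-decode each query value (the thread says the values carry the
    victim's hostname and IP). Values that are not valid Base64 map to None."""
    decoded = {}
    for param in uri.partition("?")[2].split("&"):
        key, _, value = param.partition("=")
        try:
            decoded[key] = base64.b64decode(value, validate=True).decode("latin-1")
        except binascii.Error:
            decoded[key] = None
    return decoded


def triage(uris):
    """Return {uri: decoded params} for every URI the rule logic would flag."""
    return {u: decode_cnc_params(u) for u in uris if matches_cnc_rule(u)}


# Constructed sample URIs (assumptions, not from the thread): hostname
# "WKSTN-07" and IP "10.0.0.5" Base64-encoded; the meta value "YWJ+" carries
# the '+' character Paul's character class was meant to cover.
SAMPLE_URIS = [
    "/windows/update/search?hl=ZW4=&q=V0tTVE4tMDc=&meta=YWJ+&id=MTAuMC4wLjU=",
    "/windows/update/search?hl=en&id=1",             # missing &q= and &meta=
    "/windows/update/search?hl=a&id=b&q=c&meta=d",   # right tokens, wrong order
]

if __name__ == "__main__":
    for uri, params in triage(SAMPLE_URIS).items():
        print(uri, "->", params)
```

The third sample shows why the relative matches also encode parameter order: "&id=" must follow "&meta=", so a reordered query does not fire.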
