[Snort-sigs] Zbot variant sigs

Y M snort at ...3751...
Thu Oct 10 04:43:56 EDT 2013


An update to the first rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Zbot variant malware potential download from phishing attack"; content:"/image/swift_copy.zip"; fast_pattern:only; http_uri; file_data; content:"swift_copy.exe"; metadata: policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/27e6f24e8ddfd5137a08c527c0e9b8b47d81303cbaa4e4fee4586699a31640f4/analysis/1381340916/; classtype:trojan-activity; sid:100060; rev:1;)
From: snort at ...3751...
To: snort-sigs at lists.sourceforge.net
Subject: Zbot variant sigs
Date: Wed, 9 Oct 2013 18:53:35 +0000




Received this one as a phishing email with an .html attachment. It downloads a zip/executable file as soon as it is opened. Results on VT are mixed between Zbot, Autoit and Generic. pcaps attached.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Zbot variant malware potential download from phishing"; content:"/image/swift_copy.zip"; fast_pattern:only; http_uri; metadata: policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/27e6f24e8ddfd5137a08c527c0e9b8b47d81303cbaa4e4fee4586699a31640f4/analysis/1381340916/; classtype:trojan-activity; sid:100060; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot variant outbound connection attempt - config.bin"; content:"/images/server/config.bin"; fast_pattern:only; http_uri; content:"Accept|3A| |2A|/|2A 0D 0A|"; metadata: policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/02a565134bb46d1644d24f978df7a98ba2b99aa63a22d5287bab71486e307dac/analysis/1381340939/; classtype:trojan-activity; sid:100061; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot variant outbound connection attempt - post"; content:"POST"; http_method; content:"/images/server/gate.php"; http_uri; fast_pattern:only; metadata: policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/02a565134bb46d1644d24f978df7a98ba2b99aa63a22d5287bab71486e307dac/analysis/1381340939/; classtype:trojan-activity; sid:100062; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain kitkatzuniga.com - Win.Trojan.Zbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|kitkatzuniga|03|com|00|"; fast_pattern:only; metadata:impact_flag red, service dns; reference:url,www.virustotal.com/en/file/02a565134bb46d1644d24f978df7a98ba2b99aa63a22d5287bab71486e307dac/analysis/1381340939/; classtype:trojan-activity; sid:100063; rev:1;) 
Thanks.
YM
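As an added example (not part of the original post or of Snort), the Python below reproduces what the sid:100063 DNS rule is actually testing: the length-prefixed wire encoding behind `|0C|kitkatzuniga|03|com|00|` and the `byte_test:1,!&,0xF8,2` flags check, evaluated against constructed DNS queries. The helper names and the sample messages are my own.

```python
"""Added example: mirror the checks in the sid:100063 rule against
constructed DNS messages. Helpers are illustrative, not Snort code."""
import struct

# The exact pattern used in the rule, as raw bytes.
RULE_CONTENT = b"\x0ckitkatzuniga\x03com\x00"


def dns_wire_name(domain: str) -> bytes:
    """DNS on-the-wire name: each label prefixed by its length, then 0x00.
    'kitkatzuniga' is 12 bytes, hence the 0x0C in the rule's content."""
    out = b""
    for label in domain.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def snort_content(data: bytes) -> str:
    """Render bytes in Snort content notation: ASCII alphanumerics stay
    literal, everything else becomes a |XX| hex block."""
    parts, hexrun = [], []

    def flush():
        if hexrun:
            parts.append("|" + " ".join(hexrun) + "|")
            hexrun.clear()

    for b in data:
        if b < 0x80 and chr(b).isalnum():
            flush()
            parts.append(chr(b))
        else:
            hexrun.append(f"{b:02X}")
    flush()
    return "".join(parts)


def build_dns_query(domain: str, flags: int = 0x0100, txid: int = 0x1234) -> bytes:
    """Constructed DNS message: 12-byte header plus one A/IN question.
    flags=0x0100 is a standard query (RD set); 0x8180 is a typical response."""
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + dns_wire_name(domain) + struct.pack(">HH", 1, 1)


def rule_100063_matches(dns_payload: bytes) -> bool:
    """byte_test:1,!&,0xF8,2 reads the byte at offset 2 (high flags byte)
    and passes only if QR, Opcode and AA are all clear, i.e. a plain query;
    the content check then looks for the encoded name anywhere in the payload."""
    if len(dns_payload) < 3 or dns_payload[2] & 0xF8:
        return False
    return RULE_CONTENT in dns_payload
```

Because the match is a substring, a query for a subdomain such as www.kitkatzuniga.com also fires, while the 0x0C length prefix keeps a look-alike like notkitkatzuniga.com from matching.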

