[Snort-sigs] Zbot variant sigs

Y M snort at ...3751...
Thu Oct 10 15:16:50 EDT 2013


Adding pcaps.

From: snort at ...3751...
To: snort-sigs at lists.sourceforge.net
Date: Thu, 10 Oct 2013 08:43:56 +0000
Subject: Re: [Snort-sigs] Zbot variant sigs

An update to the first rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Zbot variant malware potential download from phishing attack"; content:"/image/swift_copy.zip"; fast_pattern:only; http_uri; file_data; content:"swift_copy.exe"; metadata: policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/27e6f24e8ddfd5137a08c527c0e9b8b47d81303cbaa4e4fee4586699a31640f4/analysis/1381340916/; classtype:trojan-activity; sid:100060; rev:2;)

From: snort at ...3751...
To: snort-sigs at lists.sourceforge.net
Subject: Zbot variant sigs
Date: Wed, 9 Oct 2013 18:53:35 +0000


Received this one as a phishing email with an .html attachment. It downloads a zip/executable file as soon as it is opened. Results on VT are mixed between Zbot, Autoit and Generic. Pcaps attached.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Zbot variant malware potential download from phishing"; content:"/image/swift_copy.zip"; fast_pattern:only; http_uri; metadata: policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/27e6f24e8ddfd5137a08c527c0e9b8b47d81303cbaa4e4fee4586699a31640f4/analysis/1381340916/; classtype:trojan-activity; sid:100060; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot variant outbound connection attempt - config.bin"; content:"/images/server/config.bin"; fast_pattern:only; http_uri; content:"Accept|3A| |2A|/|2A 0D 0A|"; metadata: policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/02a565134bb46d1644d24f978df7a98ba2b99aa63a22d5287bab71486e307dac/analysis/1381340939/; classtype:trojan-activity; sid:100061; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot variant outbound connection attempt - post"; content:"POST"; http_method; content:"/images/server/gate.php"; http_uri; fast_pattern:only; metadata: policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/02a565134bb46d1644d24f978df7a98ba2b99aa63a22d5287bab71486e307dac/analysis/1381340939/; classtype:trojan-activity; sid:100062; rev:1;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain kitkatzuniga.com - Win.Trojan.Zbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|kitkatzuniga|03|com|00|"; fast_pattern:only; metadata:impact_flag red, service dns; reference:url,www.virustotal.com/en/file/02a565134bb46d1644d24f978df7a98ba2b99aa63a22d5287bab71486e307dac/analysis/1381340939/; classtype:trojan-activity; sid:100063; rev:1;)

Thanks.
YM

_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20131010/8309d658/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: zbot_dns.pcap
Type: application/octet-stream
Size: 224 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20131010/8309d658/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: zbot_http_download.pcap
Type: application/octet-stream
Size: 554254 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20131010/8309d658/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: zbot_http_cnc_c.pcap
Type: application/octet-stream
Size: 181804 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20131010/8309d658/attachment-0002.obj>
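The following is an added worked example, not code from the thread above or from the Snort project. It shows what the DNS rule (sid:100063) is actually testing: how a domain is label-encoded into the `|0C|kitkatzuniga|03|com|00|` content string, how a Snort content string with `|hex|` escapes maps to raw bytes, and what `byte_test:1,!&,0xF8,2` checks in the DNS header. The DNS messages it matches against are constructed inline for the demonstration; nothing is read from the attached pcaps. The function names (`snort_content_to_bytes`, `sid_100063_matches`, `build_dns_message`, `dns_blacklist_rule`) are this example's own, and `dns_blacklist_rule` only mirrors the shape of the rule posted above for other domains.

```python
import struct

# Content string copied from the sid:100063 rule posted in the thread.
RULE_100063_CONTENT = "|0C|kitkatzuniga|03|com|00|"


def snort_content_to_bytes(content: str) -> bytes:
    """Convert a Snort content string (literal text with |hex| escapes) to raw bytes."""
    out = bytearray()
    in_hex = False
    for chunk in content.split("|"):
        # Chunks alternate between literal text and hex, starting with literal.
        out += bytes.fromhex(chunk) if in_hex else chunk.encode("latin-1")
        in_hex = not in_hex
    return bytes(out)


def dns_wire_name(domain: str) -> bytes:
    """Encode a domain as it appears in a DNS question section:
    each label prefixed by its length byte, terminated by a zero byte."""
    out = bytearray()
    for label in domain.rstrip(".").split("."):
        if not 0 < len(label) <= 63:
            raise ValueError(f"bad DNS label: {label!r}")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def snort_dns_name_content(domain: str) -> str:
    """Render the same encoding as a Snort content string, the form used in the rule."""
    dns_wire_name(domain)  # validate label lengths before emitting anything
    parts = [f"|{len(label):02X}|{label}" for label in domain.rstrip(".").split(".")]
    return "".join(parts) + "|00|"


def build_dns_message(domain: str, txid: int = 0x1234, response: bool = False) -> bytes:
    """Constructed sample payload: a minimal A query (or an answer-less response)
    for `domain`. Header fields: id, flags, qdcount, ancount, nscount, arcount."""
    flags = 0x8180 if response else 0x0100  # response: QR,RD,RA set; query: RD only
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + dns_wire_name(domain) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def sid_100063_matches(payload: bytes) -> bool:
    """Emulate the detection options of sid:100063 on a UDP/53 payload.

    byte_test:1,!&,0xF8,2 reads one byte at offset 2 (QR, Opcode, AA, TC, RD)
    and passes only when none of the top five bits is set: QR=0 (a query, not a
    response) and Opcode=0 (standard query). The content may then appear
    anywhere in the payload, which is why a subdomain of the listed name also
    matches while the listed name used as a prefix of a longer one does not.
    """
    if len(payload) < 3 or payload[2] & 0xF8:
        return False
    return snort_content_to_bytes(RULE_100063_CONTENT) in payload


def dns_blacklist_rule(domain: str, sid: int, family: str) -> str:
    """Emit a rule in the same shape as sid:100063 for another domain (hypothetical helper)."""
    return (
        'alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known '
        f'malware domain {domain} - {family}"; flow:to_server; byte_test:1,!&,0xF8,2; '
        f'content:"{snort_dns_name_content(domain)}"; fast_pattern:only; '
        f'metadata:impact_flag red, service dns; classtype:trojan-activity; sid:{sid}; rev:1;)'
    )


if __name__ == "__main__":
    assert snort_dns_name_content("kitkatzuniga.com") == RULE_100063_CONTENT
    cases = [("kitkatzuniga.com", False), ("kitkatzuniga.com", True),
             ("www.kitkatzuniga.com", False), ("kitkatzuniga.com.example.net", False)]
    for name, resp in cases:
        hit = sid_100063_matches(build_dns_message(name, response=resp))
        print(f"{name:30s} response={str(resp):5s} -> {'ALERT' if hit else 'no match'}")
    print(dns_blacklist_rule("example.invalid", 1000064, "Win.Trojan.Zbot"))
```

The emulation is only a sanity check on the rule logic; the real test is replaying the attached captures through Snort, for example `snort -c snort.conf -r zbot_dns.pcap -A console` (the config path is an assumption). That replay is also worth running for the updated sid:100060 rule: its `http_uri` check inspects the client request while `file_data` inspects the HTTP response body, and the rule header only covers the $HOME_NET -> $EXTERNAL_NET direction, so `zbot_http_download.pcap` is the quick way to confirm whether the combined rule fires at all.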