[Snort-sigs] Win32/64 Napolar sig

Nick Randolph drandolph at ...435...
Wed Sep 25 16:21:53 EDT 2013


I would bet that the USER_NAME and COMP_NAME are variable depending on the
victim. Avast might have removed them to hide some internal data. They did
include some hashes so I'll run those through our sandbox and let you know
what I see.


On Wed, Sep 25, 2013 at 3:30 PM, James Lay <jlay at ...3266...> wrote:

> First attempt...hope it doesn't stink :)
>
> # Match in the client request body (http_client_body): in Snort 2.9 the
> # file_data buffer covers HTTP response bodies only, so with flow:to_server
> # the original content option had nothing to inspect.
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC W32/64.Napolar initial POST"; flow:to_server,established; http_client_body; content:"|26|u=USER_NAME|26|c=COMP_NAME|26|s="; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http, ruleset community; reference:url,blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/; classtype:trojan-activity; sid:10000099; rev:1;)
>
> James
>



-- 

Nick Randolph
Research Engineer
Sourcefire, Inc.
nrandolph at ...435...
Sourcefire.com <http://www.sourcefire.com/>
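The rule quoted above keys on one literal byte string in the POST body, and the reply points out that the two names in it are probably per-victim values. The script below is an added example, not code from this thread, from Snort, or from the Avast write-up: it emulates the rule's exact content match over constructed HTTP requests, restricts the check to the request body the way http_client_body does, and contrasts it with a relaxed pattern that treats the user and computer names as variable tokens. The sample requests, the request path, the body layout and the relaxed regex are all assumptions made for illustration; nothing here is taken from the malware's real protocol.

```python
"""Compare a literal Snort-style content match with a relaxed pattern over
constructed HTTP POST bodies. Added example, not part of the original thread."""
import re

# Literal content from the posted rule; |26| is Snort hex notation for '&'.
RULE_CONTENT = b"&u=USER_NAME&c=COMP_NAME&s="

# Hypothetical relaxed pattern (an assumption, not from the rule or the
# write-up): same key order, but the user and computer names become variable
# tokens of 1-64 bytes that contain no '&', '=' or whitespace.
VARIABLE_PATTERN = re.compile(rb"&u=[^&=\s]{1,64}&c=[^&=\s]{1,64}&s=")


def split_request(raw: bytes) -> tuple[bytes, dict[bytes, bytes], bytes]:
    """Split a raw HTTP/1.1 request into (request line, headers, body).

    Only the body is inspected below, mirroring a rule whose content match is
    scoped to the client request body rather than the URI or headers.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("malformed request: no header/body separator")
    lines = head.split(b"\r\n")
    request_line = lines[0]
    headers: dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so trailing bytes on the wire are not inspected.
    if b"content-length" in headers:
        body = body[: int(headers[b"content-length"])]
    return request_line, headers, body


def literal_match(body: bytes) -> bool:
    """What the posted rule's content option does: an exact byte match."""
    return RULE_CONTENT in body


def variable_match(body: bytes) -> bool:
    """Relaxed match that tolerates victim-specific names."""
    return VARIABLE_PATTERN.search(body) is not None


def evaluate(requests: dict[str, bytes]) -> dict[str, tuple[bool, bool]]:
    """Return {sample name: (literal hit, relaxed hit)}; non-POSTs never hit."""
    results = {}
    for name, raw in requests.items():
        request_line, _, body = split_request(raw)
        if not request_line.startswith(b"POST "):
            results[name] = (False, False)
            continue
        results[name] = (literal_match(body), variable_match(body))
    return results


def build_post(body: bytes) -> bytes:
    """Wrap a body in a minimal form POST (path and host are placeholders)."""
    return (b"POST /post HTTP/1.1\r\n"
            b"Host: example.invalid\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body) + body)


# Constructed samples, not real captures.
SAMPLES = {
    # Body exactly as the placeholder string in the write-up: both checks hit.
    "placeholder_beacon": build_post(b"v=1&u=USER_NAME&c=COMP_NAME&s=abc"),
    # Same layout with per-victim values: the literal rule misses it.
    "victim_beacon": build_post(b"v=1&u=jdoe&c=WIN7-PC&s=abc"),
    # Ordinary form with the same short keys: the relaxed pattern false-positives.
    "benign_lookalike": build_post(b"x=1&u=jdoe&c=1&s=2"),
    # Placeholder string in the URI of a GET: no request body, neither hits.
    "pattern_in_uri": (b"GET /?&u=USER_NAME&c=COMP_NAME&s=abc HTTP/1.1\r\n"
                       b"Host: example.invalid\r\n\r\n"),
}

if __name__ == "__main__":
    for name, (lit, var) in evaluate(SAMPLES).items():
        print(f"{name:20s} literal={lit!s:5s} relaxed={var}")
```

The benign_lookalike sample is the point to weigh before loosening the rule: once the names are wildcarded, any form post carrying `&u=`, `&c=` and `&s=` in that order trips it, so a relaxed version needs a further anchor (a fixed prefix, the full set of keys, or a value format) before it belongs in a drop policy.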