[Snort-sigs] Win32/64 Napolar sig

James Lay jlay at ...3266...
Wed Sep 25 17:24:13 EDT 2013


On 2013-09-25 14:21, Nick Randolph wrote:
> I would bet that the USER_NAME and COMP_NAME are variable depending on
> the victim. Avast might have removed them to hide some internal data.
> They did include some hashes so I'll run those through our sandbox and
> let you know what I see.
>
> On Wed, Sep 25, 2013 at 3:30 PM, James Lay <jlay at ...3266...> wrote:
>
>> First attempt...hope it doesn't stink :)
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC W32/64.Napolar initial POST"; flow:to_server,established; file_data; content:"|26|u=USER_NAME|26|c=COMP_NAME|26|s="; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http, ruleset community; reference:url,blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/; classtype:trojan-activity; sid:10000099; rev:1;)
>>
>> James

Yep...variables:

http://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/

Darn.

James
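The point the thread settles on, as an added example (not code from the thread, from Avast, or from the Snort project): a content match anchored on Avast's redaction placeholders only fires on the redacted write-up, never on a real beacon, because each infected host sends its own user and computer name. The script below decodes the posted content option into the raw bytes Snort would search for and runs it, beside an assumed structure-based pcre generalisation (fixed parameter names, variable values), over constructed sample POST bodies. The sample bodies and the pcre are assumptions for illustration, not captures or a published rule.

```python
"""
Why a Snort content match on Avast's placeholder values ("USER_NAME",
"COMP_NAME") misses real Napolar beacons, and what a structure-based
match looks like instead.  Sample POST bodies are constructed, not real
captures; the pcre generalisation is an assumption, not a published rule.
"""
import re


def snort_content_to_bytes(content: str) -> bytes:
    """Translate Snort content syntax (|xx| hex escapes, e.g. |26| == '&')
    into the raw bytes the detection engine actually searches for."""
    out = bytearray()
    i = 0
    while i < len(content):
        if content[i] == "|":
            end = content.index("|", i + 1)            # closing pipe of the hex run
            out.extend(bytes.fromhex(content[i + 1:end]))
            i = end + 1
        else:
            out.append(ord(content[i]))
            i += 1
    return bytes(out)


# The content option exactly as posted in the thread.
POSTED_CONTENT = "|26|u=USER_NAME|26|c=COMP_NAME|26|s="
LITERAL_PATTERN = snort_content_to_bytes(POSTED_CONTENT)

# Assumed generalisation: match the fixed parameter names in their order,
# not the per-victim values.  The equivalent Snort option would be roughly
#   pcre:"/&u=[^&]+&c=[^&]+&s=/";
# (an assumption for illustration, not taken from the thread or Avast).
STRUCTURE_PATTERN = re.compile(rb"&u=[^&]+&c=[^&]+&s=")

# Constructed sample HTTP POST bodies (not real traffic).
SAMPLE_BODIES = {
    # what the redacted write-up showed
    "avast_placeholder": b"v=1&u=USER_NAME&c=COMP_NAME&s=0",
    # what an infected host would send: its own user and computer name
    "victim_host": b"v=1&u=alice&c=WORKSTATION-07&s=0",
    # same parameter names in a different order: not this beacon format
    "reordered": b"v=1&c=WORKSTATION-07&u=alice&s=0",
    # unrelated web form with similar-looking parameters
    "benign_form": b"user=alice&comp=WORKSTATION-07&session=0",
}


def literal_match(body: bytes) -> bool:
    """What the rule as posted does: exact byte match on the placeholders."""
    return LITERAL_PATTERN in body


def structure_match(body: bytes) -> bool:
    """Structure-based match: fixed keys, any non-empty values."""
    return STRUCTURE_PATTERN.search(body) is not None


def evaluate(bodies=SAMPLE_BODIES) -> dict:
    """Return {name: (literal_hit, structure_hit)} for each sample body."""
    return {name: (literal_match(b), structure_match(b)) for name, b in bodies.items()}


if __name__ == "__main__":
    for name, (lit, struct) in evaluate().items():
        print(f"{name:18s} literal={str(lit):5s} structure={struct}")
```

Only the redacted placeholder body satisfies the literal match; the structure pattern also catches the realistic victim body while still rejecting the reordered and benign forms, which is the property to check for whatever replacement content or pcre ends up in the rule.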
