[Snort-sigs] Win32/64 Napolar sig

James Lay jlay at ...3266...
Wed Sep 25 17:32:37 EDT 2013


On 2013-09-25 15:24, James Lay wrote:
> On 2013-09-25 14:21, Nick Randolph wrote:
>> I would bet that the USER_NAME and COMP_NAME are variable depending
>> on
>> the victim. Avast might have removed them to hide some internal 
>> data.
>> They did include some hashes so Ill run those through our sandbox 
>> and
>> let you know what I see.
>>
>> On Wed, Sep 25, 2013 at 3:30 PM, James Lay <jlay at ...3266...
>> [7]> wrote:
>>
>>> First attempt...hope it doesnt stink :)
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
>>> (msg:"MALWARE-CNC
>>> W32/64.Napolar initial POST"; flow:to_server, established;
>>> file_data;
>>> content:"|26|u=USER_NAME|26|c=COMP_NAME|26|s="; fast_pattern:only;
>>> metadata:policy balanced-ips drop, policy security-ips drop,
>>> service
>>> http, ruleset community;
>>>
>>
>> 
>> reference:url,blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/
>>> [1];
>>> classtype:trojan-activity; sid:10000099; rev:1;)
>>>
>>> James
>
> Yep...variables:
>
> 
> http://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/
>
> Darn.
>
> James

Meh:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
W32/64.Napolar initial POST"; flow:to_server, established; file_data; 
content:"POST"; http_method; content:"v="; content:"|26|u="; 
content:"|26|c="; content:"|26|s="; metadata:policy balanced-ips drop, 
policy security-ips drop, service http, ruleset community; 
reference:url,blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/; 
classtype:trojan-activity; sid:10000099; rev:2;)

This is probably cheesy....bet the proper way would be to lookup max 
username and machine name and allowed characters for winders and PCRE it 
up...but to be real honest I'm just not in the mood for pcre today ;)

James




More information about the Snort-sigs mailing list