[Snort-sigs] Win32/64 Napolar sig

Nick Randolph drandolph at ...435...
Mon Sep 30 11:17:28 EDT 2013


This is what we ended up with:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Napolar outbound connection attempt"; flow:to_server,established; content:"POST"; http_method; content:"v="; http_client_body; content:"|26|u="; within:3; distance:3; http_client_body; content:"|26|c="; distance:0; http_client_body; content:"|26|s={"; distance:0; http_client_body; content:"}|26|w="; within:4; distance:36; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/463d39dcbf19b5c4c9e314e5ce77bf8a51848b8c7d64e4f0a6656b9d28941e2e/analysis/; classtype:trojan-activity; sid:28079; rev:1;)

Another contributor submitted this as well:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Napolar trojan data theft"; flow:to_server,established; content:".exe&h="; fast_pattern:only; http_client_body; content:"p="; depth:2; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/12781be5908ecc3dbf4a459e4cbc7bedb654b50236f7a961e85f3af5e2275ddf/analysis/; classtype:trojan-activity; sid:28080; rev:1;)


On Wed, Sep 25, 2013 at 5:32 PM, James Lay <jlay at ...3266...> wrote:

> On 2013-09-25 15:24, James Lay wrote:
> > On 2013-09-25 14:21, Nick Randolph wrote:
> >> I would bet that the USER_NAME and COMP_NAME are variable depending on
> >> the victim. Avast might have removed them to hide some internal data.
> >> They did include some hashes so I'll run those through our sandbox and
> >> let you know what I see.
> >>
> >> On Wed, Sep 25, 2013 at 3:30 PM, James Lay <jlay at ...3266...> wrote:
> >>
> >>> First attempt...hope it doesn't stink :)
> >>>
> >>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC W32/64.Napolar initial POST"; flow:to_server, established; file_data; content:"|26|u=USER_NAME|26|c=COMP_NAME|26|s="; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http, ruleset community; reference:url,blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/; classtype:trojan-activity; sid:10000099; rev:1;)
> >>>
> >>> James
> >
> > Yep...variables:
> >
> > http://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/
> >
> > Darn.
> >
> > James
>
> Meh:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC W32/64.Napolar initial POST"; flow:to_server, established; file_data; content:"POST"; http_method; content:"v="; content:"|26|u="; content:"|26|c="; content:"|26|s="; metadata:policy balanced-ips drop, policy security-ips drop, service http, ruleset community; reference:url,blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/; classtype:trojan-activity; sid:10000099; rev:2;)
>
> This is probably cheesy....bet the proper way would be to lookup max
> username and machine name and allowed characters for winders and PCRE it
> up...but to be real honest I'm just not in the mood for pcre today ;)
>
> James
>



-- 

Nick Randolph
Research Engineer
Sourcefire, Inc.
nrandolph at ...435...
Sourcefire.com <http://www.sourcefire.com/>
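Added example (not from this thread, Sourcefire or the Snort project): a small Python evaluator for Snort's content/distance/within/depth semantics, used to check the http_client_body chains of sid:28079 and sid:28080 above against constructed POST bodies. The bodies are made up to fit the rules (the 36-byte token inside the braces is a GUID-shaped placeholder; the rule fixes only its length, not its format), and the evaluator models only the client-body contents, not the http_method check, flow state or the fast-pattern matcher. Like Snort, it retries an earlier content at its next occurrence when a later relative content fails.

```python
# Added example, not Snort code: evaluate a list of content checks with
# Snort's relative-match semantics against a single buffer (the POST body).

def match_chain(buf: bytes, chain: list, start: int = 0) -> bool:
    """Evaluate (pattern, options) content checks in order, with backtracking.

    options may contain:
      distance: bytes to skip after the previous match before searching
      within:   the pattern must lie entirely inside this many bytes after
                the (distance-adjusted) search start
      depth:    absolute limit from the start of the buffer (non-relative)
    `start` is the end offset of the previous match (0 for the first content).
    """
    if not chain:
        return True
    pattern, opts = chain[0]
    relative = "distance" in opts or "within" in opts
    lo = start + opts.get("distance", 0) if relative else 0
    if "within" in opts:
        hi = lo + opts["within"]
    elif "depth" in opts:
        hi = opts["depth"]
    else:
        hi = len(buf)
    idx = buf.find(pattern, lo, hi)  # pattern must fit entirely in [lo, hi)
    while idx >= 0:
        if match_chain(buf, chain[1:], idx + len(pattern)):
            return True
        idx = buf.find(pattern, idx + 1, hi)  # backtrack: next occurrence
    return False


# Client-body chain of sid:28079, transcribed from the rule in this message.
SID_28079_BODY = [
    (b"v=", {}),
    (b"&u=", {"distance": 3, "within": 3}),    # exactly 3 bytes of version value
    (b"&c=", {"distance": 0}),
    (b"&s={", {"distance": 0}),
    (b"}&w=", {"distance": 36, "within": 4}),  # exactly 36 bytes inside the braces
]

# Client-body chain of sid:28080; both contents are non-relative.
SID_28080_BODY = [
    (b".exe&h=", {}),        # anywhere in the body
    (b"p=", {"depth": 2}),   # body must begin with p=
]


def matches_sid_28079(body: bytes) -> bool:
    return match_chain(body, SID_28079_BODY)


def matches_sid_28080(body: bytes) -> bool:
    return match_chain(body, SID_28080_BODY)


# Constructed sample bodies (not real captures). The field names beyond what
# the rules spell out, and the 36-character GUID-shaped token, are assumptions.
SAMPLES = {
    "napolar-like":       b"v=1.0&u=USER_NAME&c=COMP_NAME&s={12345678-1234-1234-1234-123456789abc}&w=7",
    "4-byte version":     b"v=10.1&u=USER_NAME&c=COMP_NAME&s={12345678-1234-1234-1234-123456789abc}&w=7",
    "35-byte token":      b"v=1.0&u=USER_NAME&c=COMP_NAME&s={12345678-1234-1234-1234-12345678abc}&w=7",
    "leading v= decoy":   b"v=1&v=1.0&u=USER_NAME&c=COMP_NAME&s={12345678-1234-1234-1234-123456789abc}&w=7",
    "data-theft-like":    b"p=1&n=sample.exe&h=0",
    "p= not at offset 0": b"x=1&p=2&n=sample.exe&h=0",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:20} sid:28079={matches_sid_28079(body)!s:5} "
              f"sid:28080={matches_sid_28080(body)}")
```

Running it shows that the "4-byte version" and "35-byte token" bodies do not trip sid:28079 even though every literal is present: the within/distance pairs pin the lengths of the v= value and the braced token, which is what makes this rule narrower than the earlier version in the thread that only used unanchored contents. The "leading v= decoy" body still matches because the evaluator, like Snort, moves on to the next v= when the first one cannot satisfy the &u= constraint.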