[Snort-sigs] Careto/Mask Rules

Tony Robinson deusexmachina667 at ...2420...
Tue Feb 11 19:46:10 EST 2014


Howdy. Made and tested these based on the information provided in the
Kaspersky Labs report. Most of these are just Blacklist DNS rules
based off of the VRT template for DNS alerts, built from the unique domain
names Kaspersky identified during the Careto campaign.

Additionally, I've included a signature for the malicious user-agent
associated with the malware, and rules that I hope will prove to be
useless now that the associated malware domains have (hopefully) been
taken down: their signatures look for users requesting the infected xpi
and crx files with the sbd backdoor embedded.

This is my first time doing this, so if I'm doing something horribly
wrong, please be gentle...

# Careto malware domain linkconf.net: standard DNS query (DNS header byte 2
# has the QR/opcode bits clear) from $HOME_NET to udp/53 whose QNAME is
# linkconf.net; the trailing |00| (root label) pins the end of the name.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for
known malware domain linkconf.net - Careto "; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|08|linkconf|03|net|00|";
fast_pattern:only; metadata:impact_flag red, policy security-ips drop,
service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf;
classtype:trojan-activity; sid:1000010; rev:1;)

# Careto malware domain redirserver.net: standard DNS query (header byte 2
# QR/opcode clear) from $HOME_NET to udp/53 for redirserver.net; the
# trailing |00| root label pins the end of the name.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for
known malware domain redirserver.net - Careto "; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|0B|redirserver|03|net|00|";
fast_pattern:only; metadata:impact_flag red, policy security-ips drop,
service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf;
classtype:trojan-activity; sid:1000011; rev:1;)

# Careto malware domain swupdt.com: standard DNS query (header byte 2
# QR/opcode clear) from $HOME_NET to udp/53 for swupdt.com; the trailing
# |00| root label pins the end of the name.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for
known malware domain swupdt.com - Careto "; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|06|swupdt|03|com|00|";
fast_pattern:only; metadata:impact_flag red, policy security-ips drop,
service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf;
classtype:trojan-activity; sid:1000012; rev:1;)

# Careto malware domain appleupdt.com: standard DNS query (header byte 2
# QR/opcode clear) from $HOME_NET to udp/53 for appleupdt.com; the trailing
# |00| root label pins the end of the name.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for
known malware domain appleupdt.com - Careto "; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|09|appleupdt|03|com|00|";
fast_pattern:only; metadata:impact_flag red, policy security-ips drop,
service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf;
classtype:trojan-activity; sid:1000013; rev:1;)

# Careto malware domain msupdt.com: standard DNS query (header byte 2
# QR/opcode clear) from $HOME_NET to udp/53 for msupdt.com.
# NOTE(review): no trailing |00| root label here, unlike sids 1000010-1000013,
# so this also matches names that continue past ".com" (e.g. search-suffix
# appended lookups). This and the DNS rules that follow should be made
# consistent with the first four once the intended behaviour is decided.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for
known malware domain msupdt.com - Careto "; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|06|msupdt|03|com"; fast_pattern:only;
metadata:impact_flag red, policy security-ips drop, service dns;
reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf;
classtype:trojan-activity; sid:1000014; rev:1;)

# Careto malware domain services.serveftp.org: standard DNS query (header
# byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|, so the
# name may continue past ".org".
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for
known malware domain services.serveftp.org - Careto "; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|08|services|08|serveftp|03|org";
fast_pattern:only; metadata:impact_flag red, policy security-ips drop,
service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf;
classtype:trojan-activity; sid:1000015; rev:1;)

# Careto malware domain on dyndns.tv: standard DNS query (header byte 2
# QR/opcode clear) from $HOME_NET to udp/53.
# NOTE(review): the msg names gx5369.dyndns.tv but the content matches the
# label "gx5639" - the digits are transposed in one of the two. Verify the
# domain against the referenced report and correct whichever is wrong;
# as written the rule may never fire on the intended domain.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for
known malware domain gx5369.dyndns.tv - Careto "; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|06|gx5639|06|dyndns|02|tv";
fast_pattern:only; metadata:impact_flag red, policy security-ips drop,
service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf;
classtype:trojan-activity; sid:1000016; rev:1;)

# Careto malware domain mango66.dyndns.org: standard DNS query (header
# byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for
known malware domain mango66.dyndns.org - Careto "; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|07|mango66|06|dyndns|03|org";
fast_pattern:only; metadata:impact_flag red, policy security-ips drop,
service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf;
classtype:trojan-activity; sid:1000017; rev:1;)

# Careto malware domain ctronlinenews.dyndns.tv: standard DNS query (header
# byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for
known malware domain ctronlinenews.dyndns.tv - Careto ";
flow:to_server; byte_test:1,!&,0xF8,2;
content:"|0D|ctronlinenews|06|dyndns|02|tv"; fast_pattern:only;
metadata:impact_flag red, policy security-ips drop, service dns;
reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf;
classtype:trojan-activity; sid:1000018; rev:1;)

# Careto malware domain fast8.homeftp.org: standard DNS query (header
# byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for
known malware domain fast8.homeftp.org - Careto "; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|05|fast8|07|homeftp|03|org";
fast_pattern:only; metadata:impact_flag red, policy security-ips drop,
service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf;
classtype:trojan-activity; sid:1000019; rev:1;)

# Careto malware domain wwnav.selfip.net: standard DNS query (header
# byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for
known malware domain wwnav.selfip.net - Careto "; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|05|wwnav|06|selfip|03|net";
fast_pattern:only; metadata:impact_flag red, policy security-ips drop,
service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf;
classtype:trojan-activity; sid:1000020; rev:1;)

# Careto malware domain dfup.selfip.net: standard DNS query (header
# byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for
known malware domain dfup.selfip.net - Careto "; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|04|dfup|06|selfip|03|net";
fast_pattern:only; metadata:impact_flag red, policy security-ips drop,
service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf;
classtype:trojan-activity; sid:1000021; rev:1;)

# Careto malware domain takami.podzone.net: standard DNS query (header
# byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for
known malware domain takami.podzone.net - Careto "; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|06|takami|07|podzone|03|net";
fast_pattern:only; metadata:impact_flag red, policy security-ips drop,
service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf;
classtype:trojan-activity; sid:1000022; rev:1;)

# Careto malware domain ricush.ath.cx: standard DNS query (header
# byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for
known malware domain ricush.ath.cx - Careto "; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|06|ricush|03|ath|02|cx";
fast_pattern:only; metadata:impact_flag red, policy security-ips drop,
service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf;
classtype:trojan-activity; sid:1000023; rev:1;)

# Careto malware domain carrus.gotdns.com: standard DNS query (header
# byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for
known malware domain carrus.gotdns.com - Careto "; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|06|carrus|06|gotdns|03|com";
fast_pattern:only; metadata:impact_flag red, policy security-ips drop,
service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf;
classtype:trojan-activity; sid:1000024; rev:1;)

# NOTE(review): duplicate of sid 1000022 - identical msg and content for
# takami.podzone.net, so both rules fire on the same query. Either drop
# this rule or replace its domain with the one it was meant to cover
# (check the report's domain list for what is missing from this set).
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for
known malware domain takami.podzone.net - Careto "; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|06|takami|07|podzone|03|net";
fast_pattern:only; metadata:impact_flag red, policy security-ips drop,
service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf;
classtype:trojan-activity; sid:1000025; rev:1;)

# Careto malware domain cherry1962.dyndns.org: standard DNS query (header
# byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for
known malware domain cherry1962.dyndns.org - Careto "; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|0A|cherry1962|06|dyndns|03|org";
fast_pattern:only; metadata:impact_flag red, policy security-ips drop,
service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf;
classtype:trojan-activity; sid:1000026; rev:1;)

# Careto malware domain sv.serveftp.org: standard DNS query (header
# byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for
known malware domain sv.serveftp.org - Careto "; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|02|sv|08|serveftp|03|org";
fast_pattern:only; metadata:impact_flag red, policy security-ips drop,
service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf;
classtype:trojan-activity; sid:1000027; rev:1;)

# Careto malware domain pl400.dyndns.org: standard DNS query (header
# byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for
known malware domain pl400.dyndns.org - Careto "; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|05|pl400|06|dyndns|03|org";
fast_pattern:only; metadata:impact_flag red, policy security-ips drop,
service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf;
classtype:trojan-activity; sid:1000028; rev:1;)

# Careto malware domain wqq.dyndns.org: standard DNS query (header
# byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for
known malware domain wqq.dyndns.org - Careto "; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|03|wqq|06|dyndns|03|org";
fast_pattern:only; metadata:impact_flag red, policy security-ips drop,
service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf;
classtype:trojan-activity; sid:1000029; rev:1;)

# Careto malware domain pininfarina.dynalias.com: standard DNS query (header
# byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for
known malware domain pininfarina.dynalias.com - Careto ";
flow:to_server; byte_test:1,!&,0xF8,2;
content:"|0B|pininfarina|08|dynalias|03|com"; fast_pattern:only;
metadata:impact_flag red, policy security-ips drop, service dns;
reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf;
classtype:trojan-activity; sid:1000030; rev:1;)

# Careto malware domain nav1002.ath.cx: standard DNS query (header
# byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for
known malware domain nav1002.ath.cx - Careto "; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|07|nav1002|03|ath|02|cx";
fast_pattern:only; metadata:impact_flag red, policy security-ips drop,
service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf;
classtype:trojan-activity; sid:1000031; rev:1;)

# Careto malware domain prosoccer2.dyndns.info: standard DNS query (header
# byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for
known malware domain prosoccer2.dyndns.info - Careto ";
flow:to_server; byte_test:1,!&,0xF8,2;
content:"|0A|prosoccer2|06|dyndns|04|info"; fast_pattern:only;
metadata:impact_flag red, policy security-ips drop, service dns;
reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf;
classtype:trojan-activity; sid:1000032; rev:1;)

# Careto malware domain prosoccer1.dyndns.info: standard DNS query (header
# byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for
known malware domain prosoccer1.dyndns.info - Careto ";
flow:to_server; byte_test:1,!&,0xF8,2;
content:"|0A|prosoccer1|06|dyndns|04|info"; fast_pattern:only;
metadata:impact_flag red, policy security-ips drop, service dns;
reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf;
classtype:trojan-activity; sid:1000033; rev:1;)

# Careto malware domain tunga.homedns.org: standard DNS query (header
# byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for
known malware domain tunga.homedns.org - Careto "; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|05|tunga|07|homedns|03|org";
fast_pattern:only; metadata:impact_flag red, policy security-ips drop,
service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf;
classtype:trojan-activity; sid:1000034; rev:1;)

# Careto malware domain nthost.shacknet.nu: standard DNS query (header
# byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for
known malware domain nthost.shacknet.nu - Careto "; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|06|nthost|08|shacknet|02|nu";
fast_pattern:only; metadata:impact_flag red, policy security-ips drop,
service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf;
classtype:trojan-activity; sid:1000035; rev:1;)

# Careto malware User-Agent: outbound HTTP request ($HOME_NET ->
# $EXTERNAL_NET on $HTTP_PORTS, established, client side) whose header
# buffer contains the exact string
#   "User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)".
# NOTE(review): the sid has one digit more than the 1000010-1000035 series
# (same for 10000037-10000039); this looks like a typo for 1000036 - fix
# before later rules are numbered after it. This UA is also a generic
# legacy IE 4.01 string, so some false positives from old clients are
# plausible; verify on local traffic before enabling the drop policy.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST
User-Agent known malicious user agent- Careto malware";
flow:to_server,established; content:"User-Agent|3A| Mozilla/4.0
|28|compatible|3B| MSIE 4.01|3B| Windows NT|29|";  fast_pattern:only;
http_header; metadata:impact_flag red, policy security-ips drop,
service http; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf;
classtype:trojan-activity; sid:10000036; rev:1;)

# Careto Linux XPI plugin download: outbound HTTP GET (method buffer, case-
# insensitive) whose normalized URI contains "/l/af_l_addon.xpi".
# NOTE(review): sid 10000037 is out of series with 1000010-1000035 (one
# extra digit); likely meant to be 1000037.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST
URI - Careto XPI plugin download request - Linux";
flow:to_server,established; content:"GET"; nocase; http_method;
content:"/l/af_l_addon.xpi"; nocase; http_uri; metadata:impact_flag
red, policy security-ips drop, service http;
reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf;
classtype:trojan-activity; sid:10000037; rev:1;)

# Careto OSX XPI plugin download: outbound HTTP GET (method buffer, case-
# insensitive) whose normalized URI contains "/m/af_l_addon.xpi".
# NOTE(review): sid 10000038 is out of series with 1000010-1000035 (one
# extra digit); likely meant to be 1000038.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST
URI - Careto XPI plugin download request - OSX";
flow:to_server,established; content:"GET"; nocase; http_method;
content:"/m/af_l_addon.xpi"; nocase; http_uri; metadata:impact_flag
red, policy security-ips drop, service http;
reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf;
classtype:trojan-activity; sid:10000038; rev:1;)

# Careto Windows CRX plugin download: outbound HTTP GET (method buffer,
# case-insensitive) whose normalized URI contains "/ag/plugin.crx".
# NOTE(review): sid 10000039 is out of series with 1000010-1000035 (one
# extra digit); likely meant to be 1000039.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST
URI - Careto CRX plugin download request - Windows";
flow:to_server,established; content:"GET"; nocase; http_method;
content:"/ag/plugin.crx"; nocase; http_uri; metadata:impact_flag red,
policy security-ips drop, service http;
reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf;
classtype:trojan-activity; sid:10000039; rev:1;)

Cheers,

DA_667



-- 
when does reality end? when does fantasy begin?
-------------- next part --------------
# Careto malware domain linkconf.net: standard DNS query (DNS header byte 2 has the QR/opcode bits clear) from $HOME_NET to udp/53; the trailing |00| root label pins the end of the name.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain linkconf.net - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|linkconf|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000010; rev:1;)

# Careto malware domain redirserver.net: standard DNS query (header byte 2 QR/opcode clear) from $HOME_NET to udp/53; trailing |00| pins the end of the name.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain redirserver.net - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|redirserver|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000011; rev:1;)

# Careto malware domain swupdt.com: standard DNS query (header byte 2 QR/opcode clear) from $HOME_NET to udp/53; trailing |00| pins the end of the name.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain swupdt.com - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|swupdt|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000012; rev:1;)

# Careto malware domain appleupdt.com: standard DNS query (header byte 2 QR/opcode clear) from $HOME_NET to udp/53; trailing |00| pins the end of the name.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain appleupdt.com - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|appleupdt|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000013; rev:1;)

# Careto malware domain msupdt.com: standard DNS query (header byte 2 QR/opcode clear) from $HOME_NET to udp/53.
# NOTE(review): no trailing |00| root label here, unlike sids 1000010-1000013, so this also matches names that continue past ".com"; this and the DNS rules that follow should be made consistent with the first four once the intended behaviour is decided.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain msupdt.com - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|msupdt|03|com"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000014; rev:1;)

# Careto malware domain services.serveftp.org: standard DNS query (header byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain services.serveftp.org - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|services|08|serveftp|03|org"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000015; rev:1;)

# Careto malware domain on dyndns.tv: standard DNS query (header byte 2 QR/opcode clear) from $HOME_NET to udp/53.
# NOTE(review): the msg names gx5369.dyndns.tv but the content matches the label "gx5639" - digits are transposed in one of the two; verify against the referenced report and correct whichever is wrong, otherwise the rule may never fire on the intended domain.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain gx5369.dyndns.tv - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|gx5639|06|dyndns|02|tv"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000016; rev:1;)

# Careto malware domain mango66.dyndns.org: standard DNS query (header byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain mango66.dyndns.org - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|mango66|06|dyndns|03|org"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000017; rev:1;)

# Careto malware domain ctronlinenews.dyndns.tv: standard DNS query (header byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain ctronlinenews.dyndns.tv - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|ctronlinenews|06|dyndns|02|tv"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000018; rev:1;)

# Careto malware domain fast8.homeftp.org: standard DNS query (header byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain fast8.homeftp.org - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|fast8|07|homeftp|03|org"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000019; rev:1;)

# Careto malware domain wwnav.selfip.net: standard DNS query (header byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain wwnav.selfip.net - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|wwnav|06|selfip|03|net"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000020; rev:1;)

# Careto malware domain dfup.selfip.net: standard DNS query (header byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain dfup.selfip.net - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|dfup|06|selfip|03|net"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000021; rev:1;)

# Careto malware domain takami.podzone.net: standard DNS query (header byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain takami.podzone.net - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|takami|07|podzone|03|net"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000022; rev:1;)

# Careto malware domain ricush.ath.cx: standard DNS query (header byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain ricush.ath.cx - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|ricush|03|ath|02|cx"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000023; rev:1;)

# Careto malware domain carrus.gotdns.com: standard DNS query (header byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain carrus.gotdns.com - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|carrus|06|gotdns|03|com"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000024; rev:1;)

# NOTE(review): duplicate of sid 1000022 - identical msg and content for takami.podzone.net, so both rules fire on the same query; drop this rule or replace its domain with the one it was meant to cover.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain takami.podzone.net - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|takami|07|podzone|03|net"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000025; rev:1;)

# Careto malware domain cherry1962.dyndns.org: standard DNS query (header byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain cherry1962.dyndns.org - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|cherry1962|06|dyndns|03|org"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000026; rev:1;)

# Careto malware domain sv.serveftp.org: standard DNS query (header byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain sv.serveftp.org - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|sv|08|serveftp|03|org"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000027; rev:1;)

# Careto malware domain pl400.dyndns.org: standard DNS query (header byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain pl400.dyndns.org - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|pl400|06|dyndns|03|org"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000028; rev:1;)

# Careto malware domain wqq.dyndns.org: standard DNS query (header byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain wqq.dyndns.org - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|wqq|06|dyndns|03|org"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000029; rev:1;)

# Careto malware domain pininfarina.dynalias.com: standard DNS query (header byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain pininfarina.dynalias.com - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|pininfarina|08|dynalias|03|com"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000030; rev:1;)

# Careto malware domain nav1002.ath.cx: standard DNS query (header byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain nav1002.ath.cx - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|nav1002|03|ath|02|cx"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000031; rev:1;)

# Careto malware domain prosoccer2.dyndns.info: standard DNS query (header byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain prosoccer2.dyndns.info - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|prosoccer2|06|dyndns|04|info"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000032; rev:1;)

# Careto malware domain prosoccer1.dyndns.info: standard DNS query (header byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain prosoccer1.dyndns.info - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|prosoccer1|06|dyndns|04|info"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000033; rev:1;)

# Careto malware domain tunga.homedns.org: standard DNS query (header byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain tunga.homedns.org - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|tunga|07|homedns|03|org"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000034; rev:1;)

# Careto malware domain nthost.shacknet.nu: standard DNS query (header byte 2 QR/opcode clear) from $HOME_NET to udp/53; no trailing |00|.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain nthost.shacknet.nu - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|nthost|08|shacknet|02|nu"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000035; rev:1;)

# Careto malware User-Agent: outbound HTTP request ($HOME_NET -> $EXTERNAL_NET on $HTTP_PORTS, established, client side) whose header buffer contains the exact string "User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)".
# NOTE(review): the sid has one digit more than the 1000010-1000035 series (same for 10000037-10000039); this looks like a typo for 1000036. The UA is also a generic legacy IE 4.01 string, so some false positives from old clients are plausible; verify on local traffic before enabling the drop policy.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user agent- Careto malware"; flow:to_server,established; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 4.01|3B| Windows NT|29|";  fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:10000036; rev:1;)

# Careto Linux XPI plugin download: outbound HTTP GET (method buffer, case-insensitive) whose normalized URI contains "/l/af_l_addon.xpi".
# NOTE(review): sid 10000037 is out of series with 1000010-1000035 (one extra digit); likely meant to be 1000037.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST URI - Careto XPI plugin download request - Linux"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/l/af_l_addon.xpi"; nocase; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:10000037; rev:1;)

# Careto OSX XPI plugin download: outbound HTTP GET (method buffer, case-insensitive) whose normalized URI contains "/m/af_l_addon.xpi".
# NOTE(review): sid 10000038 is out of series with 1000010-1000035 (one extra digit); likely meant to be 1000038.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST URI - Careto XPI plugin download request - OSX"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/m/af_l_addon.xpi"; nocase; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:10000038; rev:1;)

# Careto Windows CRX plugin download: outbound HTTP GET (method buffer, case-insensitive) whose normalized URI contains "/ag/plugin.crx".
# NOTE(review): sid 10000039 is out of series with 1000010-1000035 (one extra digit); likely meant to be 1000039.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST URI - Careto CRX plugin download request - Windows"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/ag/plugin.crx"; nocase; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:10000039; rev:1;)

