[Snort-sigs] Careto/Mask Rules

Joel Esler (jesler) jesler at ...3865...
Wed Feb 12 12:01:50 EST 2014


Tony,

Thanks.  We’ve had a couple people send these in as well!  Fantastic! We’ll be shipping them soon.

--
Joel Esler
Threat Intelligence Team Lead
Open Source Manager
Vulnerability Research Team

On Feb 11, 2014, at 7:46 PM, Tony Robinson <deusexmachina667 at ...2420...> wrote:

> Howdy. Made and tested these based on the information provided in the
> Kaspersky Labs report. Most of these are just Blacklist DNS rules
> based off of the VRT template for DNS alerts, based on unique domain
> names Kaspersky identified during the Careto campaign.
> 
> Additionally, I've included a signature for the malicious user-agent
> associated with the malware, and included what I hope are rules that
> should prove to be useless what with the associated malware domains
> (hopefully) being taken down; these signatures look for users
> requesting the infected xpi and crx files with the sbd backdoor
> embedded.
> 
> This is my first time doing this, so if I'm doing something horribly
> wrong, please be gentle...
> 
> alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain linkconf.net - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|linkconf|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000010; rev:1;)
> 
> alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain redirserver.net - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|redirserver|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000011; rev:1;)
> 
> alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain swupdt.com - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|swupdt|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000012; rev:1;)
> 
> alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain appleupdt.com - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|appleupdt|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000013; rev:1;)
> 
> alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain msupdt.com - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|msupdt|03|com"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000014; rev:1;)
> 
> alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain services.serveftp.org - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|services|08|serveftp|03|org"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000015; rev:1;)
> 
> alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain gx5369.dyndns.tv - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|gx5639|06|dyndns|02|tv"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000016; rev:1;)
> 
> alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain mango66.dyndns.org - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|mango66|06|dyndns|03|org"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000017; rev:1;)
> 
> alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain ctronlinenews.dyndns.tv - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|ctronlinenews|06|dyndns|02|tv"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000018; rev:1;)
> 
> alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain fast8.homeftp.org - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|fast8|07|homeftp|03|org"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000019; rev:1;)
> 
> alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain wwnav.selfip.net - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|wwnav|06|selfip|03|net"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000020; rev:1;)
> 
> alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain dfup.selfip.net - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|dfup|06|selfip|03|net"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000021; rev:1;)
> 
> alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain takami.podzone.net - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|takami|07|podzone|03|net"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000022; rev:1;)
> 
> alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain ricush.ath.cx - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|ricush|03|ath|02|cx"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000023; rev:1;)
> 
> alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain carrus.gotdns.com - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|carrus|06|gotdns|03|com"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000024; rev:1;)
> 
> alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain takami.podzone.net - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|takami|07|podzone|03|net"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000025; rev:1;)
> 
> alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain cherry1962.dyndns.org - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|cherry1962|06|dyndns|03|org"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000026; rev:1;)
> 
> alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain sv.serveftp.org - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|sv|08|serveftp|03|org"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000027; rev:1;)
> 
> alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain pl400.dyndns.org - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|pl400|06|dyndns|03|org"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000028; rev:1;)
> 
> alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain wqq.dyndns.org - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|wqq|06|dyndns|03|org"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000029; rev:1;)
> 
> alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain pininfarina.dynalias.com - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|pininfarina|08|dynalias|03|com"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000030; rev:1;)
> 
> alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain nav1002.ath.cx - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|nav1002|03|ath|02|cx"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000031; rev:1;)
> 
> alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain prosoccer2.dyndns.info - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|prosoccer2|06|dyndns|04|info"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000032; rev:1;)
> 
> alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain prosoccer1.dyndns.info - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|prosoccer1|06|dyndns|04|info"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000033; rev:1;)
> 
> alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain tunga.homedns.org - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|tunga|07|homedns|03|org"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000034; rev:1;)
> 
> alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain nthost.shacknet.nu - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|nthost|08|shacknet|02|nu"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000035; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user agent- Careto malware"; flow:to_server,established; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 4.01|3B| Windows NT|29|"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:10000036; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST URI - Careto XPI plugin download request - Linux"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/l/af_l_addon.xpi"; nocase; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:10000037; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST URI - Careto XPI plugin download request - OSX"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/m/af_l_addon.xpi"; nocase; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:10000038; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST URI - Careto CRX plugin download request - Windows"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/ag/plugin.crx"; nocase; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:10000039; rev:1;)
> 
> Cheers,
> 
> DA_667
> 
> 
> 
> -- 
> when does reality end? when does fantasy begin?
> <Careto-snort-rules.txt>
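The DNS rules in the quoted post all share one pattern: the queried name as length-prefixed labels in the content string, gated by byte_test:1,!&,0xF8,2 so only standard queries (QR and OPCODE bits clear in the header's third byte) match. The helper below is an added example, not code from the post or from the VRT: it builds that content string from a domain, decodes it back, and cross-checks each rule's msg against its content, using two rules quoted from the post as input.

```python
import re

def dns_label_content(domain: str, terminate: bool = True) -> str:
    """Encode a domain the way the posted rules do: each label preceded by
    its one-byte length as |XX|, optionally ending in the |00| root label."""
    parts = []
    for label in domain.strip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad DNS label: {label!r}")
        parts.append(f"|{len(label):02X}|{label}")
    return "".join(parts) + ("|00|" if terminate else "")

def decode_label_content(content: str) -> str:
    """Reverse of dns_label_content; raises if a length byte disagrees
    with the label that follows it (a typo the rule would silently miss)."""
    labels = []
    for hexlen, text in re.findall(r"\|([0-9A-Fa-f]{2})\|([^|]*)", content):
        if hexlen == "00":
            break
        if int(hexlen, 16) != len(text):
            raise ValueError(f"length {hexlen} does not fit label {text!r}")
        labels.append(text)
    return ".".join(labels)

def is_standard_query(flags_hi: int) -> bool:
    """Mirror byte_test:1,!&,0xF8,2: none of QR (0x80) or OPCODE (0x78)
    may be set in the third header byte, so replies never trigger the rule."""
    return flags_hi & 0xF8 == 0

RULE_RE = re.compile(r'known malware domain (\S+) .*?content:"([^"]+)"', re.S)

def check_rule(rule: str) -> dict:
    """Compare the domain named in msg with the domain encoded in content."""
    m = RULE_RE.search(rule)
    if m is None:
        raise ValueError("not a blacklist DNS rule in the posted format")
    msg_domain, content = m.groups()
    decoded = decode_label_content(content)
    return {"msg": msg_domain, "content": decoded, "match": decoded == msg_domain}

# Two rules quoted from the post above (joined onto one line each).
OK_RULE = ('alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known '
           'malware domain linkconf.net - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; '
           'content:"|08|linkconf|03|net|00|"; fast_pattern:only; sid:1000010; rev:1;)')
TYPO_RULE = ('alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known '
             'malware domain gx5369.dyndns.tv - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; '
             'content:"|06|gx5639|06|dyndns|02|tv"; fast_pattern:only; sid:1000016; rev:1;)')

if __name__ == "__main__":
    for rule in (OK_RULE, TYPO_RULE):
        print(check_rule(rule))
```

Run over the posted rules, the check flags sid:1000016, whose msg names gx5369.dyndns.tv while the content encodes gx5639, so that one is worth confirming against the Kaspersky report before shipping.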