[Snort-sigs] RAT sigs from CrowdStrike Report

Y M snort at ...3751...
Wed Jul 16 16:21:10 EDT 2014


Yes, now I remember reading this post (another face-palm) and double RTFM.
Thanks Joel.
YM

From: jesler at ...3865...
To: snort at ...3751...
CC: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] RAT sigs from CrowdStrike Report
Date: Wed, 16 Jul 2014 20:14:46 +0000

We may be able to add some of yours below, but check out:

http://vrt-blog.snort.org/2014/06/detection-for-putterpanda-we-got-this.html

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team

On Jul 16, 2014, at 4:05 PM, Y M <snort at ...3751...> wrote:

So as soon as I started reading the CrowdStrike report (http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf) I tried writing sigs for what's in the report, only to find out later that it had the sigs written already (face-palm). Lesson of the day: RTFM.

Not sure if these are already in the current ruleset.

Here is my shot at it:

# 4HRAT beacon: /search? URI carrying the h1..h4 query parameters
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.4HRAT beacon request"; flow:to_server,established; content:"/search?"; http_uri; fast_pattern:only; pcre:"/\/search[0-9]{5}?/U"; content:"h1="; http_uri; content:"&h2="; http_uri; content:"&h3="; http_uri; content:"&h4="; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf; classtype:trojan-activity; sid:100234; rev:1;)

# 3PARA RAT connect.aspx beacon (GET) and registration (POST); the negated http_header matches require the listed headers to be absent
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.3PARA RAT initial beacon request"; flow:to_server,established; content:"GET"; http_method; content:"/default/connect.aspx?"; http_uri; fast_pattern:only; content:"ID="; http_uri; content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 20|MSIE 6.0|3B 20|Windows NT 5.1|29|"; http_header; content:!"Accept|3A 20|"; http_header; content:!"Content-Type|3A 20|"; http_header; content:!"Content-Length|3A 20|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf; classtype:trojan-activity; sid:100235; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.3PARA RAT C2 registration"; flow:to_server,established; content:"POST"; http_method; content:"/default/connect.aspx?"; http_uri; fast_pattern:only; content:"ID="; http_uri; content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 20|MSIE 6.0|3B 20|Windows NT 5.1|29|"; http_header; content:!"Accept|3A 20|"; http_header; content:!"Content-Type|3A 20|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf; classtype:trojan-activity; sid:100236; rev:1;)

# 3PARA RAT task request; the pcre uses \x2f for '/' and assumes '&'-separated parameters, as in the content matches above
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.3PARA RAT task request"; flow:to_server,established; content:"/getupdate/default.aspx?ID="; http_uri; fast_pattern:only; pcre:"/\x2fgetupdate\x2fdefault\x2easpx\x3fID=[0-9]{5}&para1=\x2d[0-9]{8,10}&para2=\x2d[0-9]{8,10}&para3=\x2d[0-9]{2}/U"; content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 20|MSIE 6.0|3B 20|Windows NT 5.1|29|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf; classtype:trojan-activity; sid:100237; rev:1;)

# HTTPCLIENT: KB-style URIs under /MicrosoftUpdate and /Microsoft/errorpost (pcre uses \x2f for '/')
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HTTPCLIENT beacon request"; flow:to_server,established; content:"/MicrosoftUpdate/ShellEX/KB"; http_uri; fast_pattern:only; pcre:"/\x2fMicrosoftUpdate\x2fShellEX\x2fKB[0-9]{7}\x2fdefault\x2easpx\x3ftmp=/U"; content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 20|MSIE 6.0|3B 20|Windows NT 5.1|29|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf; classtype:trojan-activity; sid:100238; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HTTPCLIENT C2 request"; flow:to_server,established; content:"/Microsoft/errorpost"; http_uri; fast_pattern:only; pcre:"/\x2fMicrosoft\x2ferrorpost[0-9]{7}\x2fdefault\x2easpx\x3ftmp=/U"; content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 20|MSIE 6.0|3B 20|Windows NT 5.1|29|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf; classtype:trojan-activity; sid:100239; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HTTPCLIENT C2 request"; flow:to_server,established; content:"/MicrosoftUpdate/GetUpdate/KB"; http_uri; fast_pattern:only; pcre:"/\x2fMicrosoftUpdate\x2fGetUpdate\x2fKB[0-9]{7}\x2fdefault\x2easpx\x3ftmp=/U"; content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 20|MSIE 6.0|3B 20|Windows NT 5.1|29|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf; classtype:trojan-activity; sid:100240; rev:1;)

I guess some signatures can be made more generic.



YM
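As an added check that is not part of the thread or of any Snort ruleset, the following Python mirrors the URI and header conditions of the 3PARA and HTTPCLIENT rules above and runs them over constructed request samples, so the matching logic can be sanity-checked before the rules go onto a sensor. The '&' separators between the task-request parameters and the sample values are assumptions, not taken from the report.

```python
import re

# User-Agent the 3PARA and HTTPCLIENT rules require (copied from the rules).
RAT_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

# URI regexes mirroring the rules' pcre options, with '/' where the posted
# patterns used \x3a (a colon) by mistake; query parameters assumed '&'-separated.
URI_RULES = [
    ("3PARA RAT task request",
     re.compile(r"^/getupdate/default\.aspx\?ID=[0-9]{5}&para1=-[0-9]{8,10}"
                r"&para2=-[0-9]{8,10}&para3=-[0-9]{2}$")),
    ("HTTPCLIENT beacon request",
     re.compile(r"^/MicrosoftUpdate/ShellEX/KB[0-9]{7}/default\.aspx\?tmp=")),
    ("HTTPCLIENT C2 request (errorpost)",
     re.compile(r"^/Microsoft/errorpost[0-9]{7}/default\.aspx\?tmp=")),
    ("HTTPCLIENT C2 request (GetUpdate)",
     re.compile(r"^/MicrosoftUpdate/GetUpdate/KB[0-9]{7}/default\.aspx\?tmp=")),
]

def parse_request(raw):
    # Split a raw HTTP request into (method, uri, {lower-case header name: value}).
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, uri, _version = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers

def match_rules(raw):
    # Return the names of the rules above whose conditions the request satisfies.
    method, uri, headers = parse_request(raw)
    if headers.get("user-agent") != RAT_UA:
        return []
    hits = [name for name, rx in URI_RULES if rx.search(uri)]
    # connect.aspx beacon/registration: the negated http_header matches mean the
    # request must NOT carry Accept or Content-Type (nor Content-Length for the GET).
    if uri.startswith("/default/connect.aspx?") and "ID=" in uri \
            and "accept" not in headers and "content-type" not in headers:
        if method == "GET" and "content-length" not in headers:
            hits.append("3PARA RAT initial beacon request")
        elif method == "POST":
            hits.append("3PARA RAT C2 registration")
    return hits

# Constructed sample requests (not captures from the report).
BEACON = "GET /default/connect.aspx?ID=12345 HTTP/1.1\r\nUser-Agent: " + RAT_UA + "\r\n\r\n"
TASK = ("GET /getupdate/default.aspx?ID=12345&para1=-123456789&para2=-987654321"
        "&para3=-07 HTTP/1.1\r\nUser-Agent: " + RAT_UA + "\r\n\r\n")
BENIGN = "GET /default/connect.aspx?ID=12345 HTTP/1.1\r\nUser-Agent: curl/7.35\r\nAccept: */*\r\n\r\n"
```

A request that carries an Accept header or a different User-Agent falls through every rule, which is exactly the behaviour the negated http_header matches give the Snort versions.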