[Snort-sigs] [Emerging-Sigs] Wirelurker A and B

James Lay jlay at ...3266...
Thu Nov 6 15:35:21 EST 2014


On 2014-11-06 13:16, rmkml wrote:
> Thx James and James ;)
>
> Maybe add http_header please ?
>
> Regards
> @Rmkml
>
>
> On Thu, 6 Nov 2014, James Espinosa wrote:
>
>> Thanks, James! I believe there should be a space between the 
>> User-Agent|3A| and globalupdate (at least it appears that way in the 
>> report). Can I suggest the following as a fix?
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
>> (msg:"MALWARE-CNC OSX.Trojan.Wirelurker.AB"; 
>> flow:to_server,established; content:"User-Agent|3A| globalupdate"; 
>> fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, 
>> policy security-ips
>> drop, service http; reference: 
>> url,researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware; 
>> classtype:trojan-activity; sid:10000138; rev:1;)
>> Thanks,
>> james espinosa
>> security researcher
>> 847.497.5237 @ jamesejr.com
>> On Thu, Nov 6, 2014 at 10:47 AM, James Lay 
>> <jlay at ...3266...> wrote:
>>       May help someone somewhere...a quick search of 
>> http://www.ua-tracker.com/ showed no known UA with globalupdate, so I 
>> figured I'd just look for that and be done with it.
>>
>>       alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
>> (msg:"MALWARE-CNC OSX.Trojan.Wirelurker.AB"; 
>> flow:to_server,established; content:"User-Agent|3A|globalupdate"; 
>> fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, 
>> policy
>>       security-ips drop, service http; reference: 
>> url,researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware; 
>> classtype:trojan-activity; sid:10000138; rev:1;)
>>
>>       Rev C uses encrypted channels, so uh...hope you don't get C.  
>> As always fixes are welcome.
>>
>>       James
>>       _______________________________________________
>>       Emerging-sigs mailing list
>>       Emerging-sigs at ...3694...
>>       
>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>       Support Emerging Threats! Subscribe to Emerging Threats Pro 
>> http://www.emergingthreats.net
>>
>>
>>
>>

Heh...thanks James and @Rmkml...good catch to both:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
OSX.Trojan.Wirelurker.AB"; flow:to_server,established; 
content:"User-Agent|3A| globalupdate"; http_header; fast_pattern:only; 
metadata:impact_flag red, policy balanced-ips drop, policy security-ips 
drop, service http; reference: 
url,researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware; 
classtype:trojan-activity; sid:10000138; rev:1;)

James




More information about the Snort-sigs mailing list