[Snort-sigs] Assist with FrameworkPOS sig

James Lay jlay at ...3266...
Wed Oct 15 14:19:03 EDT 2014


Hey all,

I'm attempting to get something going for the below:

https://blog.gdatasoftware.com/blog/article/new-frameworkpos-variant-exfiltrates-data-via-dns-requests.html

In a nutshell I'm trying to create a couple sigs to match:

     Id.beacon.encoded_data1.encoded_data2.domain.com

This request is the heartbeat. The ID is a random ID generated during 
the first execution of the malware. Encoded_data1 is the IP address of 
the infected machine and encoded_data2 is the host name of the machine.

     Id.alert.encoded_data3.domain.com

The ID is the same random ID as used in the example above and 
encoded_data3 is a process name. The attackers receive the process name 
each time a credit card number is found in the memory.


An example DNS request:

c5008015.beacon.c3cbc0dcc3c4cadcc4cbdcc4cb.a2b3a7bedfb3b0b1c3c0c1c6.domain.com

alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC FrameworkPOS 
beacon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|beacon|1A|; 
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, 
policy security-ips drop, service dns; 
reference:url,blog.gdatasoftware.com/blog/article/new-frameworkpos-variant-exfiltrates-data-via-dns-requests.html/; 
classtype:trojan-activity; sid:10000137; rev:1;)

What I don't have intel on is if the values before and after beacon and 
alert change length.  Is pcre a good fit for this?  Or something else?  
Thanks for looking all.

James





More information about the Snort-sigs mailing list