[Snort-sigs] Assist with FrameworkPOS sig

rmkml rmkml at ...174...
Wed Oct 15 15:28:20 EDT 2014


Thx James for sharing,

Could you check this revision please ? (not tested)

  alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC FrameworkPOS beacon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|beacon;
  fast_pattern:only;
pcre:"/\x08[a-f0-9]{8}\x06beacon[\x18-\x60][a-f0-9]{24,96}[\x18-\x60][a-f0-9]{24,96}[\x03-\x60]\w{3,96}[\x02-\x06]\w{2,6}\x00/";
metadata:impact_flag red, policy balanced-ips drop,
  policy security-ips drop, service dns; 
reference:url,blog.gdatasoftware.com/blog/article/new-frameworkpos-variant-exfiltrates-data-via-dns-requests.html/;
  classtype:trojan-activity; sid:10000137; rev:2;)

c5008015
-> \x08[a-f0-9]{8}

.beacon
-> \x06beacon

.c3cbc0dcc3c4cadcc4cbdcc4cb
-> [\x18-\x60][a-f0-9]{24,96}

.a2b3a7bedfb3b0b1c3c0c1c6
-> [\x18-\x60][a-f0-9]{24,96}

.domain
-> [\x03-\x60]\w{3,96}

.com
[\x02-\x06]\w{2,6}\x00

Comments is welcome ;)

Regards
@Rmkml



On Wed, 15 Oct 2014, James Lay wrote:

> Hey all,
>
> I'm attempting to get something going for the below:
>
> https://blog.gdatasoftware.com/blog/article/new-frameworkpos-variant-exfiltrates-data-via-dns-requests.html
>
> In a nutshell I'm trying to create a couple sigs to match:
>
>     Id.beacon.encoded_data1.encoded_data2.domain.com
>
> This request is the heartbeat. The ID is a random ID generated during
> the first execution of the malware. Encoded_data1 is the IP address of
> the infected machine and encoded_data2 is the host name of the machine.
>
>     Id.alert.encoded_data3.domain.com
>
> The ID is the same random ID as used in the example above and
> encoded_data3 is a process name. The attackers receive the process name
> each time a credit card number is found in the memory.
>
>
> An example DNS request:
>
> c5008015.beacon.c3cbc0dcc3c4cadcc4cbdcc4cb.a2b3a7bedfb3b0b1c3c0c1c6.domain.com
>
> alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC FrameworkPOS
> beacon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|beacon|1A|;
> fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
> policy security-ips drop, service dns;
> reference:url,blog.gdatasoftware.com/blog/article/new-frameworkpos-variant-exfiltrates-data-via-dns-requests.html/;
> classtype:trojan-activity; sid:10000137; rev:1;)
>
> What I don't have intel on is if the values before and after beacon and
> alert change length.  Is pcre a good fit for this?  Or something else?
> Thanks for looking all.
>
> James




More information about the Snort-sigs mailing list