[Snort-sigs] MALWARE-CNC Win.Trojan.Bedep variant outbound connection (1:33188)

Elliot Anderson new.http.451 at ...2420...
Tue Jan 19 16:37:49 EST 2016


Appreciate Joel,

drop a note here if you find out anything worth mentioning.

Cheers,
Elliot

> On 19 Jan 2016, at 23:33, Joel Esler (jesler) <jesler at ...3865...> wrote:
> 
> Elliot —
> 
> I’ll have someone take a look at this. However, have you looked at sid 35448?
> 
> 
> --
> 
> 
> Joel Esler
> Manager, Open Source & Threat Intelligence
> Talos
> jesler at ...3865...
> 
>> On Jan 19, 2016, at 3:56 PM, Elliot Anderson <new.http.451 at ...2420...> wrote:
>> 
>> Hello all,
>> 
>> Has anybody struggled with the 1:33188 sig previously? The thing is that this signature:
>> 
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Win.Trojan.Bedep variant outbound connection"; flow:to_server,established; content:"/stats/eurofxref/eurofxref-hist-90d.xml"; http_uri; content:"Host|3A 20|www.ecb.europa.eu|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33188; rev:4; )
>> 
>> Quite often triggers on legitimate traffic not associated with any CNC connections, just simple browsing and a request for a file from the European Central Bank (ECB) which contains the last 90 days of “Euro foreign exchange reference rates” and is updated daily. However, Trojan Bedep uses it as part of its DGA scheme.
>> 
>> Are there any supplementary signatures for this activity, because this one isn't working exactly the way we would like and expect it to?
>> 
>> Thanks for any comments,
>> Elliot
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>> http://www.snort.org
>> 
>> 
>> Please visit http://blog.snort.org for the latest news about Snort!
> 
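To see why sid 33188 fires on ordinary browsing, here is an added example (my own illustration, not code from this thread, from Snort or from Talos) that decodes the rule's content strings, including the |hex| escapes, and applies them to the URI and header buffers of a constructed browser request. It assumes no HTTP normalisation or stream reassembly, which real Snort does perform.

```python
"""Emulate the two content checks of sid 33188 against raw HTTP requests.

Added illustration, not code from the thread, Snort or Talos. It decodes
Snort content strings (|hex| escapes included) and tests them against the
URI and header buffers that the http_uri / http_header modifiers select.
"""

RULE = (  # the rule quoted in the thread, with the mail client's link residue removed
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE '
    'Win.Trojan.Bedep variant outbound connection"; flow:to_server,established; '
    'content:"/stats/eurofxref/eurofxref-hist-90d.xml"; http_uri; '
    'content:"Host|3A 20|www.ecb.europa.eu|0D 0A|"; fast_pattern:only; http_header; '
    'metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, '
    'service http; classtype:trojan-activity; sid:33188; rev:4; )'
)

def decode_snort_content(s: str) -> bytes:
    """'Host|3A 20|x' -> b'Host: x': text outside |...| is literal, inside is hex."""
    out = bytearray()
    for i, part in enumerate(s.split("|")):
        out += bytes.fromhex(part.replace(" ", "")) if i % 2 else part.encode("latin-1")
    return bytes(out)

def parse_contents(rule: str) -> list:
    """Return (pattern, buffer) pairs; buffer is 'uri', 'header' or 'payload'."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    checks, current = [], None
    for opt in (o.strip() for o in body.split(";")):
        if opt.startswith("content:"):
            current = [decode_snort_content(opt[8:].strip().strip('"')), "payload"]
            checks.append(current)
        elif opt in ("http_uri", "http_header") and current:
            current[1] = opt[5:]  # modifier applies to the preceding content
    return [tuple(c) for c in checks]

def http_buffers(request: bytes) -> dict:
    """Split a request into the buffers the rule's modifiers refer to (no normalisation)."""
    head = request.split(b"\r\n\r\n", 1)[0]
    request_line, _, headers = head.partition(b"\r\n")
    return {"uri": request_line.split(b" ")[1], "header": headers + b"\r\n", "payload": request}

def rule_matches(rule: str, request: bytes) -> bool:
    bufs = http_buffers(request)
    return all(pat in bufs[buf] for pat, buf in parse_contents(rule))

# Constructed sample: an ordinary browser fetching the ECB rates file.
BROWSER_REQUEST = (b"GET /stats/eurofxref/eurofxref-hist-90d.xml HTTP/1.1\r\n"
                   b"Host: www.ecb.europa.eu\r\nUser-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n")

if __name__ == "__main__":
    print("sid 33188 fires on a plain browser download:", rule_matches(RULE, BROWSER_REQUEST))
```

Both content checks are satisfied by any client that downloads that file from that host, so the rule alone cannot tell Bedep's fetch from a user's.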
