[Snort-sigs] Win.Malware.Disttrack

Tyler Montier tmontier at ...435...
Fri Feb 10 10:25:49 EST 2017


Dear Yaser,

Thanks for your submission. We will review and test the rules and get back
to you when they're finished.

Do you have any pcaps available?

Sincerely

Tyler Montier
Cisco Talos


On Fri, Feb 10, 2017 at 4:45 AM, Y M <snort at ...3751...> wrote:

> Hello,
>
>
> The below signatures are derived from the article in the reference. There
> is a hardcoded User-Agent with HTTP "parameters". It is not clear whether
> these parameters are HTTP URL or Body parameters. There is also a mention
> of a specific domain. The rules have been sanity checked only. No pcaps
> available.
>
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Malware.Disttrack variant outbound connection"; flow:to_server,established; content:"commandid="; nocase; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Mozilla/5.0 (Windows NT 6.3|3B| Trident/7.0|3B| rv:11) like Gecko|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,blog.vectranetworks.com/blog/an-analysis-of-the-shamoon-2-malware-attack; classtype:trojan-activity; sid:1000825; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Malware.Disttrack variant outbound connection"; flow:to_server,established; content:"commandid="; nocase; fast_pattern:only; http_client_body; content:"User-Agent|3A 20|Mozilla/5.0 (Windows NT 6.3|3B| Trident/7.0|3B| rv:11) like Gecko|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,blog.vectranetworks.com/blog/an-analysis-of-the-shamoon-2-malware-attack; classtype:trojan-activity; sid:1000826; rev:1;)
>
> alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain update.winappupdater.com - Win.Malware.Disttrack"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|update|0D|winappupdater|03|com|00|"; fast_pattern:only; metadata:ruleset community, service dns; reference:url,blog.vectranetworks.com/blog/an-analysis-of-the-shamoon-2-malware-attack; classtype:trojan-activity; sid:1000827; rev:1;)
>
> Thank you.
>
> YM
>
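Since the submitter had no pcap, here is an added example (not part of this thread, and not a Talos or submitter tool) that checks the DNS rule's logic against a constructed query for update.winappupdater.com: it encodes the name in DNS wire format, compares it with the rule's content bytes, and emulates the byte_test on the flags byte. The packet bytes and transaction id are constructed for the example.

```python
import struct

# The content match from the submitted rule, with Snort's |..| hex escapes expanded:
# |06|update|0D|winappupdater|03|com|00|
RULE_CONTENT = (b"\x06update" + b"\x0dwinappupdater" + b"\x03com" + b"\x00")


def encode_qname(name: str) -> bytes:
    """DNS wire-format QNAME: each label prefixed by its length byte, then a zero byte.
    The length prefixes and the terminating zero are what keep the rule from
    matching look-alike names such as xupdate.winappupdater.com or a longer suffix."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: a standard A query (flags 0x0100 = RD set), one question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN


def flags_say_query(dns: bytes) -> bool:
    """Emulates byte_test:1,!&,0xF8,2 : the byte at offset 2 must have none of the
    QR and Opcode bits set, i.e. the packet is a standard query, not a response."""
    return len(dns) > 2 and (dns[2] & 0xF8) == 0


def rule_matches(dns: bytes) -> bool:
    """Both rule conditions: query flags and the label-encoded domain present in payload."""
    return flags_say_query(dns) and RULE_CONTENT in dns


if __name__ == "__main__":
    q = build_query("update.winappupdater.com")
    print(rule_matches(q))  # True
    # A response carrying the same question fails the flags test (QR bit set).
    r = bytearray(q)
    r[2] |= 0x80
    print(rule_matches(bytes(r)))  # False
```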