[Snort-sigs] Win.Trojan.KopiLuwak Turla JS

Y M snort at ...3751...
Tue Feb 14 05:30:08 EST 2017


Hello,


The below signatures were derived from the article in the reference. Since there are no pcaps available, the below assumptions/thoughts were made.


1. For the first rule, it is assumed that the custom User-Agent ends with \x0d\x0a. It also may be a better idea to have the pcre as "[A-Z0-9a-z]{32}", but it was written to avoid ambi

2. To avoid pcre, individual signatures were created per HTTP response. Perhaps it is better to combine all of them with pcre.

3. The HTTP response body does not end with or contain any line terminators.


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.KopiLuwak JS outbound request"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"Mozilla/5.0 (Windows NT 6.1|3B| Win64|3B| x64)|3B| "; fast_pattern:only; http_header; pcre:"/[0-9]{16}[A-Z0-9a-z]{16}\x0d\x0a$/mR"; flowbits:set,kopiluwak.js.out; flowbits:noalert; metadata:ruleset community, service http; reference:url,securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/; classtype:trojan-activity; sid:1000828; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.KopiLuwak JS inbound response"; flow:to_client,established; flowbits:isset,kopiluwak.js.out; content:"Content-Length|3A 20|4|0D 0A|"; http_header; file_data; content:"good"; depth:4; isdataat:!0,relative; metadata:ruleset community, service http; reference:url,securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/; classtype:trojan-activity; sid:1000829; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.KopiLuwak JS inbound response"; flow:to_client,established; flowbits:isset,kopiluwak.js.out; content:"Content-Length|3A 20|4|0D 0A|"; http_header; file_data; content:"exit"; depth:4; isdataat:!0,relative; metadata:ruleset community, service http; reference:url,securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/; classtype:trojan-activity; sid:1000830; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.KopiLuwak JS inbound response"; flow:to_client,established; flowbits:isset,kopiluwak.js.out; content:"Content-Length|3A 20|4|0D 0A|"; http_header; file_data; content:"work"; depth:4; isdataat:!0,relative; metadata:ruleset community, service http; reference:url,securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/; classtype:trojan-activity; sid:1000831; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.KopiLuwak JS inbound response"; flow:to_client,established; flowbits:isset,kopiluwak.js.out; content:"Content-Length|3A 20|4|0D 0A|"; http_header; file_data; content:"fail"; depth:4; isdataat:!0,relative; metadata:ruleset community, service http; reference:url,securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/; classtype:trojan-activity; sid:1000832; rev:1;)


Thanks.

YM
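Because the rules above were written from the article's description rather than from a pcap, it helps to have a way to exercise assumptions 1 and 3 against crafted messages. The script below is an added illustration, not part of YM's post and not Snort code: it models the matching logic of sid 1000828 (POST to a .php URI, the fixed User-Agent prefix followed by 16 digits, 16 alphanumerics and CRLF) and of sids 1000829-1000832 ("Content-Length: 4" and a body that is exactly one of good/exit/work/fail with nothing after it), with a per-flow set standing in for the flowbit. The sample request and responses are constructed; the host name and addresses are placeholders.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constants taken from the rules in the post.
UA_PREFIX = b"Mozilla/5.0 (Windows NT 6.1; Win64; x64); "
# Python form of pcre:"/[0-9]{16}[A-Z0-9a-z]{16}\x0d\x0a$/mR". The /R modifier
# anchors the pattern to the end of the previous content match, so it is
# applied with match() at that offset rather than searched across the buffer.
UA_TAIL = re.compile(rb"[0-9]{16}[A-Z0-9a-z]{16}\r\n")
# The four single-word responses covered by sids 1000829-1000832.
RESPONSE_BODIES = {b"good", b"exit", b"work", b"fail"}


def parse_http(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP message into start line, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def matches_outbound(raw: bytes) -> bool:
    """sid 1000828: POST to a .php URI, UA prefix followed by the 32-char token + CRLF."""
    start, _, _ = parse_http(raw)
    parts = start.split(" ")
    if len(parts) < 2 or parts[0] != "POST" or ".php" not in parts[1]:
        return False
    pos = raw.find(UA_PREFIX)
    if pos < 0:
        return False
    return UA_TAIL.match(raw, pos + len(UA_PREFIX)) is not None


def matches_inbound(raw: bytes) -> Optional[bytes]:
    """sids 1000829-1000832: 'Content-Length: 4' and a body that is exactly one word."""
    _, headers, body = parse_http(raw)
    if headers.get("content-length") != "4":
        return None
    # depth:4 limits the match to the first four bytes; isdataat:!0,relative
    # then requires that nothing follows them (assumption 3 in the post).
    if len(body) == 4 and body in RESPONSE_BODIES:
        return body
    return None


class KopiLuwakDetector:
    """Per-flow state standing in for flowbits:set / flowbits:isset."""

    def __init__(self) -> None:
        self.flowbits: Set[Tuple[str, str]] = set()

    def observe(self, flow: Tuple[str, str], direction: str, raw: bytes) -> Optional[str]:
        if direction == "to_server":
            if matches_outbound(raw):
                self.flowbits.add(flow)  # flowbits:set,kopiluwak.js.out; flowbits:noalert
            return None
        if flow in self.flowbits:  # flowbits:isset,kopiluwak.js.out
            body = matches_inbound(raw)
            if body is not None:
                return "MALWARE-CNC Win.Trojan.KopiLuwak JS inbound response (%s)" % body.decode()
        return None


# Constructed sample traffic (not a real capture): one beacon and two responses.
SAMPLE_REQUEST = (
    b"POST /index.php HTTP/1.1\r\n"
    + b"Host: c2.example.invalid\r\n"
    + b"User-Agent: " + UA_PREFIX + b"1234567890123456ABCDEFGHIJKLMNOP\r\n"
    + b"Content-Length: 0\r\n"
    + b"\r\n"
)
SAMPLE_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 4\r\n\r\nwork"
BENIGN_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 12\r\n\r\nwork done ok"


def run_demo() -> List[str]:
    """Replay the constructed flow and return the alerts the model would raise."""
    det = KopiLuwakDetector()
    flow = ("10.0.0.5", "203.0.113.7")  # placeholder client/server pair
    alerts: List[str] = []
    for direction, msg in [
        ("to_client", SAMPLE_RESPONSE),  # no flowbit yet: silent
        ("to_server", SAMPLE_REQUEST),   # sets the flowbit, noalert
        ("to_client", BENIGN_RESPONSE),  # wrong Content-Length: silent
        ("to_client", SAMPLE_RESPONSE),  # alerts
    ]:
        alert = det.observe(flow, direction, msg)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The model does not reproduce Snort's HTTP normalisation or fast-pattern selection; its purpose is to show which messages the stated assumptions admit (a 15-digit token or a 12-byte body is silently dropped, and a response with no preceding beacon on the same flow never alerts), so the rules can be adjusted before a pcap is available.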