[Snort-sigs] Win.Trojan.KopiLuwak Turla JS

Tyler Montier tmontier at ...435...
Tue Feb 14 10:37:51 EST 2017


Yaser,

Thanks for your submission. We will review and test the rules and get back
to you when they're finished.

Sincerely,

Tyler Montier
Cisco Talos

On Tue, Feb 14, 2017 at 5:30 AM, Y M <snort at ...3751...> wrote:

> Hello,
>
>
> The below signatures were derived from the article in the reference. Since
> there are no pcaps available, the below assumptions/thoughts were made.
>
>
> 1. For the first rule, it is assumed that the custom User-Agent ends with
> \x0d\x0a. It also may be a better idea to have the pcre as
> "[A-Z0-9a-z]{32}", but it is written to avoid ambi
>
> 2. To avoid pcre, individual signatures were created per HTTP response.
> Perhaps it is better to combine all of them with pcre.
>
> 3. The HTTP response body does not end/contain any line terminators.
>
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.KopiLuwak JS outbound request"; flow:to_server,established;
> content:"POST"; http_method; content:".php"; http_uri; content:"Mozilla/5.0
> (Windows NT 6.1|3B| Win64|3B| x64)|3B| "; fast_pattern:only; http_header;
> pcre:"/[0-9]{16}[A-Z0-9a-z]{16}\x0d\x0a$/mR";
> flowbits:set,kopiluwak.js.out; flowbits:noalert; metadata:ruleset
> community, service http; reference:url,securelist.com/
> blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/;
> classtype:trojan-activity; sid:1000828; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
> Win.Trojan.KopiLuwak JS inbound response"; flow:to_client,established;
> flowbits:isset,kopiluwak.js.out; content:"Content-Length|3A 20|4|0D 0A|";
> http_header; file_data; content:"good"; depth:4; isdataat:!0,relative;
> metadata:ruleset community, service http; reference:url,securelist.com/
> blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/;
> classtype:trojan-activity; sid:1000829; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
> Win.Trojan.KopiLuwak JS inbound response"; flow:to_client,established;
> flowbits:isset,kopiluwak.js.out; content:"Content-Length|3A 20|4|0D 0A|";
> http_header; file_data; content:"exit"; depth:4; isdataat:!0,relative;
> metadata:ruleset community, service http; reference:url,securelist.com/
> blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/;
> classtype:trojan-activity; sid:1000830; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
> Win.Trojan.KopiLuwak JS inbound response"; flow:to_client,established;
> flowbits:isset,kopiluwak.js.out; content:"Content-Length|3A 20|4|0D 0A|";
> http_header; file_data; content:"work"; depth:4; isdataat:!0,relative;
> metadata:ruleset community, service http; reference:url,securelist.com/
> blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/;
> classtype:trojan-activity; sid:1000831; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
> Win.Trojan.KopiLuwak JS inbound response"; flow:to_client,established;
> flowbits:isset,kopiluwak.js.out; content:"Content-Length|3A 20|4|0D 0A|";
> http_header; file_data; content:"fail"; depth:4; isdataat:!0,relative;
> metadata:ruleset community, service http; reference:url,securelist.com/
> blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/;
> classtype:trojan-activity; sid:1000832; rev:1;)
>
> Thanks.
>
> YM
>
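The five rules quoted above form a two-stage check: the outbound rule sets a flowbit silently (flowbits:noalert) when a POST to a ".php" URI carries the fixed User-Agent prefix followed by 16 digits, 16 alphanumerics and CRLF, and each inbound rule alerts only when that bit is set, the header block contains exactly "Content-Length: 4" and the body is one of the four keywords with no byte after it (depth:4 plus isdataat:!0,relative, matching assumption 3 in the submission). The Python below is an added illustration of that logic, not part of Y M's submission or of any Snort or Talos code. The sample request and response are constructed for the example; the host, URI and token value are invented placeholders, with the token shaped to satisfy the pcre in sid:1000828.

```python
import re

# Fixed part of the User-Agent matched by the outbound rule's content option.
UA_PREFIX = b"Mozilla/5.0 (Windows NT 6.1; Win64; x64); "
# Equivalent of pcre:"/[0-9]{16}[A-Z0-9a-z]{16}\x0d\x0a$/mR", evaluated
# relative to the end of the UA_PREFIX match.
UA_TOKEN_RE = re.compile(rb"[0-9]{16}[A-Z0-9a-z]{16}\r\n")
# Exact bytes of content:"Content-Length|3A 20|4|0D 0A|" (no nocase, so
# the comparison is case-sensitive, as it is in the rule).
CONTENT_LENGTH_4 = b"Content-Length: 4\r\n"
# The four 4-byte bodies covered by sids 1000829-1000832.
RESPONSE_WORDS = (b"good", b"exit", b"work", b"fail")


def split_http(raw: bytes):
    """Split a raw HTTP message into (start line, header block, body).

    The header block keeps a CRLF after every line so that a token at the
    end of the last header still ends in \\r\\n, as the pcre expects.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    header_block = head + b"\r\n"
    start_line = head.split(b"\r\n", 1)[0]
    return start_line, header_block, body


def request_matches(raw: bytes) -> bool:
    """Mirror of sid:1000828. True means the flowbit kopiluwak.js.out is set."""
    start_line, header_block, _ = split_http(raw)
    parts = start_line.split(b" ")
    if len(parts) < 2 or parts[0] != b"POST":      # content:"POST"; http_method
        return False
    if b".php" not in parts[1]:                     # content:".php"; http_uri
        return False
    pos = header_block.find(UA_PREFIX)              # content:"Mozilla/5.0 ..."
    if pos < 0:
        return False
    # "R" in the pcre: match starts where the preceding content match ended.
    return UA_TOKEN_RE.match(header_block, pos + len(UA_PREFIX)) is not None


def response_matches(raw: bytes, flowbit_set: bool) -> bool:
    """Mirror of sids 1000829-1000832 taken together.

    flowbits:isset gates everything; then the exact Content-Length header
    must be present; then the body (file_data) must begin with one of the
    keywords within the first 4 bytes (depth:4) and have nothing after it
    (isdataat:!0,relative). Together that means the body *is* the keyword.
    """
    if not flowbit_set:
        return False
    _, header_block, body = split_http(raw)
    if CONTENT_LENGTH_4 not in header_block:
        return False
    return body in RESPONSE_WORDS


def classify_flow(request: bytes, response: bytes):
    """Evaluate one request/response exchange the way the rule pair does.

    Returns (flowbit_set, alert): the request never alerts on its own
    (flowbits:noalert); the response alerts only when the bit is set.
    """
    flowbit = request_matches(request)
    return flowbit, response_matches(response, flowbit)


# Constructed sample traffic (not captured data): 16 digits + 16 alphanumerics.
TOKEN = b"1234567890123456" + b"AbCdEfGh12345678"
SAMPLE_REQUEST = b"".join([
    b"POST /upload.php HTTP/1.1\r\n",
    b"Host: example.invalid\r\n",
    b"User-Agent: " + UA_PREFIX + TOKEN + b"\r\n",
    b"Content-Type: application/x-www-form-urlencoded\r\n",
    b"Content-Length: 0\r\n",
    b"\r\n",
])
SAMPLE_RESPONSE = b"".join([
    b"HTTP/1.1 200 OK\r\n",
    b"Content-Type: text/html\r\n",
    b"Content-Length: 4\r\n",
    b"\r\n",
    b"good",
])
# A reply whose body is terminated with CRLF: assumption 3 says the real
# body is not, so this must not alert (Content-Length differs and bytes
# follow the keyword).
SAMPLE_RESPONSE_TERMINATED = SAMPLE_RESPONSE.replace(
    b"Content-Length: 4\r\n", b"Content-Length: 6\r\n") + b"\r\n"

if __name__ == "__main__":
    print(classify_flow(SAMPLE_REQUEST, SAMPLE_RESPONSE))
    print(classify_flow(SAMPLE_REQUEST, SAMPLE_RESPONSE_TERMINATED))
```

The mirror works on raw bytes only; it does not model Snort's normalized HTTP buffers, and, like the rules, it compares header names case-sensitively and requires the response body to be exactly the 4-byte keyword.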