[Snort-sigs] Osx.Trojan.Xagent

Tyler Montier tmontier at ...435...
Tue Feb 28 08:25:02 EST 2017


Yaser,

Thanks for your submission. I'll review and test this and get back to you
when its finished.

Since you have a pcap, can you send it my way?

Tyler Montier
Cisco Talos

On Mon, Feb 27, 2017 at 12:54 PM, Y M <snort at ...3751...> wrote:

> Hello,
>
>
> After trying multiple combinations, the below set of rules were the most
> efficient among all the combinations I had when profiled. Pcap is available.
>
>
> The rules are divided into two sets. The first is a catch-all regardless
> of the URL. The second set is tailored according to each URL. In either
> sets, the rules should catch (I think) both GET and POST requests; the
> resulting pcap did not contain any POST requests.
>
>
> First Set:
>
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Osx.Trojan.Xagent outbound connection"; flow:to_server,established;
> content:"/?"; fast_pattern:only; http_uri; content:" (unknown version) ";
> http_header; content:" Darwin/"; within:30; http_header; content:"Accept|3A
> 20|*/*|0D 0A|"; http_header; content:"Connection|3A 20|keep-alive|0D 0A|";
> http_header; pcre:"/\/(search|find|results|open|search|close|watch)\/\x3f[a-zA-Z]{2,8}\x3d/U";
> content:!"Referer"; http_header; content:!"Cookie"; http_header;
> metadata:ruleset community, service http; reference:url,http://
> contagiodump.blogspot.com/2017/02/russian-apt-apt28-
> collection-of-samples.html; reference:url,download.
> bitdefender.com/resources/files/News/CaseStudies/study/
> 143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf;
> classtype:trojan-activity; sid:1000860; rev:1;)
>
>
> Or, the second Set:
>
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Osx.Trojan.Xagent outbound connection"; flow:to_server,established;
> content:"/search/?"; fast_pattern:only; http_uri; content:" (unknown
> version) "; http_header; content:" Darwin/"; within:30; http_header;
> content:"Accept|3A 20|*/*|0D 0A|"; http_header; content:"Connection|3A
> 20|keep-alive|0D 0A|"; http_header; pcre:"/\/search\/\x3f[a-zA-Z]{2,8}\x3d/U";
> content:!"Referer"; http_header; content:!"Cookie"; http_header;
> metadata:ruleset community, service http; reference:url,http://
> contagiodump.blogspot.com/2017/02/russian-apt-apt28-
> collection-of-samples.html; reference:url,download.
> bitdefender.com/resources/files/News/CaseStudies/study/
> 143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf;
> classtype:trojan-activity; sid:1000861; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Osx.Trojan.Xagent outbound connection"; flow:to_server,established;
> content:"/watch/?"; fast_pattern:only; http_uri; content:" (unknown
> version) "; http_header; content:" Darwin/"; within:30; http_header;
> content:"Accept|3A 20|*/*|0D 0A|"; http_header; content:"Connection|3A
> 20|keep-alive|0D 0A|"; http_header; pcre:"/\/watch\/\x3f[a-zA-Z]{2,8}\x3d/U";
> content:!"Referer"; http_header; content:!"Cookie"; http_header;
> metadata:ruleset community, service http; reference:url,http://
> contagiodump.blogspot.com/2017/02/russian-apt-apt28-
> collection-of-samples.html; reference:url,download.
> bitdefender.com/resources/files/News/CaseStudies/study/
> 143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf;
> classtype:trojan-activity; sid:1000862; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Osx.Trojan.Xagent outbound connection"; flow:to_server,established;
> content:"/open/?"; fast_pattern:only; http_uri; content:" (unknown version)
> "; http_header; content:" Darwin/"; within:30; http_header;
> content:"Accept|3A 20|*/*|0D 0A|"; http_header; content:"Connection|3A
> 20|keep-alive|0D 0A|"; http_header; pcre:"/\/open\/\x3f[a-zA-Z]{2,8}\x3d/U";
> content:!"Referer"; http_header; content:!"Cookie"; http_header;
> metadata:ruleset community, service http; reference:url,http://
> contagiodump.blogspot.com/2017/02/russian-apt-apt28-
> collection-of-samples.html; reference:url,download.
> bitdefender.com/resources/files/News/CaseStudies/study/
> 143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf;
> classtype:trojan-activity; sid:1000863; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Osx.Trojan.Xagent outbound connection"; flow:to_server,established;
> content:"/find/?"; fast_pattern:only; http_uri; content:" (unknown version)
> "; http_header; content:" Darwin/"; within:30; http_header;
> content:"Accept|3A 20|*/*|0D 0A|"; http_header; content:"Connection|3A
> 20|keep-alive|0D 0A|"; http_header; pcre:"/\/find\/\x3f[a-zA-Z]{2,8}\x3d/U";
> content:!"Referer"; http_header; content:!"Cookie"; http_header;
> metadata:ruleset community, service http; reference:url,http://
> contagiodump.blogspot.com/2017/02/russian-apt-apt28-
> collection-of-samples.html; reference:url,download.
> bitdefender.com/resources/files/News/CaseStudies/study/
> 143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf;
> classtype:trojan-activity; sid:1000864; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Osx.Trojan.Xagent outbound connection"; flow:to_server,established;
> content:"/results/?"; fast_pattern:only; http_uri; content:" (unknown
> version) "; http_header; content:" Darwin/"; within:30; http_header;
> content:"Accept|3A 20|*/*|0D 0A|"; http_header; content:"Connection|3A
> 20|keep-alive|0D 0A|"; http_header; pcre:"/\/results\/\x3f[a-zA-Z]{2,8}\x3d/U";
> content:!"Referer"; http_header; content:!"Cookie"; http_header;
> metadata:ruleset community, service http; reference:url,http://
> contagiodump.blogspot.com/2017/02/russian-apt-apt28-
> collection-of-samples.html; reference:url,download.
> bitdefender.com/resources/files/News/CaseStudies/study/
> 143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf;
> classtype:trojan-activity; sid:1000865; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Osx.Trojan.Xagent outbound connection"; flow:to_server,established;
> content:"/close/?"; fast_pattern:only; http_uri; content:" (unknown
> version) "; http_header; content:" Darwin/"; within:30; http_header;
> content:"Accept|3A 20|*/*|0D 0A|"; http_header; content:"Connection|3A
> 20|keep-alive|0D 0A|"; http_header; pcre:"/\/close\/\x3f[a-zA-Z]{2,8}\x3d/U";
> content:!"Referer"; http_header; content:!"Cookie"; http_header;
> metadata:ruleset community, service http; reference:url,download.
> bitdefender.com/resources/files/News/CaseStudies/study/
> 143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf;
> classtype:trojan-activity; sid:1000866; rev:1;)
>
> Thank you.
>
> YM
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
> http://www.snort.org
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most <a href="
> https://snort.org/downloads/#rule-downloads">emerging threats</a>!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20170228/adf4f79a/attachment.html>


More information about the Snort-sigs mailing list