[Snort-sigs] Win.Backdoor.StoneDrill

Y M snort at ...3751...
Tue Mar 7 15:31:05 EST 2017


Hello,


Hope all is well. The below rules were derived from the reference report. No pcaps are available, so the rules are only sanity checked.


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.StoneDrill server selection outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/ct_if/ctpublic/Check_Exist.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf; classtype:trojan-activity; sid:1000870; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.StoneDrill login outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"username=MD5Sum"; fast_pattern:only; http_client_body; content:"&password=MD5Sum"; http_client_body; content:"&button=Login"; http_client_body; content:"Referer|3A 20|"; http_header; content:"Connection|3A 20|close|0D 0A|"; http_header; content:" Firefox/23.0|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf; classtype:trojan-activity; sid:1000871; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.StoneDrill get commands outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/insert/index?id="; fast_pattern:only; http_uri; content:"&hst="; http_uri; content:"&ttype="; http_uri; content:"&state="; http_uri; content:"Cookie|3A 20|"; http_header; content:"Conneciton|3A 20|close|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf; classtype:trojan-activity; sid:1000872; rev:1;)

Thank you.
YM
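As an added example (not part of the original post or any Snort code), the following Python script applies the same method/URI/body/header content checks the three rules above make, against constructed HTTP requests, so the rules can be sanity-checked without pcaps; the sample requests, host names and parameter values are assumptions.

```python
# Added example: a minimal stand-in for the content / http_uri / http_client_body /
# http_header checks of sids 1000870-1000872, run over constructed requests.
# Samples below are constructed, not captured traffic.

# (sid, method, uri substrings, client-body substrings, header substrings)
RULES = [
    (1000870, "GET", ["/ct_if/ctpublic/Check_Exist.php"], [], []),
    (1000871, "POST", [], ["username=MD5Sum", "&password=MD5Sum", "&button=Login"],
     ["Referer: ", "Connection: close\r\n", " Firefox/23.0\r\n"]),
    (1000872, "GET", ["/insert/index?id=", "&hst=", "&ttype=", "&state="], [],
     ["Cookie: ", "Conneciton: close\r\n"]),  # header spelled exactly as in the rule
]

def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, uri, header block, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) < 2:                     # not a request line we can evaluate
        return "", "", b"", b""
    # restore the CRLF of the last header line so "...close\r\n" patterns can hit
    return parts[0].decode(), parts[1].decode(), headers + b"\r\n", body

def match_rules(raw: bytes):
    """Return the sids of every rule whose content checks all hit on this request."""
    method, uri, headers, body = parse_request(raw)
    hits = []
    for sid, m, uri_pats, body_pats, hdr_pats in RULES:
        if method != m:
            continue
        if (all(p in uri for p in uri_pats)
                and all(p.encode() in body for p in body_pats)
                and all(p.encode() in headers for p in hdr_pats)):
            hits.append(sid)
    return hits

# Constructed samples (hostnames/values are placeholders, not real indicators).
CHECK = (b"GET /ct_if/ctpublic/Check_Exist.php HTTP/1.1\r\n"
         b"Host: example.invalid\r\n\r\n")
LOGIN = (b"POST /login HTTP/1.1\r\nHost: example.invalid\r\n"
         b"User-Agent: Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/23.0\r\n"
         b"Referer: http://example.invalid/\r\nConnection: close\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         b"username=MD5Sum&password=MD5Sum&button=Login")
CMD = (b"GET /insert/index?id=1&hst=HOST&ttype=1&state=0 HTTP/1.1\r\n"
       b"Host: example.invalid\r\nCookie: a=b\r\nConneciton: close\r\n\r\n")
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\nConnection: close\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("CHECK", CHECK), ("LOGIN", LOGIN), ("CMD", CMD), ("BENIGN", BENIGN)]:
        print(name, match_rules(req))
```

Because every check is a plain substring test, a request that drops one of the rule's required headers or body fields simply stops matching, which is the same gap a real Snort deployment would have with these rules.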
