[Snort-sigs] Win.Backdoor.StoneDrill

Tyler Montier tmontier at ...435...
Wed Mar 8 08:39:05 EST 2017


Yaser,

Thanks for your submission. We will review the rules and get back to you
when they're finished.

Sincerely,

Tyler Montier
Cisco Talos

On Tue, Mar 7, 2017 at 3:31 PM, Y M <snort at ...3751...> wrote:

> Hello,
>
>
> Hope all is well. The below rules were derived from the reference report.
> No pcaps are available, so the rules are only sanity checked.
>
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.StoneDrill server selection outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/ct_if/ctpublic/Check_Exist.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf; classtype:trojan-activity; sid:1000870; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.StoneDrill login outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"username=MD5Sum"; fast_pattern:only; http_client_body; content:"&password=MD5Sum"; http_client_body; content:"&button=Login"; http_client_body; content:"Referer|3A 20|"; http_header; content:"Connection|3A 20|close|0D 0A|"; http_header; content:" Firefox/23.0|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf; classtype:trojan-activity; sid:1000871; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.StoneDrill get commands outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/insert/index?id="; fast_pattern:only; http_uri; content:"&hst="; http_uri; content:"&ttype="; http_uri; content:"&state="; http_uri; content:"Cookie|3A 20|"; http_header; content:"Conneciton|3A 20|close|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf; classtype:trojan-activity; sid:1000872; rev:1;)
>
> Thank you.
> YM
>
>
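One offline way to do the sanity check the post mentions when no pcap is available. This is an added example, not the poster's or Talos's code and not Snort itself: a small parser pulls the content patterns and sticky buffers out of the three rules and applies them to constructed HTTP requests the way Snort's HTTP inspector would. The rules are the ones quoted above, re-joined onto single lines (the leading space in the Firefox content is kept); hostnames, the login path and the query parameter values are constructed placeholders, not captured traffic. Running it shows each rule firing only on its own request, and that sid 1000872 needs the header spelled Conneciton exactly as written in the rule, so a request with the standard spelling does not fire it; whether that spelling reflects the sample's real traffic or a transcription slip is something only the report or a pcap can settle.

```python
"""Offline sanity check for the three StoneDrill rules posted above.

Added example, not part of the original post and not Snort's own engine: a
minimal option splitter pulls each rule's content patterns and the sticky
buffer they apply to, then tests them against constructed HTTP requests the
way Snort's HTTP inspector would (substring search in http_method, http_uri,
http_header and http_client_body). The requests are built here from the rule
contents and are not captured traffic; hostnames are placeholders.
"""

# The three rules as posted (sids 1000870-1000872), re-joined onto single lines.
RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.StoneDrill '
    'server selection outbound connection"; flow:to_server,established; content:"GET"; http_method; '
    'content:"/ct_if/ctpublic/Check_Exist.php"; fast_pattern:only; http_uri; metadata:ruleset community, '
    'service http; reference:url,securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf; '
    'classtype:trojan-activity; sid:1000870; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.StoneDrill '
    'login outbound connection"; flow:to_server,established; content:"POST"; http_method; '
    'content:"username=MD5Sum"; fast_pattern:only; http_client_body; content:"&password=MD5Sum"; '
    'http_client_body; content:"&button=Login"; http_client_body; content:"Referer|3A 20|"; http_header; '
    'content:"Connection|3A 20|close|0D 0A|"; http_header; content:" Firefox/23.0|0D 0A|"; http_header; '
    'metadata:ruleset community, service http; reference:url,securelist.com/files/2017/03/'
    'Report_Shamoon_StoneDrill_final.pdf; classtype:trojan-activity; sid:1000871; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.StoneDrill '
    'get commands outbound connection"; flow:to_server,established; content:"GET"; http_method; '
    'content:"/insert/index?id="; fast_pattern:only; http_uri; content:"&hst="; http_uri; '
    'content:"&ttype="; http_uri; content:"&state="; http_uri; content:"Cookie|3A 20|"; http_header; '
    'content:"Conneciton|3A 20|close|0D 0A|"; http_header; metadata:ruleset community, service http; '
    'reference:url,securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf; '
    'classtype:trojan-activity; sid:1000872; rev:1;)',
]
STICKY_BUFFERS = {"http_method", "http_uri", "http_header", "http_client_body"}


def split_options(rule: str) -> list[str]:
    """Split the body inside the rule's parentheses on ';' outside quotes."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    options, current, in_quotes = [], "", False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            options.append(current.strip())
            current = ""
        else:
            current += ch
    return options + ([current.strip()] if current.strip() else [])


def decode_content(text: str) -> bytes:
    """Turn a Snort content string into bytes, expanding |hex| blocks."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def rule_contents(rule: str) -> list[tuple[bytes, str]]:
    """Return (pattern, buffer) pairs in rule order; 'raw' if no buffer modifier follows."""
    contents = []
    for opt in split_options(rule):
        if opt.startswith("content:"):
            literal = opt[len("content:"):].strip().strip('"')
            contents.append([decode_content(literal), "raw"])
        elif opt in STICKY_BUFFERS and contents:
            contents[-1][1] = opt
    return [tuple(c) for c in contents]


def rule_sid(rule: str) -> int:
    return next(int(o[4:]) for o in split_options(rule) if o.startswith("sid:"))


def http_buffers(request: bytes) -> dict[str, bytes]:
    """Split a raw client request into the buffers Snort's HTTP inspector exposes."""
    head, _, body = request.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    method, uri = request_line.split(b" ")[:2]
    return {"http_method": method, "http_uri": uri, "raw": request,
            "http_header": headers + b"\r\n" if headers else b"",
            "http_client_body": body}


def rule_matches(rule: str, request: bytes) -> bool:
    """True when every content pattern occurs in its designated buffer."""
    buffers = http_buffers(request)
    return all(pat in buffers[buf] for pat, buf in rule_contents(rule))


def matching_sids(request: bytes) -> list[int]:
    return [rule_sid(r) for r in RULES if rule_matches(r, request)]


# Constructed requests: one per rule, one with the standard "Connection"
# spelling (sid 1000872 needs the literal "Conneciton"), and one benign.
SAMPLE_REQUESTS = {
    "check_exist": (b"GET /ct_if/ctpublic/Check_Exist.php HTTP/1.1\r\n"
                    b"Host: c2.example.invalid\r\n\r\n"),
    "login": (b"POST /login.php HTTP/1.1\r\nHost: c2.example.invalid\r\n"
              b"User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0\r\n"
              b"Referer: http://c2.example.invalid/\r\nConnection: close\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
              b"username=MD5Sum&password=MD5Sum&button=Login"),
    "get_commands": (b"GET /insert/index?id=1&hst=WS01&ttype=0&state=1 HTTP/1.1\r\n"
                     b"Host: c2.example.invalid\r\nCookie: PHPSESSID=x\r\nConneciton: close\r\n\r\n"),
    "get_commands_standard_spelling": (
        b"GET /insert/index?id=1&hst=WS01&ttype=0&state=1 HTTP/1.1\r\n"
        b"Host: c2.example.invalid\r\nCookie: PHPSESSID=x\r\nConnection: close\r\n\r\n"),
    "benign": b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\nConnection: close\r\n\r\n",
}

if __name__ == "__main__":
    for name, request in SAMPLE_REQUESTS.items():
        print(f"{name:32} -> {matching_sids(request)}")
```

The matcher only implements what these three rules use (plain content searches in sticky buffers); relative modifiers such as distance, within or pcre are not handled, so it is a quick pre-check on rule logic rather than a replacement for running the rules through Snort against real traffic once a pcap turns up.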

