[Snort-sigs] Win.Trojan.NeutrinoBot

Y M snort at ...3751...
Thu Mar 9 01:49:03 EST 2017


Hello,

The rules below were derived from the referenced article. Reviewing the existing signature sid:32670, it may hit on the initial outbound connection. Subsequent traffic may not trigger the rule, given the HTTP header differences. No pcap is available for this one. If these rules seem redundant, please ignore them.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.NeutrinoBot initial outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/tasks.php"; fast_pattern:only; http_uri; content:"Cookie|3A 20|auth="; http_header; content:"ZW50ZXI="; http_client_body; content:!"Connection"; http_header; content:!"Accept"; http_header; metadata:ruleset community, service http; reference:url,blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/; reference:url,www.virustotal.com/en/file/45abc50e837a3e0c4df842fe8c3aa54e103d690d67f89d78059878bd3acc67ab/analysis/; classtype:trojan-activity; sid:1000873; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.NeutrinoBot success inbound connection"; flow:to_client,established; content:"404"; http_stat_code; file_data; content:"<!---c3VjY2Vzcw==--->"; metadata:ruleset community, service http; reference:url,blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/; reference:url,www.virustotal.com/en/file/45abc50e837a3e0c4df842fe8c3aa54e103d690d67f89d78059878bd3acc67ab/analysis/; classtype:trojan-activity; sid:1000874; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.NeutrinoBot outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/tasks.php"; fast_pattern:only; http_uri; content:"Cookie|3A 20|auth="; http_header; content:"Connection|3A 20|close|0D 0A|"; http_header; content:"|20|form-data|3B|name=|22|fname|22|"; content:"|20|form-data|3B 20|name=|22|data|22|"; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/; reference:url,www.virustotal.com/en/file/45abc50e837a3e0c4df842fe8c3aa54e103d690d67f89d78059878bd3acc67ab/analysis/; classtype:trojan-activity; sid:1000875; rev:1;)

Thanks.
YM
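Since no pcap exists for this sample, the following added example (editor's code, not part of the original post or of any Snort/Talos tooling) builds constructed HTTP messages that satisfy the content options of the three rules exactly as written, and runs them through a simplified evaluator of those options. The host name, cookie token, boundary and file names are hypothetical; the base64 literals and header/body patterns are taken from the rules themselves. It shows which message each rule would fire on and why the browser-style variant with an Accept header is left alone by the negated contents.

```python
import base64

# Each rule is modelled as the list of (buffer, pattern, negated) checks its content
# options express. Buffer names follow the Snort modifiers; "raw" is a content with
# no modifier (the two form-data contents in sid 1000875 have none).
RULES = {
    1000873: [  # initial outbound connection
        ("method", b"POST", False),
        ("uri", b"/tasks.php", False),
        ("header", b"Cookie: auth=", False),          # Cookie|3A 20|auth=
        ("body", b"ZW50ZXI=", False),                 # http_client_body
        ("header", b"Connection", True),              # content:!"Connection"
        ("header", b"Accept", True),                  # content:!"Accept"
    ],
    1000874: [  # success inbound connection
        ("stat_code", b"404", False),
        ("file_data", b"<!---c3VjY2Vzcw==--->", False),
    ],
    1000875: [  # outbound task traffic
        ("method", b"POST", False),
        ("uri", b"/tasks.php", False),
        ("header", b"Cookie: auth=", False),
        ("header", b"Connection: close\r\n", False),   # Connection|3A 20|close|0D 0A|
        ("raw", b' form-data;name="fname"', False),    # |20|form-data|3B|name=|22|fname|22|
        ("raw", b' form-data; name="data"', False),    # |20|form-data|3B 20|name=|22|data|22|
        ("header", b"Accept", True),
        ("header", b"Referer", True),
    ],
}


def http_buffers(raw: bytes) -> dict:
    """Split one HTTP message into the buffers the rules test.

    Approximates http_inspect: the header buffer is every header line (without the
    request/status line) terminated by CRLF; body and file_data are whatever follows
    the blank line. Requests get method/uri, responses get stat_code.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    start, *hdr_lines = head.split(b"\r\n")
    parts = start.split(b" ", 2)
    bufs = {
        "raw": raw,
        "header": b"".join(line + b"\r\n" for line in hdr_lines),
        "body": body,
        "file_data": body,
    }
    if parts[0].startswith(b"HTTP/"):
        bufs["stat_code"] = parts[1]
    else:
        bufs["method"], bufs["uri"] = parts[0], parts[1]
    return bufs


def matching_sids(raw: bytes) -> list:
    """Return the SIDs whose checks all hold for this message."""
    bufs = http_buffers(raw)
    # A rule fires only if every plain content is found and no negated content is.
    return [sid for sid, checks in RULES.items()
            if all((pat in bufs.get(buf, b"")) != negated for buf, pat, negated in checks)]


def decode_markers() -> dict:
    """Decode the two base64 literals the rules carry, to show what they encode."""
    return {tok: base64.b64decode(tok).decode() for tok in ("ZW50ZXI=", "c3VjY2Vzcw==")}


# --- constructed samples (hypothetical host, token, boundary and file names) ---
COOKIE = b"Cookie: auth=0123456789abcdef\r\n"

INITIAL_CHECKIN = (
    b"POST /tasks.php HTTP/1.1\r\n"
    b"Host: c2.example.invalid\r\n" + COOKIE +
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 8\r\n\r\n"
    + base64.b64encode(b"enter")            # body is literally ZW50ZXI=
)

SUCCESS_REPLY = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body><!---c3VjY2Vzcw==---></body></html>"
)

TASK_UPLOAD = (
    b"POST /tasks.php HTTP/1.1\r\n"
    b"Host: c2.example.invalid\r\n" + COOKIE +
    b"Connection: close\r\n"
    b"Content-Type: multipart/form-data; boundary=----bnd\r\n\r\n"
    b"------bnd\r\n"
    b'Content-Disposition: form-data;name="fname"\r\n\r\nscreen.jpg\r\n'
    b"------bnd\r\n"
    b'Content-Disposition: form-data; name="data"\r\n\r\n<bytes>\r\n'
    b"------bnd--\r\n"
)

# Same URI, cookie and body, but browser-style headers: the negated Accept content
# keeps sid 1000873 quiet, which is the header difference the post is about.
BROWSER_LIKE = (
    b"POST /tasks.php HTTP/1.1\r\n"
    b"Host: c2.example.invalid\r\n" + COOKIE +
    b"Accept: */*\r\n"
    b"Connection: keep-alive\r\n"
    b"Content-Length: 8\r\n\r\n"
    b"ZW50ZXI="
)

if __name__ == "__main__":
    print(decode_markers())
    for name, msg in [("INITIAL_CHECKIN", INITIAL_CHECKIN), ("SUCCESS_REPLY", SUCCESS_REPLY),
                      ("TASK_UPLOAD", TASK_UPLOAD), ("BROWSER_LIKE", BROWSER_LIKE)]:
        print(f"{name:16} -> {matching_sids(msg)}")
```

Two things the model makes visible that are worth checking before deploying the rules as posted. First, the two form-data contents in sid 1000875 carry no http_client_body modifier, so they are searched in the raw payload rather than the normalized body buffer, and the first of them (`|3B|name=`) lacks the space after the semicolon that the second (`|3B 20|name=`) has; the sample above is built to satisfy both literally, but the actual bot format should be confirmed against the article. Second, the model treats the Cookie line as part of the header buffer; on a Snort 2 sensor whose http_inspect configuration sets enable_cookie, the cookie value is moved out of http_header into the http_cookie buffer, so `Cookie|3A 20|auth=` under http_header would need to be re-tested on that deployment.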
