[Snort-sigs] Win.Trojan.Proxysvc

Phillip Lee phillile at sourcefire.com
Fri Apr 27 10:56:04 EDT 2018


Thanks for your submission. We will review the rules and get back to you when they're finished. 

Phil Lee
Cisco Talos

> On Apr 27, 2018, at 10:13 AM, Y M via Snort-sigs <snort-sigs at lists.snort.org> wrote:
> Hi,
> I was not able to find information to write signatures of the TLS traffic. However, the malware listener accepts rather unique HTTP traffic according to the analysis in the reference. No pcaps available.
> # Title: Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide
> # Reference: https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/ <https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Proxysvc listener inbound execute command"; flow:to_server,established; content:"Content-Type|3A 20|8U7y3Ju387mVp49A"; fast_pattern:only; http_header; content:"Content-Length"; http_header; metadata:ruleset community, service http; reference:url,securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/ <http://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/>; classtype:trojan-activity; sid:8000019; rev:1;)
> Thanks.
> YM
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.snort.org <mailto:Snort-sigs at lists.snort.org>
> https://lists.snort.org/mailman/listinfo/snort-sigs <https://lists.snort.org/mailman/listinfo/snort-sigs>
> Please visit http://blog.snort.org <http://blog.snort.org/> for the latest news about Snort!
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette <https://snort.org/faq/what-is-the-mailing-list-etiquette>
> Visit the Snort.org <http://snort.org/> to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads <https://snort.org/downloads/#rule-downloads>">emerging threats</a>!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20180427/70b89538/attachment-0001.html>

More information about the Snort-sigs mailing list