[Snort-sigs] Win.Trojan.UDPOS

Phillip Lee phillile at sourcefire.com
Wed Feb 14 11:18:54 EST 2018


Yaser,

Thanks for your submission. We will review the rules and get back to you when they're finished. 

Can you send along the pcaps that you have? 

Regards,
Phil Lee
Cisco Talos

> On Feb 13, 2018, at 12:49 PM, Y M via Snort-sigs <snort-sigs at lists.snort.org> wrote:
> 
> Hi,
> 
> The below signatures are of the UDPOS point-of-sale malware. Pcap is available for this one. Opted for a rule per message as opposed to bundling message types into two rules.
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.UDPOS external IP address check attempt"; flow:to_server,established; content:"User-Agent|3A 20|Browser|0D 0A|"; fast_pattern:only; http_header; content:"/index.php?"; http_uri; content:"udpool="; distance:0; http_uri; metadata:ruleset community, service http; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns <http://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns>; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection <http://www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection>; classtype:trojan-activity; sid:9000025; rev:1;)
> 
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS data exfiltration via DNS attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|"; content:"|03|bin"; offset:16; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; pcre:"/[a-f0-9]{15}\x03bin(([\x10-\x1f][a-f0-9]{10,31}){4}).+\x00\x00/"; metadata:ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns <http://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns>; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection <http://www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection>; classtype:trojan-activity; sid:9000026; rev:1;)
> 
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS data exfiltration via DNS attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|"; content:"|03|trp"; offset:16; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; pcre:"/[a-f0-9]{15}\x03trp(([\x10-\x1f][a-f0-9]{10,31}){4}).+\x00\x00/"; metadata:ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns <http://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns>; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection <http://www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection>; classtype:trojan-activity; sid:9000027; rev:1;)
> 
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS data exfiltration via DNS attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|"; content:"|04|info"; offset:16; byte_test:1,<,40,0,relative; byte_jump:1,0,relative; byte_test:1,<,40,0,relative; byte_jump:1,0,relative; byte_test:1,<40,35,0,relative; byte_jump:1,0,relative; byte_test:1,<=,40,0,relative; pcre:"/[a-f0-9]{15}\x04info(([\x10-\x28][a-f0-9]{10,40}){4}).+\x00\x00/"; metadata:ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns <http://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns>; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection <http://www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection>; classtype:trojan-activity; sid:9000028; rev:1;)
> 
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS data exfiltration via DNS attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|"; content:"|04|ping"; offset:16; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; pcre:"/[a-f0-9]{15}\x04ping(([\x10-\x1f][a-f0-9]{10,31}){4}).+\x00\x00/"; metadata:ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns <http://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns>; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection <http://www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection>; classtype:trojan-activity; sid:9000029; rev:1;)
> 
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS data exfiltration via DNS attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|"; content:"|04|note"; offset:16; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; pcre:"/[a-f0-9]{15}\x04note(([\x10-\x1f][a-f0-9]{10,31}){4}).+\x00\x00/"; metadata:ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns <http://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns>; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection <http://www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection>; classtype:trojan-activity; sid:9000030; rev:1;)
> 
> Thanks.
> YM
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.snort.org <mailto:Snort-sigs at lists.snort.org>
> https://lists.snort.org/mailman/listinfo/snort-sigs <https://lists.snort.org/mailman/listinfo/snort-sigs>
> 
> Please visit http://blog.snort.org <http://blog.snort.org/> for the latest news about Snort!
> 
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette <https://snort.org/faq/what-is-the-mailing-list-etiquette>
> 
> Visit the Snort.org <http://snort.org/> to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads <https://snort.org/downloads/#rule-downloads>">emerging threats</a>!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20180214/872127fa/attachment-0001.html>


More information about the Snort-sigs mailing list