[Snort-sigs] Multiple signatures 005

Y M snort at outlook.com
Mon Jul 23 12:59:44 EDT 2018


Hi,

May I suggest having a look at a21b5295ca0e1f10ca7c3f76b632e4de (Win.Trojan.Swrort below): PowerShell command execution via a DNS TXT response. Pcaps are available for all of the rules.

# --------------------
# Date: 2018-07-21
# Title: Win.Trojan.Fuerboos, Win.Trojan.NeutrinoBot
# Tests: pcap
# Reference:
#    - https://www.virustotal.com/#/file/8b9cf529dab1992fa37508dcd02173e615c2f3d95a46f2059d06050dd7dbcb0f/detection
# Confidence: medium
# Notes:
#    - All three rules share the same anchor: "/tasks.php" in the normalized URI (fast pattern) plus a
#      "Cookie: " header line, and differ only in which request-body parameters they require.
#    - The body contents are non-relative substring matches, so parameter order is not enforced and
#      "auth=1" (sid:8000190) also matches e.g. "xauth=1" or "auth=10"; anchoring it (preceding "&" or
#      body start) would tighten the rule if false positives show up.
#    - NOTE(review): with http_inspect's enable_cookie the Cookie line is extracted into the http_cookie
#      buffer; confirm `content:"Cookie: "; http_header;` still matches under the target preprocessor config.
#    - The Title lists Win.Trojan.Fuerboos but every msg names NeutrinoBot -- confirm the intended naming.

# sid:8000190 - request to /tasks.php whose body contains "auth=1"
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.NeutrinoBot variant outbound connection"; flow:to_server,established; content:"/tasks.php"; fast_pattern:only; http_uri; content:"Cookie: "; http_header; content:"auth=1"; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/8b9cf529dab1992fa37508dcd02173e615c2f3d95a46f2059d06050dd7dbcb0f/detection; classtype:trojan-activity; sid:8000190; rev:1;)

# sid:8000191 - request to /tasks.php whose body carries cmd=, &uid=, &os= and &av= parameters
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.NeutrinoBot variant outbound connection"; flow:to_server,established; content:"/tasks.php"; fast_pattern:only; http_uri; content:"Cookie: "; http_header; content:"cmd="; http_client_body; content:"&uid="; http_client_body; content:"&os="; http_client_body; content:"&av="; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/8b9cf529dab1992fa37508dcd02173e615c2f3d95a46f2059d06050dd7dbcb0f/detection; classtype:trojan-activity; sid:8000191; rev:1;)

# sid:8000192 - request to /tasks.php whose body carries fail= and &task_id= parameters
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.NeutrinoBot variant outbound connection"; flow:to_server,established; content:"/tasks.php"; fast_pattern:only; http_uri; content:"Cookie: "; http_header; content:"fail="; http_client_body; content:"&task_id="; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/8b9cf529dab1992fa37508dcd02173e615c2f3d95a46f2059d06050dd7dbcb0f/detection; classtype:trojan-activity; sid:8000192; rev:1;)

# --------------------
# Date: 2018-07-21
# Title: Win.Trojan.GenKryptik (Talos File Reputation: W32.3A4A773CDF-95.SBX.TG)
# Tests: pcap
# Reference:
#    - https://www.virustotal.com/#/file/3a4a773cdfa20182f6fab817d010a0a47e94784e1b02e009c1c5c9766b43a25f/detection
# Confidence: medium
# Notes:
#    - urilen:10 pins the URI to exactly "/index.php" (10 bytes), so a longer path or a query string
#      will not match even though the http_uri content itself is a substring test.
#    - The MSIE 6.0b User-Agent line is the fast pattern (|3B| is the escaped ";" that would otherwise
#      terminate the option). The four negated header contents require a minimal POST that carries no
#      Content-Type, Connection, Accept or Referer header; as substring tests they also exclude
#      Accept-Encoding/Accept-Language, which looks intended for this client.

# sid:8000194 - bare POST /index.php with the legacy MSIE 6.0b User-Agent and almost no other headers
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GenKryptik outbound connection"; flow:to_server,established; urilen:10; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0b|3B| Windows NT 5.1)"; fast_pattern:only; http_header; content:"/index.php"; http_uri; content:"POST"; http_method; content:"Content-Length"; http_header; content:!"Content-Type"; http_header; content:!"Connection"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/3a4a773cdfa20182f6fab817d010a0a47e94784e1b02e009c1c5c9766b43a25f/detection; classtype:trojan-activity; sid:8000194; rev:1;)

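# --------------------
# Date: 2018-07-22
# Title: Win.Trojan.MSIL (ClamAV: Win.Trojan.Agent-1288686, Talos File Reputation: W32.Auto:cc093c.in03.Talos)
# Tests: pcap
# Reference:
#    - https://www.virustotal.com/#/file/cc093cca83f700878856b06cb3623a912550d44f82071e88cbbc160381391a91/detection
# Confidence: medium
# Notes:
#    - The fast pattern is "&wallets=" in the normalized URI; the other URI contents (?hwid=, &pswd=,
#      &telegram=) are non-relative, so their order in the query string is not enforced.
#    - The body must contain the multipart form-data field header name="file"; (|22| is '"', |3B| is the
#      escaped ';') and the request must carry no User-Agent header at all.
#    - msg typo fixed: "conneciton" -> "connection"; rev left at 1 since the rule is still a proposal.

# sid:8000195 - upload to a URI carrying hwid/pswd/telegram/wallets parameters, without a User-Agent
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL outbound connection"; flow:to_server,established; content:"&wallets="; fast_pattern:only; http_uri; content:"?hwid="; http_uri; content:"&pswd="; http_uri; content:"&telegram="; http_uri; content:"name=|22|file|22 3B|"; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/cc093cca83f700878856b06cb3623a912550d44f82071e88cbbc160381391a91/detection; classtype:trojan-activity; sid:8000195; rev:1;)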

# --------------------
# Date: 2018-07-22
# Title: Win.Trojan.Swrort (ClamAV: Win.Trojan.Swrort-5710536-0)
# Tests: pcap
# Reference:
#    - https://www.virustotal.com/#/file/c4f069d079330cd46e51f9469c27015ed34c6371481df83a323bc098f3b53382/detection
# Confidence: medium
# Notes:
#    - PowerShell execution via DNS TXT
#    - The word "shino" in the domains may be used for "what" in some dialects
#    - sid:8000196/8000197 (TXT responses): |00 10 00 01 00 00| is RR type TXT (0x0010), class IN (0x0001),
#      followed by what appear to be the two leading TTL bytes. Both rules use "any any" as the source, so
#      direction rests entirely on flow:to_client and UDP session tracking -- confirm that suits the
#      deployment. No fast_pattern is set, so Snort selects the longest content. "powershell " is relative
#      to the RR header (distance:0) while "new-object net.webclient" is not; adding `distance:0;` to
#      sid:8000197 would make the two consistent.
#    - sid:8000198/8000199 (queries): byte_test:1,!&,0xF8,2 requires the QR and opcode bits of the flags
#      byte to be clear, i.e. a standard query. The names are length-prefixed DNS labels (|09|shinohack|02|me,
#      |0B|shinobotps1|03|com) and the trailing |00 10 00 01| / |00 01 00 01| select a TXT resp. an A query.
#      NOTE(review): that trailing content is distance:0-relative to a `fast_pattern:only` content; confirm
#      the Snort version in use accepts a fast_pattern:only content as the anchor of a relative match.
#    - sid:8000200 (certificate): |16 03 01| is a TLS handshake record with version 3.1, |02| after the
#      2-byte record length is a ServerHello, |03 01| after the 3-byte handshake length is the hello
#      version, and |55 04 03 13 0F|shinobotps1.com is the X.509 commonName OID (2.5.4.3) as a
#      15-byte PrintableString. The hard-coded 3.1 versions and the PrintableString tag (0x13) mean a
#      server negotiating 3.2/3.3 or encoding the CN as UTF8String (0x0C) would not match -- presumably
#      fine for this sample, but worth knowing if the infrastructure changes.

# sid:8000196 - DNS TXT response (>100 bytes) whose TXT data contains "powershell "
alert udp any any -> $HOME_NET any (msg:"MALWARE-CNC PowerShell command in DNS TXT Response"; flow:to_client; dsize:>100; content:"|00 10 00 01 00 00|"; content:"powershell "; distance:0; nocase; metadata:ruleset community, service dns; reference:url,www.virustotal.com/#/file/c4f069d079330cd46e51f9469c27015ed34c6371481df83a323bc098f3b53382/detection; classtype:trojan-activity; sid:8000196; rev:1;)

# sid:8000197 - DNS TXT response (>100 bytes) that also contains "new-object net.webclient" (non-relative)
alert udp any any -> $HOME_NET any (msg:"MALWARE-CNC PowerShell command in DNS TXT Response"; flow:to_client; dsize:>100; content:"|00 10 00 01 00 00|"; content:"new-object net.webclient"; nocase; metadata:ruleset community, service dns; reference:url,www.virustotal.com/#/file/c4f069d079330cd46e51f9469c27015ed34c6371481df83a323bc098f3b53382/detection; classtype:trojan-activity; sid:8000197; rev:1;)

# sid:8000198 - standard DNS query, type TXT, for shinohack.me
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-OTHER DNS request for known malware domain shinohack.me - Win.Trojan.Swrort"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|shinohack|02|me"; fast_pattern:only; content:"|00 10 00 01|"; distance:0; metadata:ruleset community, service dns; reference:url,www.virustotal.com/#/file/c4f069d079330cd46e51f9469c27015ed34c6371481df83a323bc098f3b53382/detection; classtype:trojan-activity; sid:8000198; rev:1;)

# sid:8000199 - standard DNS query, type A, for shinobotps1.com
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-OTHER DNS request for known malware domain shinobotps1.com - Win.Trojan.Swrort"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|shinobotps1|03|com"; fast_pattern:only; content:"|00 01 00 01|"; distance:0; metadata:ruleset community, service dns; reference:url,www.virustotal.com/#/file/c4f069d079330cd46e51f9469c27015ed34c6371481df83a323bc098f3b53382/detection; classtype:trojan-activity; sid:8000199; rev:1;)

# sid:8000200 - inbound TLS ServerHello on any port followed by a certificate whose CN is shinobotps1.com
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Swrort inbound SSL certificate"; flow:to_client,established; content:"|16 03 01|"; content:"|02|"; distance:2; content:"|03 01|"; distance:3; content:"|55 04 03 13 0F|shinobotps1.com"; metadata:ruleset community, service ssl; reference:url,app.any.run/tasks/95c76eff-5118-46d1-9e62-cc5d4d2a1310; classtype:trojan-activity; sid:8000200; rev:1;)

Thanks.
YM