[Snort-sigs] Multiple signatures 005

Marcos Rodriguez mrodriguez at sourcefire.com
Mon Jul 23 14:55:58 EDT 2018


On Mon, Jul 23, 2018 at 12:59 PM, Y M via Snort-sigs <
snort-sigs at lists.snort.org> wrote:

> Hi,
>
> May I suggest enjoying a21b5295ca0e1f10ca7c3f76b632e4de
> (Win.Trojan.Swrort below); PowerShell command execution via DNS TXT
> response. Pcaps are available for all of the rules.
>
> # --------------------
> # Date: 2018-07-21
> # Title: Win.Trojan.Fuerboos, Win.Trojan.NeutrinoBot
> # Tests: pcap
> # Reference:
> #    - https://www.virustotal.com/#/file/8b9cf529dab1992fa37508dcd02173e615c2f3d95a46f2059d06050dd7dbcb0f/detection
> # Confidence: medium
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.NeutrinoBot variant outbound connection"; flow:to_server,established; content:"/tasks.php"; fast_pattern:only; http_uri; content:"Cookie: "; http_header; content:"auth=1"; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/8b9cf529dab1992fa37508dcd02173e615c2f3d95a46f2059d06050dd7dbcb0f/detection; classtype:trojan-activity; sid:8000190; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.NeutrinoBot variant outbound connection"; flow:to_server,established; content:"/tasks.php"; fast_pattern:only; http_uri; content:"Cookie: "; http_header; content:"cmd="; http_client_body; content:"&uid="; http_client_body; content:"&os="; http_client_body; content:"&av="; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/8b9cf529dab1992fa37508dcd02173e615c2f3d95a46f2059d06050dd7dbcb0f/detection; classtype:trojan-activity; sid:8000191; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.NeutrinoBot variant outbound connection"; flow:to_server,established; content:"/tasks.php"; fast_pattern:only; http_uri; content:"Cookie: "; http_header; content:"fail="; http_client_body; content:"&task_id="; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/8b9cf529dab1992fa37508dcd02173e615c2f3d95a46f2059d06050dd7dbcb0f/detection; classtype:trojan-activity; sid:8000192; rev:1;)
>
> # --------------------
> # Date: 2018-07-21
> # Title: Win.Trojan.GenKryptik (Talos File Reputation: W32.3A4A773CDF-95.SBX.TG)
> # Tests: pcap
> # Reference:
> #    - https://www.virustotal.com/#/file/3a4a773cdfa20182f6fab817d010a0a47e94784e1b02e009c1c5c9766b43a25f/detection
> # Confidence: medium
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GenKryptik outbound connection"; flow:to_server,established; urilen:10; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0b|3B| Windows NT 5.1)"; fast_pattern:only; http_header; content:"/index.php"; http_uri; content:"POST"; http_method; content:"Content-Length"; http_header; content:!"Content-Type"; http_header; content:!"Connection"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/3a4a773cdfa20182f6fab817d010a0a47e94784e1b02e009c1c5c9766b43a25f/detection; classtype:trojan-activity; sid:8000194; rev:1;)
>
> # --------------------
> # Date: 2018-07-22
> # Title: Win.Trojan.MSIL (ClamAV: Win.Trojan.Agent-1288686, Talos File Reputation: W32.Auto:cc093c.in03.Talos)
> # Tests: pcap
> # Reference:
> #    - https://www.virustotal.com/#/file/cc093cca83f700878856b06cb3623a912550d44f82071e88cbbc160381391a91/detection
> # Confidence: medium
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL outbound connection"; flow:to_server,established; content:"&wallets="; fast_pattern:only; http_uri; content:"?hwid="; http_uri; content:"&pswd="; http_uri; content:"&telegram="; http_uri; content:"name=|22|file|22 3B|"; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/cc093cca83f700878856b06cb3623a912550d44f82071e88cbbc160381391a91/detection; classtype:trojan-activity; sid:8000195; rev:1;)
>
> # --------------------
> # Date: 2018-07-22
> # Title: Win.Trojan.Swrort (ClamAV: Win.Trojan.Swrort-5710536-0)
> # Tests: pcap
> # Reference:
> #    - https://www.virustotal.com/#/file/c4f069d079330cd46e51f9469c27015ed34c6371481df83a323bc098f3b53382/detection
> # Confidence: medium
> # Notes:
> #    - PowerShell execution via DNS TXT
> #    - The word "shino" in the domains may be referred to as "what" in some dialects
>
> alert udp any any -> $HOME_NET any (msg:"MALWARE-CNC PowerShell command in DNS TXT Response"; flow:to_client; dsize:>100; content:"|00 10 00 01 00 00|"; content:"powershell "; distance:0; nocase; metadata:ruleset community, service dns; reference:url,www.virustotal.com/#/file/c4f069d079330cd46e51f9469c27015ed34c6371481df83a323bc098f3b53382/detection; classtype:trojan-activity; sid:8000196; rev:1;)
>
> alert udp any any -> $HOME_NET any (msg:"MALWARE-CNC PowerShell command in DNS TXT Response"; flow:to_client; dsize:>100; content:"|00 10 00 01 00 00|"; content:"new-object net.webclient"; nocase; metadata:ruleset community, service dns; reference:url,www.virustotal.com/#/file/c4f069d079330cd46e51f9469c27015ed34c6371481df83a323bc098f3b53382/detection; classtype:trojan-activity; sid:8000197; rev:1;)
>
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-OTHER DNS request for known malware domain shinohack.me - Win.Trojan.Swrort"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|shinohack|02|me"; fast_pattern:only; content:"|00 10 00 01|"; distance:0; metadata:ruleset community, service dns; reference:url,www.virustotal.com/#/file/c4f069d079330cd46e51f9469c27015ed34c6371481df83a323bc098f3b53382/detection; classtype:trojan-activity; sid:8000198; rev:1;)
>
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-OTHER DNS request for known malware domain shinobotps1.com - Win.Trojan.Swrort"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|shinobotps1|03|com"; fast_pattern:only; content:"|00 01 00 01|"; distance:0; metadata:ruleset community, service dns; reference:url,www.virustotal.com/#/file/c4f069d079330cd46e51f9469c27015ed34c6371481df83a323bc098f3b53382/detection; classtype:trojan-activity; sid:8000199; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Swrort inbound SSL certificate"; flow:to_client,established; content:"|16 03 01|"; content:"|02|"; distance:2; content:"|03 01|"; distance:3; content:"|55 04 03 13 0F|shinobotps1.com"; metadata:ruleset community, service ssl; reference:url,app.any.run/tasks/95c76eff-5118-46d1-9e62-cc5d4d2a1310; classtype:trojan-activity; sid:8000200; rev:1;)
>
> Thanks.
> YM
>
Hi Yaser,

Thanks for these submissions. We will review each of them and get back to
you when finished.  We'd appreciate any pcaps you could send, including the
follow-up email you sent for CVE-2018-2894. Have a great day!


-- 
Marcos Rodriguez
Cisco Talos
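The quoted Swrort DNS rules match on raw wire bytes, so it helps to see exactly what they do and do not catch. The Python below is an added example, not part of YM's submission or of Snort itself: it builds constructed DNS query and TXT-response messages and re-implements the checks behind the byte_test, content/distance and dsize options of sid 8000196 and sid 8000198/8000199, including the edge case that a TXT answer whose whole message is 100 bytes or shorter falls under the dsize:>100 floor and is not flagged. Function names and sample values are my own.

```python
import struct

def encode_name(name: str) -> bytes:
    """Wire-encode a domain: length-prefixed labels plus a terminating zero."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_query(domain: str, qtype: int, qr: bool = False) -> bytes:
    """Constructed DNS message with one question; qr=True sets the QR bit (a response)."""
    flags = 0x8100 if qr else 0x0100                  # RD set; QR only for responses
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    return header + encode_name(domain) + struct.pack("!HH", qtype, 1)

def build_txt_response(domain: str, text: str) -> bytes:
    """Constructed answer to a TXT query: one TXT/IN record, one character-string."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = encode_name(domain) + struct.pack("!HH", 0x0010, 1)
    rdata = bytes([len(text)]) + text.encode()
    # name pointer to the question (0xc00c), type TXT, class IN, TTL 3600, rdlength
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 0x0010, 1, 3600, len(rdata)) + rdata
    return header + question + answer

def requests_type(msg: bytes, domain: str, qtype: int) -> bool:
    """Mirrors sid 8000198/8000199: byte_test:1,!&,0xF8,2 means the third byte
    (high flags byte) has QR=0 and opcode=0, i.e. a standard query; then the
    encoded labels must appear, and |qtype 00 01| somewhere after them (distance:0)."""
    if len(msg) < 3 or msg[2] & 0xF8:
        return False
    labels = encode_name(domain)[:-1]                 # rule content omits the final zero
    at = msg.find(labels)
    return at != -1 and msg.find(struct.pack("!HH", qtype, 1), at + len(labels)) != -1

def txt_response_carries(msg: bytes, needle: bytes) -> bool:
    """Mirrors sid 8000196: dsize:>100, then a TXT/IN answer header whose two high
    TTL bytes are zero (|00 10 00 01 00 00|), then the keyword after it, nocase.
    (sid 8000197 differs only in searching its keyword anywhere in the packet.)"""
    if len(msg) <= 100:
        return False
    at = msg.find(b"\x00\x10\x00\x01\x00\x00")
    return at != -1 and needle.lower() in msg[at + 6:].lower()
```

Note that the |00 10 00 01 00 00| anchor also assumes a TTL below 65536 seconds; an answer served with a larger TTL would not hit the content match.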