[Snort-sigs] Multiple signatures 007

Y M snort at outlook.com
Mon Jul 30 14:09:48 EDT 2018


Hi,

An existing sid (45907) from the ruleset may require updates. Please see the notes associated with sid 8000217 below. Pcaps are available for most of the rules below.

# --------------------
# Date: 2018-07-29
# Title: CVE-2018-9919, Tpshop 2.0.8 Arbitrary File Download / SSRF
# Reference: https://packetstormsecurity.com/files/147434/Tpshop-2.0.8-Arbitrary-File-Download-SSRF.html
# Tests: syntax only

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Tpshop arbitrary file download attempt"; flow:to_server,established; urilen:>100; content:"/LinkTagTeet.php?"; fast_pattern:only; http_uri; content:"down_url="; http_uri; reference:cve,2018-9919; reference:url,packetstormsecurity.com/files/147434/Tpshop-2.0.8-Arbitrary-File-Download-SSRF.html; metadata:ruleset community, service http; classtype:attempted-admin; sid:8000215; rev:1;)

# --------------------
# Date: 2018-07-30
# Title: A mining multitool - Symbiosis of PowerShell and EternalBlue for cryptocurrency mining
# Reference:
#     - https://securelist.com/a-mining-multitool/86950/
# Tests: pcap
# Confidence: low
# Notes:
#     1. This relates to the decimal/base64 encoded binary downloads with the same HTTP
#        response headers as reported in "Multiple signatures 006" sid 8000209-8000210.
#        This was a coincidence and the reference was observed on 2018-07-30.
#     2. Not friendly with HTTP buffers/content matches.
#     3. SID 1:33872, MALWARE-CNC Win.Worm.Urahu is still relevant.
#     4. This may also be referred to as Skillis, Rozena, Urahu, Nitol, PowerGhost, and similar to WannaMine.

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.PowerGhost outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/4.0+|0D 0A|"; fast_pattern:only; content:!"Connection"; metadata:ruleset community, service http; reference:url,securelist.com/a-mining-multitool/86950/; classtype:trojan-activity; sid:8000216; rev:1;)

# --------------------
# Date: 2018-07-30
# Title: New Threat Actor Group DarkHydrus Targets Middle East Government
# Reference:
#     - https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/
# Tests: pcap
# Confidence: low
# Notes:
#     1. Existing sid 45907 requires modifications by changing the direction of the rule as follows:
#        alert udp $HOME_NET any -> $EXTERNAL_NET 53. This change is not posted below.
#     2. SID 8000217 has pcre to help eliminate FPs. Maybe add detection_filter?

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"MALWARE-CNC excessive DNS large TXT response records with zero-based TTL"; flow:to_client; dsize:>250; content:"|00 10 00 01|"; content:"|00 00 00 00|"; distance:0; fast_pattern; byte_test:1,>,190,2,relative; pcre:"/[\x41-\x5a\x61-\x7a]{190,255}/"; metadata:ruleset community, service dns; classtype:trojan-activity; sid:8000217; rev:1;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC inbound null SSL certificate"; flow:to_client,established; content:"|16 03 01|"; content:"|02|"; distance:2; content:"|03 01|"; distance:3; content:"|30 07 06 03 55 04 06 13 00 31 09|"; content:"|30 07 06 03 55 04 08 13 00 31 09|"; distance:0; content:"|30 07 06 03 55 04 07 13 00 31 09|"; distance:0; content:"|30 07 06 03 55 04 0A 13 00 31 09|"; distance:0; content:"|30 07 06 03 55 04 0B 13 00 31 09|"; distance:0; content:"|30 07 06 03 55 04 03 13 00|"; distance:0; metadata:ruleset community, service ssl; classtype:trojan-activity; sid:8000218; rev:1;)

# --------------------
# Date: 2018-07-30
# Title: PUA Adware Tweakbit
# Reference: Research
#     - https://www.virustotal.com/#/file/ba819dafd2f79f35d4fdafa57d772ab452e58d0bb9f98ebda9153a2f0cc7f218/detection
# Tests: pcap
# Confidence: medium

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Tweakbit outbound connection"; flow:to_server,established; urilen:8; content:"/collect"; fast_pattern:only; http_uri; content:"v="; http_client_body; content:"&tid="; http_client_body; content:"&cid="; http_client_body; content:"&ea="; http_client_body; content:"&el="; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/ba819dafd2f79f35d4fdafa57d772ab452e58d0bb9f98ebda9153a2f0cc7f218/detection; classtype:trojan-activity; sid:8000219; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Tweakbit outbound connection"; flow:to_server,established; content:"/tools/offers/"; fast_pattern:only; http_uri; content:"data=|7B|"; http_client_body; content:"|22|protocol|22|"; http_client_body; content:"|22|product|22|"; http_client_body; content:"|22|oslanguage|22|"; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/ba819dafd2f79f35d4fdafa57d772ab452e58d0bb9f98ebda9153a2f0cc7f218/detection; classtype:trojan-activity; sid:8000220; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Tweakbit outbound connection"; flow:to_server,established; content:"/tools/uninstalloffers/"; fast_pattern:only; http_uri; content:"request=|7B|"; http_client_body; content:"|22|protocol|22|"; http_client_body; content:"|22|product|22|"; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/ba819dafd2f79f35d4fdafa57d772ab452e58d0bb9f98ebda9153a2f0cc7f218/detection; classtype:trojan-activity; sid:8000221; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Tweakbit outbound connection"; flow:to_server,established; content:"/driverservice.asmx"; fast_pattern:only; http_uri; content:"SOAPAction: "; http_header; content:"<operatingSystemMajorVersion>"; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/ba819dafd2f79f35d4fdafa57d772ab452e58d0bb9f98ebda9153a2f0cc7f218/detection; classtype:trojan-activity; sid:8000222; rev:1;)

# --------------------
# Date: 2018-07-30
# Title: PUA Adware AdNaver
# Reference: Research
#     - https://www.virustotal.com/#/file/9cab0520f4d7c3ecbc310e55282861ca20d53959eaf6e93d8d6aa717347819da/detection
#     - https://app.any.run/tasks/16de6eff-d745-43d0-b463-a542e27ed4e5
# Tests: pcap
# Confidence: low

alert udp $HOME_NET any -> $EXTERNAL_NET 15000 (msg:"PUA-ADWARE AdNaver NAT service successful installation"; flow:to_server; content:"INSTALL|09|"; content:"|09 09|"; distance:36; content:"|5C|NAT Service|5C|"; content:"C:|5C|Users|5C|"; metadata:ruleset community; reference:url,app.any.run/tasks/16de6eff-d745-43d0-b463-a542e27ed4e5; classtype:trojan-activity; sid:8000223; rev:1;)

Thanks.
YM
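As an added illustration that is not part of the post above, the Python below replays the matching terms of sid 8000217 (TYPE TXT / CLASS IN, zero TTL, relative byte_test on the TXT length byte, and the alphabetic-run pcre) against a constructed DNS response, so it is clear what each term anchors on and how the dsize, byte_test and pcre checks interact. The record layout, names and sample payloads are assumptions for the demonstration, not data from the referenced report.

```python
import re
import struct

# Byte patterns taken from the rule's content matches.
TXT_IN = b"\x00\x10\x00\x01"    # content:"|00 10 00 01|"  TYPE=16 (TXT), CLASS=1 (IN)
ZERO_TTL = b"\x00\x00\x00\x00"  # content:"|00 00 00 00|"; distance:0  (TTL = 0)
ALPHA_RUN = re.compile(rb"[\x41-\x5a\x61-\x7a]{190,255}")  # the rule's (non-relative) pcre

def build_txt_record(txt: bytes, ttl: int) -> bytes:
    """Constructed TXT resource record: uncompressed name, type, class, ttl, rdlength, rdata."""
    name = b"\x03www\x07example\x03com\x00"           # constructed label, no compression pointer
    rdata = struct.pack("!B", len(txt)) + txt         # TXT rdata is a length-prefixed <character-string>
    return name + TXT_IN + struct.pack("!IH", ttl, len(rdata)) + rdata

def sample_response(txt_len: int, ttl: int, fill: bytes = b"A") -> bytes:
    """Constructed DNS response (1 question, 1 TXT answer) used as the UDP payload under test."""
    header = b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    question = b"\x03www\x07example\x03com\x00" + TXT_IN
    return header + question + build_txt_record(fill * txt_len, ttl)

def matches_sid_8000217(payload: bytes) -> bool:
    """Approximate the rule's evaluation order over a UDP payload (Snort also backtracks
    over content matches; this loop does the same for the first content)."""
    if len(payload) <= 250:                      # dsize:>250
        return False
    i = payload.find(TXT_IN)                     # first content, anywhere in payload
    while i != -1:
        j = payload.find(ZERO_TTL, i + len(TXT_IN))   # zero TTL, relative (distance:0)
        if j == -1:
            return False
        k = j + len(ZERO_TTL) + 2                # byte_test:1,>,190,2,relative -> skip RDLENGTH
        if k < len(payload) and payload[k] > 190 and ALPHA_RUN.search(payload):
            return True
        i = payload.find(TXT_IN, i + 1)
    return False
```

The byte_test caps at the single TXT length byte (191-255), which is why the pcre's {190,255} range lines up with it; a zero TTL alone, or a long TXT with a normal TTL, does not fire.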
