[Snort-sigs] Multiple signatures 007

Marcos Rodriguez mrodriguez at sourcefire.com
Mon Jul 30 15:01:43 EDT 2018


On Mon, Jul 30, 2018 at 2:09 PM, Y M via Snort-sigs <snort-sigs at lists.snort.org> wrote:

> Hi,
>
> An existing sid (45907) from the ruleset may require updates. Please see
> the notes associated with sid 8000217 below. Pcaps are available for most of the
> rules below.
>
> # --------------------
> # Date: 2018-07-29
> # Title: CVE-2018-9919, Tpshop 2.0.8 Arbitrary File Download / SSRF
> # Reference: https://packetstormsecurity.com/files/147434/Tpshop-2.0.8-Arbitrary-File-Download-SSRF.html
> # Tests: syntax only
>
> alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Tpshop arbitrary file download attempt"; flow:to_server,established; urilen:>100; content:"/LinkTagTeet.php?"; fast_pattern:only; http_uri; content:"down_url="; http_uri; reference:cve,2018-9919; reference:url,packetstormsecurity.com/files/147434/Tpshop-2.0.8-Arbitrary-File-Download-SSRF.html; metadata:ruleset community, service http; classtype:attempted-admin; sid:8000215; rev:1;)
>
> # --------------------
> # Date: 2018-07-30
> # Title: A mining multitool - Symbiosis of PowerShell and EternalBlue for cryptocurrency mining
> # Reference:
> #     - https://securelist.com/a-mining-multitool/86950/
> # Tests: pcap
> # Confidence: low
> # Notes:
> #     1. This relates to the decimal/base64 encoded binary downloads with the same HTTP
> #        response headers as reported in "Multiple signatures 006" sid 8000209-8000210.
> #        This was a coincidence and the reference was observed on 2018-07-30.
> #     2. Not friendly with HTTP buffers/content matches.
> #     3. SID 1:33872, MALWARE-CNC Win.Worm.Urahu is still relevant.
> #     4. This may also be referred to as Skillis, Rozena, Urahu, Nitol, PowerGhost, and similar to WannaMine.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.PowerGhost outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/4.0+|0D 0A|"; fast_pattern:only; content:!"Connection"; metadata:ruleset community, service http; reference:url,securelist.com/a-mining-multitool/86950/; classtype:trojan-activity; sid:8000216; rev:1;)
>
> # --------------------
> # Date: 2018-07-30
> # Title: New Threat Actor Group DarkHydrus Targets Middle East Government
> # Reference:
> #     - https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/
> # Tests: pcap
> # Confidence: low
> # Notes:
> #     1. Existing sid 45907 requires modifications by changing the direction of the rule as follows:
> #        alert udp $HOME_NET any -> $EXTERNAL_NET 53. This change is not posted below.
> #     2. SID 8000217 has pcre to help eliminate FPs. Maybe add detection_filter?
>
> alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"MALWARE-CNC excessive DNS large TXT response records with zero-based TTL"; flow:to_client; dsize:>250; content:"|00 10 00 01|"; content:"|00 00 00 00|"; distance:0; fast_pattern; byte_test:1,>,190,2,relative; pcre:"/[\x41-\x5a\x61-\x7a]{190,255}/"; metadata:ruleset community, service dns; classtype:trojan-activity; sid:8000217; rev:1;)
>
> alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC inbound null SSL certificate"; flow:to_client,established; content:"|16 03 01|"; content:"|02|"; distance:2; content:"|03 01|"; distance:3; content:"|30 07 06 03 55 04 06 13 00 31 09|"; content:"|30 07 06 03 55 04 08 13 00 31 09|"; distance:0; content:"|30 07 06 03 55 04 07 13 00 31 09|"; distance:0; content:"|30 07 06 03 55 04 0A 13 00 31 09|"; distance:0; content:"|30 07 06 03 55 04 0B 13 00 31 09|"; distance:0; content:"|30 07 06 03 55 04 03 13 00|"; distance:0; metadata:ruleset community, service ssl; classtype:trojan-activity; sid:8000218; rev:1;)
>
> # --------------------
> # Date: 2018-07-30
> # Title: PUA Adware Tweakbit
> # Reference: Research
> #     - https://www.virustotal.com/#/file/ba819dafd2f79f35d4fdafa57d772ab452e58d0bb9f98ebda9153a2f0cc7f218/detection
> # Tests: pcap
> # Confidence: medium
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Tweakbit outbound connection"; flow:to_server,established; urilen:8; content:"/collect"; fast_pattern:only; http_uri; content:"v="; http_client_body; content:"&tid="; http_client_body; content:"&cid="; http_client_body; content:"&ea="; http_client_body; content:"&el="; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/ba819dafd2f79f35d4fdafa57d772ab452e58d0bb9f98ebda9153a2f0cc7f218/detection; classtype:trojan-activity; sid:8000219; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Tweakbit outbound connection"; flow:to_server,established; content:"/tools/offers/"; fast_pattern:only; http_uri; content:"data=|7B|"; http_client_body; content:"|22|protocol|22|"; http_client_body; content:"|22|product|22|"; http_client_body; content:"|22|oslanguage|22|"; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/ba819dafd2f79f35d4fdafa57d772ab452e58d0bb9f98ebda9153a2f0cc7f218/detection; classtype:trojan-activity; sid:8000220; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Tweakbit outbound connection"; flow:to_server,established; content:"/tools/uninstalloffers/"; fast_pattern:only; http_uri; content:"request=|7B|"; http_client_body; content:"|22|protocol|22|"; http_client_body; content:"|22|product|22|"; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/ba819dafd2f79f35d4fdafa57d772ab452e58d0bb9f98ebda9153a2f0cc7f218/detection; classtype:trojan-activity; sid:8000221; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Tweakbit outbound connection"; flow:to_server,established; content:"/driverservice.asmx"; fast_pattern:only; http_uri; content:"SOAPAction: "; http_header; content:"<operatingSystemMajorVersion>"; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/ba819dafd2f79f35d4fdafa57d772ab452e58d0bb9f98ebda9153a2f0cc7f218/detection; classtype:trojan-activity; sid:8000222; rev:1;)
>
> # --------------------
> # Date: 2018-07-30
> # Title: PUA Adware AdNaver
> # Reference: Research
> #     - https://www.virustotal.com/#/file/9cab0520f4d7c3ecbc310e55282861ca20d53959eaf6e93d8d6aa717347819da/detection
> #     - https://app.any.run/tasks/16de6eff-d745-43d0-b463-a542e27ed4e5
> # Tests: pcap
> # Confidence: low
>
> alert udp $HOME_NET any -> $EXTERNAL_NET 15000 (msg:"PUA-ADWARE AdNaver NAT service successful installation"; flow:to_server; content:"INSTALL|09|"; content:"|09 09|"; distance:36; content:"|5C|NAT Service|5C|"; content:"C:|5C|Users|5C|"; metadata:ruleset community; reference:url,app.any.run/tasks/16de6eff-d745-43d0-b463-a542e27ed4e5; classtype:trojan-activity; sid:8000223; rev:1;)
>
> Thanks.
> YM
>

Hi Yaser,

As always, thanks for these submissions.  We'll get these into our testing
process and get back to you as soon as possible.  We'd appreciate any pcaps
you'd be willing to share.  Thanks again!

-- 
Marcos Rodriguez
Cisco Talos
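The DNS TXT rule above (sid 8000217) packs its logic into byte offsets. As an added example, not part of either message in this thread, the following pure-Python mirror of those checks runs over constructed DNS responses (the example.com name and the TXT payloads are made up), so the zero-TTL and length-byte conditions can be verified against a message without loading the rule into Snort.

```python
import re
import struct

# Added example, not from the original post: a pure-Python mirror of the checks
# in sid 8000217 so its byte offsets can be sanity-checked against DNS messages
# offline. Every DNS message used here is constructed, not captured traffic.
ALPHA_RUN = re.compile(rb"[\x41-\x5a\x61-\x7a]{190,255}")  # same class as the rule's pcre

def skip_name(buf, off):
    """Advance past a DNS name (sequence of labels or a compression pointer)."""
    while True:
        ln = buf[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # 2-byte compression pointer
            return off + 2
        off += 1 + ln

def suspicious_txt_answers(msg):
    """Return the TXT strings of answers that satisfy every check in the rule."""
    hits = []
    if len(msg) <= 250:  # dsize:>250
        return hits
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):  # skip the question section (name + type + class)
        off = skip_name(msg, off) + 4
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        # |00 10 00 01| is TXT/IN, |00 00 00 00| the zero TTL, and
        # byte_test:1,>,190,2,relative reads the TXT length byte after RDLENGTH.
        if rtype == 16 and rclass == 1 and ttl == 0 and rdata and rdata[0] > 190:
            txt = rdata[1:1 + rdata[0]]
            if ALPHA_RUN.search(txt):  # the pcre; here confined to the TXT string
                hits.append(txt)
    return hits

def build_txt_response(txt, ttl):
    """Constructed DNS response with one question and one TXT answer."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 16, 1)
    rdata = bytes([len(txt)]) + txt
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, ttl, len(rdata)) + rdata
    return header + question + answer

SAMPLE_TXT = b"PowerShellEncodedPayloadLooksLikeThis" * 6  # constructed, 222 letters
```

The same 222-letter TXT answer with a non-zero TTL, a short SPF-style record, or a long record containing digits and spaces all fall through, which is the behaviour the rule's TTL, byte_test and pcre checks are meant to enforce.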