[Snort-sigs] Snort-sigs Digest, Vol 12, Issue 50

6vector9telemetry at gmail.com 6vector9telemetry at gmail.com
Fri Jun 8 11:49:56 EDT 2018


Obviously, his Trojan was discovered and blocked; now he is upset.



> On Jun 8, 2018, at 11:03 AM, Mkultra via Snort-sigs <snort-sigs at lists.snort.org> wrote:
> 
> rastus caint afford a "real" ids
> 
> 
> Sent with ProtonMail Secure Email.
> 
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>> On June 8, 2018 9:21 AM, Ashlee Benge <abenge at sourcefire.com> wrote:
>> 
>> Yaser,
>> 
>>       We have reviewed the rules you submitted for CVE-2017-8570. Unfortunately, due to the obfuscation method used in the samples and a lack of static content matches, performance concerns prevent us from adding these rules to the ruleset. 
>> 
>>> On Tue, May 29, 2018 at 1:24 PM, <snort-sigs-request at lists.snort.org> wrote:
>>> Send Snort-sigs mailing list submissions to
>>>         snort-sigs at lists.snort.org
>>> 
>>> To subscribe or unsubscribe via the World Wide Web, visit
>>>         https://lists.snort.org/mailman/listinfo/snort-sigs
>>> or, via email, send a message with subject or body 'help' to
>>>         snort-sigs-request at lists.snort.org
>>> 
>>> You can reach the person managing the list at
>>>         snort-sigs-owner at lists.snort.org
>>> 
>>> When replying, please edit your Subject line so it is more specific
>>> than "Re: Contents of Snort-sigs digest..."
>>> 
>>> 
>>> Today's Topics:
>>> 
>>>    1. Win.Trojan.Dropper (O C)
>>>    2. CVE-2017-8570 (O C)
>>> 
>>> 
>>> ----------------------------------------------------------------------
>>> 
>>> Message: 1
>>> Date: Tue, 29 May 2018 17:23:40 +0000
>>> From: O C <snort at outlook.com>
>>> To: snort-sigs <snort-sigs at lists.snort.org>
>>> Subject: [Snort-sigs] Win.Trojan.Dropper
>>> Message-ID:
>>>         <BN6PR1701MB18437AD38F6A61C998EECA4AA86D0 at BN6PR1701MB1843.namprd17.prod.outlook.com>
>>> 
>>> Content-Type: text/plain; charset="iso-8859-1"
>>> 
>>> Hi,
>>> 
>>> This downloader uses a rather unique User-Agent. Pcap is available for this one.
>>> 
>>> # --------------------
>>> # Date: 2018-05-28
>>> # Title: Win.Trojan.Dropper
>>> # Tests: pcap
>>> # Reference: https://www.virustotal.com/#/file/782cc4188618cf0c4815f85ea7873a004464095f5ed459b8d1579fa27ce5810e/detection
>>> 
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known malicious user-agent - Win.Trojan.Dropper"; flow:to_server,established; content:"User-Agent: HTTPREAD|0D 0A|"; fast_pattern:only; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/782cc4188618cf0c4815f85ea7873a004464095f5ed459b8d1579fa27ce5810e/detection; classtype:trojan-activity; sid:8000074; rev:1;)
>>> 
>>> Thanks.
>>> YM
>>> 
>>> ------------------------------
>>> 
>>> Message: 2
>>> Date: Tue, 29 May 2018 17:24:12 +0000
>>> From: O C <snort at outlook.com>
>>> To: snort-sigs <snort-sigs at lists.snort.org>
>>> Subject: [Snort-sigs] CVE-2017-8570
>>> Message-ID:
>>>         <BN6PR1701MB184314ADF9539049956466D5A86D0 at BN6PR1701MB1843.namprd17.prod.outlook.com>
>>> 
>>> Content-Type: text/plain; charset="iso-8859-1"
>>> 
>>> Hi,
>>> 
>>> This one is similar to the existing signatures 45415 and 45416. The only difference is that it uses the StdOleLink Moniker as opposed to the Composite Moniker. There are 2 versions for each rule. The first one is without using PCRE. The samples I worked with had the moniker slightly manipulated, and PCRE was a perfect fit. Pcaps available for these.
>>> 
>>> Note that the sample documents contain multiple exploits and not just one.
>>> 
>>> # --------------------
>>> # Date: 2018-05-06
>>> # Title: CVE-2017-8570 StdOleLink
>>> # Reference: https://www.virustotal.com/#/file/bebd4cd9aece49fbe6e7024e239638004358ff87d02f9bd4328993409da9e17c/detection, https://www.virustotal.com/#/file/af9ed7de1d9d9d38ee12ea2d3c62ab01a79c6f4b241c02110bac8a53ea9798b5/detection
>>> # Tests: pcap
>>> 
>>> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF StdOleLink Moniker object creation attempt - NON-PCRE"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|objupdate"; content:"003000000000000C000000000000046"; distance:0; fast_pattern; nocase; content:"C6AFABEC197FD211978E0000F8757E2A"; distance:0; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8570; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8570; reference:url,www.virustotal.com/#/file/bebd4cd9aece49fbe6e7024e239638004358ff87d02f9bd4328993409da9e17c/detection; reference:url,www.virustotal.com/#/file/af9ed7de1d9d9d38ee12ea2d3c62ab01a79c6f4b241c02110bac8a53ea9798b5/detection; classtype:attempted-user; sid:8000070; rev:1;)
>>> 
>>> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF StdOleLink Moniker object creation attempt - PCRE"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|objupdate"; content:"003000000000000C000000000000046"; distance:0; fast_pattern; nocase; pcre:"/[A-F0-9\x20\x0a\x0d]{32}/Ri"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8570; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8570; reference:url,www.virustotal.com/#/file/bebd4cd9aece49fbe6e7024e239638004358ff87d02f9bd4328993409da9e17c/detection; reference:url,www.virustotal.com/#/file/af9ed7de1d9d9d38ee12ea2d3c62ab01a79c6f4b241c02110bac8a53ea9798b5/detection; classtype:attempted-user; sid:8000071; rev:1;)
>>> 
>>> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF StdOleLink Moniker object creation attempt - NON-PCRE"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objupdate"; content:"003000000000000C000000000000046"; distance:0; fast_pattern; nocase; content:"C6AFABEC197FD211978E0000F8757E2A"; distance:0; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8570; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8570; reference:url,www.virustotal.com/#/file/bebd4cd9aece49fbe6e7024e239638004358ff87d02f9bd4328993409da9e17c/detection; reference:url,www.virustotal.com/#/file/af9ed7de1d9d9d38ee12ea2d3c62ab01a79c6f4b241c02110bac8a53ea9798b5/detection; classtype:attempted-user; sid:8000072; rev:1;)
>>> 
>>> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF StdOleLink Moniker object creation attempt - PCRE"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objupdate"; content:"003000000000000C000000000000046"; distance:0; fast_pattern; nocase; pcre:"/[A-F0-9\x20\x0a\x0d]{32}/Ri"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8570; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8570; reference:url,www.virustotal.com/#/file/bebd4cd9aece49fbe6e7024e239638004358ff87d02f9bd4328993409da9e17c/detection; reference:url,www.virustotal.com/#/file/af9ed7de1d9d9d38ee12ea2d3c62ab01a79c6f4b241c02110bac8a53ea9798b5/detection; classtype:attempted-user; sid:8000073; rev:1;)
>>> 
>>> Thanks.
>>> YM
>>> 
>>> 
>>> ------------------------------
>>> 
>>> Subject: Digest Footer
>>> 
>>> _______________________________________________
>>> Snort-sigs mailing list
>>> Snort-sigs at lists.snort.org
>>> https://lists.snort.org/mailman/listinfo/snort-sigs
>>> http://www.snort.org
>>> 
>>> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
>>> 
>>> Please visit http://blog.snort.org for the latest news about Snort!
>>> 
>>> 
>>> ------------------------------
>>> 
>>> End of Snort-sigs Digest, Vol 12, Issue 50
>>> ******************************************
>> 
>> 
>> 
>> 
>> -- 
>> Ashlee Benge
>> Detection Response Team
>> Talos Group
> 
> Visit Snort.org to subscribe to the official Snort ruleset and stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
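A Python mirror of the submitted StdOleLink rules, added here as an example rather than code from the thread or from Snort: it normalizes the RTF hex the way the PCRE variant tolerates (spaces and CR/LF between nibbles) and reports whether the CLSID that follows the moniker is the one the NON-PCRE variant matches statically. The RTF sample is constructed; the function and constant names are this example's own.

```python
import re

# CLSIDs as they are hex-encoded inside an RTF \objdata stream (little-endian
# GUID byte order), i.e. the content strings used in the submitted rules.
STDOLELINK_HEX = "0003000000000000C000000000000046"    # StdOleLink moniker
KNOWN_FOLLOWUP = {"C6AFABEC197FD211978E0000F8757E2A"}  # what the NON-PCRE rules require next

OBJUPDATE = b"\\objupdate"
HEX32_RE = re.compile(r"[A-F0-9]{32}")


def normalize_hex(chunk: bytes) -> str:
    """Strip the space/CR/LF padding the PCRE variant tolerates and upper-case."""
    return re.sub(r"[ \r\n]", "", chunk.decode("latin-1")).upper()


def scan_rtf(rtf: bytes) -> list[dict]:
    """Report each \\objupdate whose following object data names StdOleLink.
    A finding records the 32 hex nibbles after the moniker CLSID (all the PCRE
    rules check) and whether they equal the CLSID the NON-PCRE rules match."""
    findings = []
    start = 0
    while (pos := rtf.find(OBJUPDATE, start)) != -1:
        start = pos + len(OBJUPDATE)
        data = normalize_hex(rtf[start:])
        idx = data.find(STDOLELINK_HEX)
        if idx == -1:
            continue
        tail = data[idx + len(STDOLELINK_HEX):]
        nxt = HEX32_RE.match(tail)
        followup = nxt.group(0) if nxt else None
        findings.append({"offset": pos, "next_clsid": followup,
                         "static_match": followup in KNOWN_FOLLOWUP})
    return findings


# Constructed sample, not a real document: the StdOleLink CLSID is broken up
# by spaces and CR/LF (the "slightly manipulated" case) and is followed by the
# second CLSID the NON-PCRE rules look for.
SAMPLE_RTF = (
    b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objdata 01050000020000000b0000\r\n"
    b"0003 0000 00000000C000\r\n000000000046"
    b"c6afabec197fd211978e0000f8757e2a0000000000000000}}}"
)

if __name__ == "__main__":
    for hit in scan_rtf(SAMPLE_RTF):
        print(hit)
```

Replacing the trailing CLSID in the sample with any other 32 hex nibbles still yields a finding with static_match False, which is exactly the extra ground the PCRE variant covers and why it costs more to run.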