[Snort-sigs] Snort-sigs Digest, Vol 12, Issue 50

Joel Esler (jesler) jesler at cisco.com
Mon Jun 11 09:21:17 EDT 2018


Also, obviously, he has been removed from this list, and all other Snort lists and banned for life.

On Jun 8, 2018, at 11:49 AM, 6vector9telemetry--- via Snort-sigs <snort-sigs at lists.snort.org> wrote:

Obviously, his Trojan was discovered and blocked, now he is upset.


Confidentiality Notice:
The information contained in this communication, including attachments, is privileged and confidential. It is intended only for the exclusive use of the addressee. If the reader is not the intended recipient, or the employee, or the agent responsible for delivering it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us by return email or telephone immediately. Thank you.


On Jun 8, 2018, at 11:03 AM, Mkultra via Snort-sigs <snort-sigs at lists.snort.org> wrote:

rastus caint afford a "real" ids


Sent with ProtonMail (https://protonmail.com/) Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On June 8, 2018 9:21 AM, Ashlee Benge <abenge at sourcefire.com> wrote:

Yaser,

      We have reviewed the rules you submitted for CVE-2017-8570. Unfortunately, due to the obfuscation method used in the samples and a lack of static content matches, performance concerns prevent us from adding these rules to the ruleset.

On Tue, May 29, 2018 at 1:24 PM, <snort-sigs-request at lists.snort.org> wrote:


Today's Topics:

   1. Win.Trojan.Dropper (O C)
   2. CVE-2017-8570 (O C)


----------------------------------------------------------------------

Message: 1
Date: Tue, 29 May 2018 17:23:40 +0000
From: O C <snort at outlook.com>
To: snort-sigs <snort-sigs at lists.snort.org>
Subject: [Snort-sigs] Win.Trojan.Dropper
Message-ID:
        <BN6PR1701MB18437AD38F6A61C998EECA4AA86D0 at BN6PR1701MB1843.namprd17.prod.outlook.com>

Content-Type: text/plain; charset="iso-8859-1"

Hi,

This downloader uses a rather unique User-Agent. Pcap is available for this one.

# --------------------
# Date: 2018-05-28
# Title: Win.Trojan.Dropper
# Tests: pcap
# Reference: https://www.virustotal.com/#/file/782cc4188618cf0c4815f85ea7873a004464095f5ed459b8d1579fa27ce5810e/detection

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known malicious user-agent - Win.Trojan.Dropper"; flow:to_server,established; content:"User-Agent: HTTPREAD|0D 0A|"; fast_pattern:only; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/782cc4188618cf0c4815f85ea7873a004464095f5ed459b8d1579fa27ce5810e/detection; classtype:trojan-activity; sid:8000074; rev:1;)

Thanks.
YM

------------------------------

Message: 2
Date: Tue, 29 May 2018 17:24:12 +0000
From: O C <snort at outlook.com>
To: snort-sigs <snort-sigs at lists.snort.org>
Subject: [Snort-sigs] CVE-2017-8570
Message-ID:
        <BN6PR1701MB184314ADF9539049956466D5A86D0 at BN6PR1701MB1843.namprd17.prod.outlook.com>

Content-Type: text/plain; charset="iso-8859-1"

Hi,

This one is similar to the existing signatures 45415 and 45416. The only difference is that it uses the StdOleLink Moniker as opposed to the Composite Moniker. There are 2 versions for each rule. The first one is without using PCRE. The samples I worked with had the moniker slightly manipulated, and PCRE was a perfect fit. Pcaps available for these.

Note that the sample documents contain multiple exploits and not just one.

# --------------------
# Date: 2018-05-06
# Title: CVE-2017-8570 StdOleLink
# Reference: https://www.virustotal.com/#/file/bebd4cd9aece49fbe6e7024e239638004358ff87d02f9bd4328993409da9e17c/detection, https://www.virustotal.com/#/file/af9ed7de1d9d9d38ee12ea2d3c62ab01a79c6f4b241c02110bac8a53ea9798b5/detection
# Tests: pcap

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF StdOleLink Moniker object creation attempt - NON-PCRE"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|objupdate"; content:"003000000000000C000000000000046"; distance:0; fast_pattern; nocase; content:"C6AFABEC197FD211978E0000F8757E2A"; distance:0; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8570; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8570; reference:url,www.virustotal.com/#/file/bebd4cd9aece49fbe6e7024e239638004358ff87d02f9bd4328993409da9e17c/detection; reference:url,www.virustotal.com/#/file/af9ed7de1d9d9d38ee12ea2d3c62ab01a79c6f4b241c02110bac8a53ea9798b5/detection; classtype:attempted-user; sid:8000070; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF StdOleLink Moniker object creation attempt - PCRE"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|objupdate"; content:"003000000000000C000000000000046"; distance:0; fast_pattern; nocase; pcre:"/[ABCDEF0-9\x20\x0a\x0d]{32}/Ri"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8570; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8570; reference:url,www.virustotal.com/#/file/bebd4cd9aece49fbe6e7024e239638004358ff87d02f9bd4328993409da9e17c/detection; reference:url,www.virustotal.com/#/file/af9ed7de1d9d9d38ee12ea2d3c62ab01a79c6f4b241c02110bac8a53ea9798b5/detection; classtype:attempted-user; sid:8000071; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF StdOleLink Moniker object creation attempt - NON-PCRE"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objupdate"; content:"003000000000000C000000000000046"; distance:0; fast_pattern; nocase; content:"C6AFABEC197FD211978E0000F8757E2A"; distance:0; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8570; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8570; reference:url,www.virustotal.com/#/file/bebd4cd9aece49fbe6e7024e239638004358ff87d02f9bd4328993409da9e17c/detection; reference:url,www.virustotal.com/#/file/af9ed7de1d9d9d38ee12ea2d3c62ab01a79c6f4b241c02110bac8a53ea9798b5/detection; classtype:attempted-user; sid:8000072; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF StdOleLink Moniker object creation attempt - PCRE"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objupdate"; content:"003000000000000C000000000000046"; distance:0; fast_pattern; nocase; pcre:"/[ABCDEF0-9\x20\x0a\x0d]{32}/Ri"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8570; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8570; reference:url,www.virustotal.com/#/file/bebd4cd9aece49fbe6e7024e239638004358ff87d02f9bd4328993409da9e17c/detection; reference:url,www.virustotal.com/#/file/af9ed7de1d9d9d38ee12ea2d3c62ab01a79c6f4b241c02110bac8a53ea9798b5/detection; classtype:attempted-user; sid:8000073; rev:1;)

Thanks.
YM


------------------------------

Subject: Digest Footer

_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.snort.org
https://lists.snort.org/mailman/listinfo/snort-sigs
http://www.snort.org

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Please visit http://blog.snort.org for the latest news about Snort!


------------------------------

End of Snort-sigs Digest, Vol 12, Issue 50
******************************************



--
Ashlee Benge
Detection Response Team
Talos Group

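Added example, not part of the digest or of the submitted rules: a small Python checker that applies the two class-id hex contents from the StdOleLink rules above to constructed RTF samples, once as literal ordered matches (how the NON-PCRE variant sees the data) and once after collapsing the whitespace RTF permits inside hex data. It assumes the "slightly manipulated" moniker the submitter mentions is hex broken up by spaces or line breaks; the sample documents are constructed, not real exploit files.

```python
import re

# Hex strings copied from the submitted Snort rules. The first is a
# 31-character substring of the serialised StdOleLink class id
# {00000300-0000-0000-C000-000000000046}; the second is the class id the
# NON-PCRE variant requires to follow it.
STDOLELINK_HEX = b"003000000000000C000000000000046"
SECOND_CLSID_HEX = b"C6AFABEC197FD211978E0000F8757E2A"

_WS = re.compile(rb"[ \t\r\n]+")


def _ordered_find(hay: bytes) -> bool:
    """True if both class ids appear in hay, in rule order."""
    j = hay.find(STDOLELINK_HEX)
    return j >= 0 and hay.find(SECOND_CLSID_HEX, j) >= 0


def literal_rule_match(rtf: bytes) -> bool:
    """Mimic the NON-PCRE rule: \\objupdate, then both contents, nocase, hex unbroken."""
    i = rtf.find(b"\\objupdate")
    return i >= 0 and _ordered_find(rtf[i:].upper())


def normalised_match(rtf: bytes) -> bool:
    """Same check after collapsing the whitespace RTF allows inside hex data."""
    i = rtf.find(b"\\objupdate")
    return i >= 0 and _ordered_find(_WS.sub(b"", rtf[i:]).upper())


# Constructed sample: the same class ids, but the hex is split by CRLF and a space.
SAMPLE_SPLIT = (
    b"{\\rtf1{\\object\\objocx\\objupdate{\\*\\objdata 0105000002000000\r\n"
    b"0003000000000000c000\r\n000000000046 c6afabec197f\r\nd211978e0000f8757e2a}}}"
)
# Constructed sample with the hex left unbroken.
SAMPLE_PLAIN = SAMPLE_SPLIT.replace(b"\r\n", b"").replace(b" c6", b"c6")
# Constructed benign document: an \objupdate followed by an unrelated class id.
SAMPLE_BENIGN = b"{\\rtf1{\\object\\objupdate{\\*\\objdata 01050000020000000102030405060708090A0B0C0D0E0F10}}}"

if __name__ == "__main__":
    for name, doc in (("split", SAMPLE_SPLIT), ("plain", SAMPLE_PLAIN), ("benign", SAMPLE_BENIGN)):
        print(name, "literal:", literal_rule_match(doc), "normalised:", normalised_match(doc))
```

The split sample is the case the literal contents miss and a relative, case-insensitive PCRE (or normalisation before matching) is meant to cover; the benign sample shows that `\objupdate` alone fires neither check.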
