[Snort-sigs] Win.Backdoor.SocketPlayer

Y M snort at outlook.com
Mon Jun 11 14:50:55 EDT 2018


Hi,

Pcaps available for these. Note that the C&C server ports need to be added to the stream5 and http_inspect preprocessors.

# --------------------
# Date: 2018-06-06
# Title: Win.Backdoor.SocketPlayer
# Tests: pcap
# Reference:
#     - https://file.gdatasoftware.com/web/en/documents/whitepaper/G_DATA_SocketPlayer_Analysis.pdf
#     - https://www.virustotal.com/#/file/de38e74b2cd493d0f014fc6ca5d2834cea213778c2e056a7c84e9547fe275889/detection
#     - https://www.virustotal.com/#/file/ace5a17702239cebf4ebc9ae034f3b2878e471978b895d3f461ef38fce7b1a40/detection
# Note: Requires adding ports 3000 and 7218 in stream5 and http_inspect ports
# Confidence: medium
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.SocketPlayer outbound connection"; flow:to_server,established; content:"/socket.io/"; fast_pattern:only; http_uri; content:"?EIO="; http_uri; content:"&transport="; http_uri; content:!"User-Agent"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/de38e74b2cd493d0f014fc6ca5d2834cea213778c2e056a7c84e9547fe275889/detection; reference:url,www.virustotal.com/#/file/ace5a17702239cebf4ebc9ae034f3b2878e471978b895d3f461ef38fce7b1a40/detection; classtype:trojan-activity; sid:8000104; rev:1;)

Thanks.
YM
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20180611/e1b7604b/attachment.html>


More information about the Snort-sigs mailing list