[Snort-sigs] Win.Trojan.UDPOS

Phillip Lee phillile at sourcefire.com
Thu Mar 22 10:07:19 EDT 2018


Dear Yaser,

This rule has been reviewed and added to the community ruleset (SID: 45963-49564, 49566-45968).  Several modifications were made, including removing all pcre matches in the DNS rules proposed (unnecessary, better performance).

Submitted Rules:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.UDPOS outbound command and control IP address check"; flow:to_server,established; content:"/index.php?udpool="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:45963; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS outbound system information disclosure"; flow:to_server; isdataat:150; content:"|0F|"; content:"|03|bin"; within:4; distance:15; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:45964; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS outbound heartbeat"; flow:to_server; isdataat:150; content:"|0F|"; content:"|04|ping"; within:5; distance:15; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:45966; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration"; flow:to_server; isdataat:150; content:"|0F|"; content:"|03|trp"; within:4; distance:15; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:45967; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration"; flow:to_server; isdataat:150; content:"|0F|"; content:"|04|note"; within:5; distance:15; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:45968; rev:1;)

Thank you for your contribution.  

Sincerely,
Phil Lee
Cisco Talos

> On Feb 14, 2018, at 12:12 PM, Phillip Lee <phillile at sourcefire.com> wrote:
> 
> Thanks!
> 
> -Phil
> 
>> On Feb 14, 2018, at 11:44 AM, Y M <snort at outlook.com> wrote:
>> 
>> Hi Phillip,
>> 
>> The pcap is attached. The archive password is infected.
>> 
>> Thanks.
>> Yaser
>> From: Phillip Lee <phillile at sourcefire.com>
>> Sent: Wednesday, February 14, 2018 7:18:54 PM
>> To: Y M
>> Cc: snort-sigs at lists.snort.org
>> Subject: Re: [Snort-sigs] Win.Trojan.UDPOS
>>  
>> Yaser,
>> 
>> Thanks for your submission. We will review the rules and get back to you when they're finished. 
>> 
>> Can you send along the pcaps that you have? 
>> 
>> Regards,
>> Phil Lee
>> Cisco Talos
>> 
>>> On Feb 13, 2018, at 12:49 PM, Y M via Snort-sigs <snort-sigs at lists.snort.org> wrote:
>>> 
>>> Hi,
>>> 
>>> The below signatures are of the UDPOS point-of-sale malware. Pcap is available for this one. Opted for a rule per message as opposed to bundling message types into two rules.
>>> 
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.UDPOS external IP address check attempt"; flow:to_server,established; content:"User-Agent|3A 20|Browser|0D 0A|"; fast_pattern:only; http_header; content:"/index.php?"; http_uri; content:"udpool="; distance:0; http_uri; metadata:ruleset community, service http; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:9000025; rev:1;)
>>> 
>>> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS data exfiltration via DNS attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|"; content:"|03|bin"; offset:16; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; pcre:"/[a-f0-9]{15}\x03bin(([\x10-\x1f][a-f0-9]{10,31}){4}).+\x00\x00/"; metadata:ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:9000026; rev:1;)
>>> 
>>> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS data exfiltration via DNS attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|"; content:"|03|trp"; offset:16; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; pcre:"/[a-f0-9]{15}\x03trp(([\x10-\x1f][a-f0-9]{10,31}){4}).+\x00\x00/"; metadata:ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:9000027; rev:1;)
>>> 
>>> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS data exfiltration via DNS attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|"; content:"|04|info"; offset:16; byte_test:1,<,40,0,relative; byte_jump:1,0,relative; byte_test:1,<,40,0,relative; byte_jump:1,0,relative; byte_test:1,<,40,0,relative; byte_jump:1,0,relative; byte_test:1,<=,40,0,relative; pcre:"/[a-f0-9]{15}\x04info(([\x10-\x28][a-f0-9]{10,40}){4}).+\x00\x00/"; metadata:ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:9000028; rev:1;)
>>> 
>>> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS data exfiltration via DNS attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|"; content:"|04|ping"; offset:16; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; pcre:"/[a-f0-9]{15}\x04ping(([\x10-\x1f][a-f0-9]{10,31}){4}).+\x00\x00/"; metadata:ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:9000029; rev:1;)
>>> 
>>> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS data exfiltration via DNS attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|"; content:"|04|note"; offset:16; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; pcre:"/[a-f0-9]{15}\x04note(([\x10-\x1f][a-f0-9]{10,31}){4}).+\x00\x00/"; metadata:ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:9000030; rev:1;)
>>> 
>>> Thanks.
>>> YM
>>> 
>>> _______________________________________________
>>> Snort-sigs mailing list
>>> Snort-sigs at lists.snort.org
>>> https://lists.snort.org/mailman/listinfo/snort-sigs
>>> 
>>> Please visit http://blog.snort.org for the latest news about Snort!
>>> 
>>> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
>>> 
>>> Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
>> 
>> <udpos_cnc.zip>
> 
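The thread contrasts two ways of matching the UDPOS DNS query shape: the submitted rules walk the labels with byte_test/byte_jump and then repeat the same structure as a pcre, while the accepted rules keep only the content matches plus isdataat. The script below is an added example, not code from the thread, Talos or Forcepoint: it re-implements the label walk in Python (15-hex-character first label, a type label of bin/trp/info/ping/note, four hex labels of at most 31 bytes, 40 for info, then the remainder of the name, all taken from the posted pcre and byte_test values) and runs the posted regexes beside it for comparison. The DNS packets are constructed in the script and carry no real data.

```python
"""Structural re-implementation of the UDPOS DNS checks posted in this thread.

Added example, not code from the thread, Talos or Forcepoint. The label layout
(15-hex-char first label, message-type label, four hex data labels, then the
rest of the name) is taken from the posted pcre and byte_test/byte_jump chain;
the DNS packets below are constructed for demonstration and carry no real data.
"""
import re
import struct

MESSAGE_TYPES = {b"bin", b"trp", b"info", b"ping", b"note"}
HEX_CHARS = frozenset(b"0123456789abcdef")

# The pcre the submitter posted (sids 9000026-9000030), compiled with Python's re
# so the regex verdict can be compared with the structural walk below.
POSTED_PCRE = {
    b"bin":  re.compile(rb"[a-f0-9]{15}\x03bin(([\x10-\x1f][a-f0-9]{10,31}){4}).+\x00\x00"),
    b"trp":  re.compile(rb"[a-f0-9]{15}\x03trp(([\x10-\x1f][a-f0-9]{10,31}){4}).+\x00\x00"),
    b"info": re.compile(rb"[a-f0-9]{15}\x04info(([\x10-\x28][a-f0-9]{10,40}){4}).+\x00\x00"),
    b"ping": re.compile(rb"[a-f0-9]{15}\x04ping(([\x10-\x1f][a-f0-9]{10,31}){4}).+\x00\x00"),
    b"note": re.compile(rb"[a-f0-9]{15}\x04note(([\x10-\x1f][a-f0-9]{10,31}){4}).+\x00\x00"),
}


def parse_qname(payload, offset=12):
    """Split an uncompressed QNAME into labels; return (labels, offset past the 0 byte)."""
    labels = []
    while True:
        if offset >= len(payload):
            raise ValueError("truncated name")
        length = payload[offset]
        offset += 1
        if length == 0:
            return labels, offset
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        label = payload[offset:offset + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label)
        offset += length


def is_hex_label(label, max_len):
    return 0 < len(label) <= max_len and all(c in HEX_CHARS for c in label)


def udpos_dns_match(payload):
    """Return the message type ("bin", "trp", ...) or None.

    Mirrors the posted rules without a regex:
      byte_test:1,!&,0xF8,2         -> QR bit clear and opcode 0 (a standard query)
      content:"|0F|" ... "|03|bin"  -> 15-byte label followed by the type label
      byte_test/byte_jump x4        -> four following labels no longer than 31 (40 for info)
    """
    if len(payload) < 12 or payload[2] & 0xF8:
        return None
    try:
        labels, _ = parse_qname(payload)
    except ValueError:
        return None
    # The pcre ends in ".+\x00\x00": the name must continue after the four
    # data labels before the terminator and QTYPE, so at least 7 labels.
    if len(labels) < 7:
        return None
    if not (len(labels[0]) == 15 and is_hex_label(labels[0], 15)):
        return None
    mtype = labels[1]
    if mtype not in MESSAGE_TYPES:
        return None
    limit = 40 if mtype == b"info" else 31
    if not all(is_hex_label(lbl, limit) for lbl in labels[2:6]):
        return None
    return mtype.decode()


def pcre_match(payload):
    """Verdict of the posted pcre alone (it does not look at the DNS flags)."""
    for mtype, pattern in POSTED_PCRE.items():
        if pattern.search(payload):
            return mtype.decode()
    return None


def build_query(name_labels, txid=0x1234):
    """Construct a minimal DNS A query for the given labels (constructed test data)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in name_labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN


# Constructed samples: a UDPOS-shaped "bin" query, a normal lookup, and the
# same UDPOS-shaped packet with the QR bit set (a response, not a query).
HEX20 = b"0123456789abcdef0123"
SAMPLE_BIN = build_query([b"0123456789abcde", b"bin", HEX20, HEX20, HEX20, HEX20,
                          b"example", b"com"])
BENIGN = build_query([b"www", b"example", b"com"])
RESPONSE = bytes([SAMPLE_BIN[0], SAMPLE_BIN[1], SAMPLE_BIN[2] | 0x80]) + SAMPLE_BIN[3:]

if __name__ == "__main__":
    for name, pkt in (("udpos bin", SAMPLE_BIN), ("benign", BENIGN), ("response", RESPONSE)):
        print(f"{name:10s} structural={udpos_dns_match(pkt)!r:7} pcre={pcre_match(pkt)!r}")
```

On the three constructed packets the label walk and the posted regex agree on the query and on the benign lookup; on the response only the label walk says no, because the flag check lives in byte_test rather than in the pcre. That is the reviewer's point in a small form: once the content anchors and byte tests pin down the structure, the regex repeats work already done on every packet that reaches it.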
