<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;" dir="ltr">
<p>Hello,</p>
<p><br>
</p>
<p>The signatures below are derived from the article in the reference. There is a hardcoded User-Agent with HTTP "parameters". It is not clear whether these parameters are HTTP URL or body parameters. There is also a mention of a specific domain. The rules have been sanity checked only. No pcaps available.</p>
<p><br>
</p>
<p></p>
<div><span style="font-size: 9pt; font-family: Consolas, monospace;">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Malware.Disttrack variant outbound connection"; flow:to_server,established; content:"commandid="; nocase; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Mozilla/5.0 (Windows NT 6.3|3B| Trident/7.0|3B| rv:11) like Gecko|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,blog.vectranetworks.com/blog/an-analysis-of-the-shamoon-2-malware-attack; classtype:trojan-activity; sid:1000825; rev:1;)</span></div>
<div><span style="font-size: 9pt; font-family: Consolas, monospace;"><br>
</span></div>
<div><span style="font-size: 9pt; font-family: Consolas, monospace;">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Malware.Disttrack variant outbound connection"; flow:to_server,established; content:"commandid="; nocase; fast_pattern:only; http_client_body; content:"User-Agent|3A 20|Mozilla/5.0 (Windows NT 6.3|3B| Trident/7.0|3B| rv:11) like Gecko|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,blog.vectranetworks.com/blog/an-analysis-of-the-shamoon-2-malware-attack; classtype:trojan-activity; sid:1000826; rev:1;)</span></div>
<div><span style="font-size: 9pt; font-family: Consolas, monospace;"><br>
</span></div>
<div><span style="font-size: 9pt; font-family: Consolas, monospace;">alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain update.winappupdater.com - Win.Malware.Disttrack"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|update|0D|winappupdater|03|com|00|"; fast_pattern:only; metadata:ruleset community, service dns; reference:url,blog.vectranetworks.com/blog/an-analysis-of-the-shamoon-2-malware-attack; classtype:trojan-activity; sid:1000827; rev:1;)</span></div>
<br>
<p></p>
<p>Thank you.</p>
<p>YM</p>
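<p>As an added example (not part of the original message or of the referenced article), the Python below shows how the DNS content bytes in the third rule follow from the label encoding of the domain name, what the byte_test on the DNS flags byte accepts, and which of the two HTTP rules would fire on a request carrying the hardcoded User-Agent. The DNS payloads and HTTP requests are constructed for the example, the matching is a simplified model of the Snort buffers (http_uri, http_client_body, http_header) rather than Snort itself, and the sids are the ones from the message:</p>

```python
# Added example (not part of the original message): a simplified model of the
# three proposed Snort rules, used to show how their content bytes are derived
# and which constructed sample packets they would match.

UA_HEADER = b"User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11) like Gecko\r\n"
MALWARE_DOMAIN = "update.winappupdater.com"


def dns_name_to_wire(name: str) -> bytes:
    """Encode a domain name as DNS labels (length byte + label), terminated by 0x00."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def to_snort_content(wire: bytes) -> str:
    """Render bytes in Snort content syntax: printable ASCII as-is, the rest as |XX|."""
    parts, hexrun = [], []

    def flush():
        if hexrun:
            parts.append("|" + " ".join(f"{b:02X}" for b in hexrun) + "|")
            hexrun.clear()

    for b in wire:
        if 0x21 <= b <= 0x7E and chr(b) not in '|";\\':
            flush()
            parts.append(chr(b))
        else:
            hexrun.append(b)
    flush()
    return '"' + "".join(parts) + '"'


def build_dns_query(name: str, txid: int = 0x1234, response: bool = False) -> bytes:
    """Constructed DNS payload: 12-byte header plus one question of type A, class IN."""
    flags = 0x8180 if response else 0x0100  # QR bit set only for a response; RD set
    header = txid.to_bytes(2, "big") + flags.to_bytes(2, "big")
    header += b"\x00\x01\x00\x00\x00\x00\x00\x00"  # QDCOUNT=1, AN/NS/ARCOUNT=0
    return header + dns_name_to_wire(name) + b"\x00\x01\x00\x01"


def matches_dns_rule(payload: bytes) -> bool:
    """sid 1000827: byte_test:1,!&,0xF8,2 reads the flags byte at offset 2 and
    requires QR=0 and OPCODE=0 (a plain query); the label-encoded domain must
    then appear in the payload."""
    if len(payload) < 12:
        return False
    is_query = (payload[2] & 0xF8) == 0
    return is_query and dns_name_to_wire(MALWARE_DOMAIN) in payload


def split_http_request(raw: bytes):
    """Return (uri, header block, body) for a constructed raw HTTP/1.1 request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    _method, uri, _version = request_line.split(b" ", 2)
    return uri, headers + b"\r\n", body


def matches_http_rules(raw: bytes) -> list:
    """Return the sids of the HTTP rules that would fire: 1000825 looks for
    'commandid=' (nocase) in the URI, 1000826 in the client body; both also
    need the exact hardcoded User-Agent line in the header buffer."""
    uri, headers, body = split_http_request(raw)
    if UA_HEADER not in headers:
        return []
    fired = []
    if b"commandid=" in uri.lower():
        fired.append(1000825)
    if b"commandid=" in body.lower():
        fired.append(1000826)
    return fired


# Constructed sample traffic for the example (not captured data).
SAMPLE_URI_REQUEST = (b"GET /index.php?commandid=1 HTTP/1.1\r\n"
                      b"Host: example.invalid\r\n" + UA_HEADER + b"\r\n")
SAMPLE_BODY_REQUEST = (b"POST /index.php HTTP/1.1\r\nHost: example.invalid\r\n"
                       + UA_HEADER + b"Content-Length: 11\r\n\r\ncommandid=1")
SAMPLE_OTHER_UA = SAMPLE_URI_REQUEST.replace(b"Trident/7.0", b"Trident/4.0")

if __name__ == "__main__":
    print("DNS content:", to_snort_content(dns_name_to_wire(MALWARE_DOMAIN)))
    print("DNS query matches:", matches_dns_rule(build_dns_query(MALWARE_DOMAIN)))
    print("DNS response matches:", matches_dns_rule(build_dns_query(MALWARE_DOMAIN, response=True)))
    for label, req in [("uri", SAMPLE_URI_REQUEST), ("body", SAMPLE_BODY_REQUEST), ("other UA", SAMPLE_OTHER_UA)]:
        print(f"{label}: {matches_http_rules(req)}")
```

<p>The rendered DNS content comes out as exactly the string used in sid 1000827, which is a quick way to sanity check a domain rule without a pcap; the response packet is rejected by the byte_test because the QR bit falls inside the 0xF8 mask, which is why that rule only fires on outbound queries. A request with a slightly different Trident version fires neither HTTP rule, illustrating how brittle an exact User-Agent content match is if the sample's string is not stable across variants.</p>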
</div>
</body>
</html>