<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;" dir="ltr">
<p>Hello,</p>
<p><br>
</p>
<p>The below signatures were derived from the article in the reference. Since there are no pcaps available, the below assumptions/thoughts were made.</p>
<p><br>
</p>
<p>1. For the first rule, it is assumed that the custom User-Agent ends with \x0d\x0a. It also may be a better idea to have the pcre as "[A-Z0-9a-z]{32}", but it was written to avoid ambi</p>
<p>2. To avoid pcre, individual signatures were created per HTTP response. Perhaps it is better to combine all of them with pcre.</p>
<p>3. The HTTP response body does not end/contain any line terminators.</p>
<p><br>
</p>
<p></p>
<div><span style="font-size: 8pt; font-family: Consolas, monospace;">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.KopiLuwak JS outbound request"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"Mozilla/5.0 (Windows NT 6.1|3B| Win64|3B| x64)|3B| "; fast_pattern; http_header; pcre:"/[0-9]{16}[A-Z0-9a-z]{16}\x0d\x0a$/mR"; flowbits:set,kopiluwak.js.out; flowbits:noalert; metadata:ruleset community, service http; reference:url,securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/; classtype:trojan-activity; sid:1000828; rev:1;)</span></div>
<div><span style="font-size: 8pt; font-family: Consolas, monospace;"><br>
</span></div>
<div><span style="font-size: 8pt; font-family: Consolas, monospace;">alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.KopiLuwak JS inbound response"; flow:to_client,established; flowbits:isset,kopiluwak.js.out; content:"Content-Length|3A
 20|4|0D 0A|"; http_header; file_data; content:"good"; depth:4; isdataat:!0,relative; metadata:ruleset community, service http; reference:url,securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/; classtype:trojan-activity; sid:1000829;
 rev:1;)</span></div>
<div><span style="font-size: 8pt; font-family: Consolas, monospace;"><br>
</span></div>
<div><span style="font-size: 8pt; font-family: Consolas, monospace;">alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.KopiLuwak JS inbound response"; flow:to_client,established; flowbits:isset,kopiluwak.js.out; content:"Content-Length|3A
 20|4|0D 0A|"; http_header; file_data; content:"exit"; depth:4; isdataat:!0,relative; metadata:ruleset community, service http; reference:url,securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/; classtype:trojan-activity; sid:1000830;
 rev:1;)</span></div>
<div><span style="font-size: 8pt; font-family: Consolas, monospace;"><br>
</span></div>
<div><span style="font-size: 8pt; font-family: Consolas, monospace;">alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.KopiLuwak JS inbound response"; flow:to_client,established; flowbits:isset,kopiluwak.js.out; content:"Content-Length|3A
 20|4|0D 0A|"; http_header; file_data; content:"work"; depth:4; isdataat:!0,relative; metadata:ruleset community, service http; reference:url,securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/; classtype:trojan-activity; sid:1000831;
 rev:1;)</span></div>
<div><span style="font-size: 8pt; font-family: Consolas, monospace;"><br>
</span></div>
<div><span style="font-size: 8pt; font-family: Consolas, monospace;">alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.KopiLuwak JS inbound response"; flow:to_client,established; flowbits:isset,kopiluwak.js.out; content:"Content-Length|3A
 20|4|0D 0A|"; http_header; file_data; content:"fail"; depth:4; isdataat:!0,relative; metadata:ruleset community, service http; reference:url,securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/; classtype:trojan-activity; sid:1000832;
 rev:1;)</span></div>
<br>
<p></p>
<p>Thanks.</p>
<p>YM</p>
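<p>Added example, not part of the post above: a small Python re-implementation of what the five rules match, so the assumptions (CRLF-terminated User-Agent, exactly four body bytes, the flowbit pairing of request and reply) can be checked against constructed traffic. The request/response bytes, host name and ID token are made up for the test; the C2 path, headers and rule logic follow the signatures above.</p>

```python
import re

# Constructed sample traffic (not from the original post), shaped the way the
# rules above expect: one outbound beacon and one 4-byte reply.
REQ = (b"POST /index.php HTTP/1.1\r\n"
       b"Host: c2.example.invalid\r\n"
       b"User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64); "
       b"1234567890123456AbCdEfGhIjKlMnOp\r\n\r\n")
RESP = b"HTTP/1.1 200 OK\r\nContent-Length: 4\r\n\r\nwork"
RESP_EXTRA = b"HTTP/1.1 200 OK\r\nContent-Length: 4\r\n\r\nworking"

# content:"Mozilla/5.0 (Windows NT 6.1|3B| Win64|3B| x64)|3B| " with |3B| unescaped
UA_PREFIX = b"Mozilla/5.0 (Windows NT 6.1; Win64; x64); "
# pcre:"/[0-9]{16}[A-Z0-9a-z]{16}\x0d\x0a$/mR": 16 digits, 16 alphanumerics,
# then CRLF (assumption 1 in the post), matched right after the UA content
ID_RE = re.compile(rb"[0-9]{16}[A-Z0-9a-z]{16}\r\n")
# rules 2-5: content:"good"/"exit"/"work"/"fail"; depth:4; isdataat:!0,relative
VERBS = {b"good", b"exit", b"work", b"fail"}


def is_kopiluwak_request(raw: bytes) -> bool:
    """Rule 1 (sid 1000828): POST, '.php' in the URI, the fixed UA prefix, the ID."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2 or parts[0] != b"POST" or b".php" not in parts[1]:
        return False
    at = head.find(UA_PREFIX)
    if at < 0:
        return False
    # the R modifier anchors the pcre at the end of the previous content match;
    # the header block is re-terminated with CRLF because partition() removed it
    return ID_RE.match(head + b"\r\n", at + len(UA_PREFIX)) is not None


def kopiluwak_reply_verb(raw: bytes):
    """Rules 2-5: 'Content-Length: 4' header and a body that is exactly one verb."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep or b"Content-Length: 4\r\n" not in head + b"\r\n":
        return None
    # depth:4 plus isdataat:!0,relative means no byte may follow the verb
    return body.decode() if body in VERBS else None


def classify_flow(request: bytes, response: bytes):
    """Emulates the flowbit: inbound rules only fire once the outbound rule set it."""
    if not is_kopiluwak_request(request):
        return None
    return kopiluwak_reply_verb(response)
```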
</div>
</body>
</html>