<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;" dir="ltr">
<p>Hello,</p>
<p><br>
</p>
<p>Hope all is well. The below rules were derived from the reference report. No pcaps are available, so the rules are only sanity checked.</p>
<p><br>
</p>
<p></p>
<div><span style="font-size: 10pt; font-family: Consolas, monospace;">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.StoneDrill server selection outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/ct_if/ctpublic/Check_Exist.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf; classtype:trojan-activity; sid:1000870; rev:1;)</span></div>
<div><br>
</div>
<div><span style="font-size: 10pt; font-family: Consolas, monospace;">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.StoneDrill login outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"username=MD5Sum"; fast_pattern:only; http_client_body; content:"&password=MD5Sum"; http_client_body; content:"&button=Login"; http_client_body; content:"Referer|3A 20|"; http_header; content:"Connection|3A 20|close|0D 0A|"; http_header; content:" Firefox/23.0|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf; classtype:trojan-activity; sid:1000871; rev:1;)</span></div>
<div><br>
</div>
<div><span style="font-size: 10pt; font-family: Consolas, monospace;">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.StoneDrill get commands outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/insert/index?id="; fast_pattern:only; http_uri; content:"&hst="; http_uri; content:"&ttype="; http_uri; content:"&state="; http_uri; content:"Cookie|3A 20|"; http_header; content:"Conneciton|3A 20|close|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf; classtype:trojan-activity; sid:1000872; rev:1;)</span></div>
<div><br>
</div>
<div>Thank you.</div>
<div>YM</div>
<br>
<p></p>
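<p>Since no pcaps are available, the following is an added offline sanity check for the three rules in the message above; it is not part of the original e-mail, the referenced report, or any Snort ruleset. It transcribes each rule's content matches into the buffers Snort's HTTP inspector exposes (method, URI, headers, client body) and evaluates them against constructed sample requests. The hostnames, cookie and query values in those requests are made up for the test and are not indicators from the report. The matcher is a deliberate simplification: no URI normalisation, flow tracking, port checks or fast_pattern handling, only plain byte containment, which is what matters when checking that the literals in a rule line up with the request they are meant to describe. It also reproduces the header name in sid 1000872 exactly as the rule spells it, so the check shows that, as written, that rule fires only on a request carrying that exact header name and not on a correctly spelled "Connection: close"; whether that is the intended signature is something to confirm against the report.</p>

```python
"""Offline sanity check for the three StoneDrill Snort rules above.

Constructed sample HTTP requests (not captured traffic) are split into the
buffers Snort's HTTP inspector exposes, and each rule's content matches are
evaluated as plain byte containment against those buffers.  This is an
added example, not code from the original message or the referenced report.
"""

# Content matches transcribed from the rules above, keyed by sid.
# Snort hex escapes such as |3A 20| and |0D 0A| are expanded to raw bytes.
# All matches in these rules are absolute (no distance/within), so order
# between them does not matter; none use nocase, so matching is exact.
RULES = {
    1000870: [("method", b"GET"),
              ("uri", b"/ct_if/ctpublic/Check_Exist.php")],
    1000871: [("method", b"POST"),
              ("body", b"username=MD5Sum"),
              ("body", b"&password=MD5Sum"),
              ("body", b"&button=Login"),
              ("header", b"Referer: "),
              ("header", b"Connection: close\r\n"),
              ("header", b" Firefox/23.0\r\n")],
    1000872: [("method", b"GET"),
              ("uri", b"/insert/index?id="),
              ("uri", b"&hst="),
              ("uri", b"&ttype="),
              ("uri", b"&state="),
              ("header", b"Cookie: "),
              ("header", b"Conneciton: close\r\n")],  # spelled as in the rule
}


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, uri, header and body buffers."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    # partition() consumed the CRLF that terminates the last header line;
    # restore it so matches ending in |0D 0A| behave as they would in Snort.
    return {"method": method, "uri": uri, "header": headers + b"\r\n", "body": body}


def matches(sid: int, buffers: dict) -> bool:
    """True when every content match of the rule is found in its buffer."""
    return all(needle in buffers[buf] for buf, needle in RULES[sid])


def evaluate(raw: bytes) -> list:
    """Return the sids that would fire on this request, in rule order."""
    buffers = parse_request(raw)
    return [sid for sid in RULES if matches(sid, buffers)]


# Constructed sample traffic (hostnames, cookie and parameter values are made
# up for this check and are not indicators from the report).
SERVER_SELECT = (b"GET /ct_if/ctpublic/Check_Exist.php HTTP/1.1\r\n"
                 b"Host: c2.example.invalid\r\n"
                 b"Connection: close\r\n\r\n")

LOGIN = (b"POST /ct_if/ctpublic/login.php HTTP/1.1\r\n"
         b"Host: c2.example.invalid\r\n"
         b"Referer: http://c2.example.invalid/\r\n"
         b"User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:23.0) "
         b"Gecko/20100101 Firefox/23.0\r\n"
         b"Connection: close\r\n\r\n"
         b"username=MD5Sum&password=MD5Sum&button=Login")

GET_COMMANDS = (b"GET /insert/index?id=1&hst=WS01&ttype=1&state=0 HTTP/1.1\r\n"
                b"Host: c2.example.invalid\r\n"
                b"Cookie: session=abc\r\n"
                b"Conneciton: close\r\n\r\n")

# Same request with the header name spelled correctly.
GET_COMMANDS_SPELLED = GET_COMMANDS.replace(b"Conneciton", b"Connection")

BENIGN = (b"GET /index.html HTTP/1.1\r\n"
          b"Host: www.example.invalid\r\n"
          b"Connection: close\r\n\r\n")


if __name__ == "__main__":
    for name, req in [("server selection", SERVER_SELECT), ("login", LOGIN),
                      ("get commands", GET_COMMANDS),
                      ("get commands, Connection spelled", GET_COMMANDS_SPELLED),
                      ("benign", BENIGN)]:
        print(f"{name:36s} -> {evaluate(req)}")
```

<p>Each constructed request fires exactly the sid it was written for, the benign request fires none, and the correctly spelled variant of the command-polling request fires nothing because sid 1000872 looks for the header name as the rule spells it. To go beyond containment checks, the same requests can be written into a pcap and replayed through snort -r against the rules file, which also exercises the flow and port constraints this script ignores.</p>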
</div>
</body>
</html>