Obviously, his Trojan was discovered and blocked, now he is upset.


Confidentiality Notice:

The information contained in this communication, including attachments, is privileged and confidential. It is intended only for the exclusive use of the addressee. If the reader is not the intended recipient, or the employee, or the agent responsible for delivering it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us by return email or telephone immediately. Thank you.

 


On Jun 8, 2018, at 11:03 AM, Mkultra via Snort-sigs <snort-sigs@lists.snort.org> wrote:

rastus caint afford a "real" ids


Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On June 8, 2018 9:21 AM, Ashlee Benge <abenge@sourcefire.com> wrote:

Yaser,

      We have reviewed the rules you submitted for CVE-2017-8570. Unfortunately, due to the obfuscation method used in the samples and a lack of static content matches, performance concerns prevent us from adding these rules to the ruleset. 

On Tue, May 29, 2018 at 1:24 PM, <snort-sigs-request@lists.snort.org> wrote:
Send Snort-sigs mailing list submissions to

To subscribe or unsubscribe via the World Wide Web, visit
or, via email, send a message with subject or body 'help' to

You can reach the person managing the list at

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-sigs digest..."


Today's Topics:

   1. Win.Trojan.Dropper (O C)
   2. CVE-2017-8570 (O C)


----------------------------------------------------------------------

Message: 1
Date: Tue, 29 May 2018 17:23:40 +0000
From: O C <snort@outlook.com>
To: snort-sigs <snort-sigs@lists.snort.org>
Subject: [Snort-sigs] Win.Trojan.Dropper
Message-ID:

Content-Type: text/plain; charset="iso-8859-1"

Hi,

This downloader uses a rather unique User-Agent. Pcap is available for this one.

# --------------------
# Date: 2018-05-28
# Title: Win.Trojan.Dropper
# Tests: pcap

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known malicious user-agent - Win.Trojan.Dropper"; flow:to_server,established; content:"User-Agent: HTTPREAD|0D 0A|"; fast_pattern:only; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/782cc4188618cf0c4815f85ea7873a004464095f5ed459b8d1579fa27ce5810e/detection; classtype:trojan-activity; sid:8000074; rev:1;)

Thanks.
YM
-------------- next part --------------
An HTML attachment was scrubbed...

------------------------------

Message: 2
Date: Tue, 29 May 2018 17:24:12 +0000
From: O C <snort@outlook.com>
To: snort-sigs <snort-sigs@lists.snort.org>
Subject: [Snort-sigs] CVE-2017-8570
Message-ID:

Content-Type: text/plain; charset="iso-8859-1"

Hi,

This one is similar to the existing signatures 45415 and 45416. The only difference is that is uses the StdOleLink Moniker as opposed to the Composite Moiker. There are 2 versions for each rule. The first one is without using PCRE. The samples I worked with had the moniker slightly manipulated, and PCRE was a perfect fit. Pcaps available for these.

Note that the sample documents contain multiple exploits and not just one.

# --------------------
# Date: 2018-05-06
# Title: CVE-2017-8570 StdOleLink
# Tests: pcap

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF StdOleLink Moniker object creation attempt - NON-PCRE"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|objupdate"; content:"003000000000000C000000000000046"; distance:0; fast_pattern; nocase; content:"C6AFABEC197FD211978E0000F8757E2A"; distance:0; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8570; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8570; reference:url,www.virustotal.com/#/file/bebd4cd9aece49fbe6e7024e239638004358ff87d02f9bd4328993409da9e17c/detection; reference:url,www.virustotal.com/#/file/af9ed7de1d9d9d38ee12ea2d3c62ab01a79c6f4b241c02110bac8a53ea9798b5/detection; classtype:attempted-user; sid:8000070; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF StdOleLink Moniker object creation attempt - PCRE"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|objupdate"; content:"003000000000000C000000000000046"; distance:0; fast_pattern; nocase; pcre:"/[ABCDEF0-9\x20\x0a\x0d0a]{32}/"; distance:0; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8570; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8570; reference:url,www.virustotal.com/#/file/bebd4cd9aece49fbe6e7024e239638004358ff87d02f9bd4328993409da9e17c/detection; reference:url,www.virustotal.com/#/file/af9ed7de1d9d9d38ee12ea2d3c62ab01a79c6f4b241c02110bac8a53ea9798b5/detection; classtype:attempted-user; sid:8000071; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF StdOleLink Moniker object creation attempt - NON-PCRE"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objupdate"; content:"003000000000000C000000000000046"; distance:0; fast_pattern; nocase; content:"C6AFABEC197FD211978E0000F8757E2A"; distance:0; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8570; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8570; reference:url,www.virustotal.com/#/file/bebd4cd9aece49fbe6e7024e239638004358ff87d02f9bd4328993409da9e17c/detection; reference:url,www.virustotal.com/#/file/af9ed7de1d9d9d38ee12ea2d3c62ab01a79c6f4b241c02110bac8a53ea9798b5/detection; classtype:attempted-user; sid:8000072; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF StdOleLink Moniker object creation attempt - PCRE"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objupdate"; content:"003000000000000C000000000000046"; distance:0; fast_pattern; nocase; pcre:"/[ABCDEF0-9\x20\x0a\x0d0a]{32}/"; distance:0; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8570; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8570; reference:url,www.virustotal.com/#/file/bebd4cd9aece49fbe6e7024e239638004358ff87d02f9bd4328993409da9e17c/detection; reference:url,www.virustotal.com/#/file/af9ed7de1d9d9d38ee12ea2d3c62ab01a79c6f4b241c02110bac8a53ea9798b5/detection; classtype:attempted-user; sid:8000073; rev:1;)

Thanks.
YM

-------------- next part --------------
An HTML attachment was scrubbed...

------------------------------

Subject: Digest Footer

_______________________________________________
Snort-sigs mailing list


Please visit http://blog.snort.org for the latest news about Snort!


------------------------------

End of Snort-sigs Digest, Vol 12, Issue 50
******************************************



--
Ashlee Benge
Detection Response Team
Talos Group

_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.snort.org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!