Snort mailing list archives
Namihno Trojan
From: Paul Bottomley <Paul.Bottomley () betfair com>
Date: Mon, 20 May 2013 14:17:27 +0000
Sorry, I don't have a reference for this (intel was received through our TI provider).

"The following URI is hard-coded into the sample and used to construct the HTTP C2 request: /windows/update/search?hl=%s&q=%s&meta=%s&id=%s URI parameters within the HTTP request contain the Base64-encoded hostname and IP address of the victim's computer."

I've assumed all occurrences of %s are Base64, but I can't get the rule to fire when a '+' occurs within the character class (using \x2b) - not sure why. I've also probably escaped some characters that don't need escaping. Anyway, here is the rule I've created. Feel free to modify if you like.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"[C2] Namihno Trojan CnC Request"; flow:established,to_server; content:"/windows/update/search?hl="; http_uri; fast_pattern:only; pcre:"/\/windows\/update\/search\?hl\=[a-z0-9\x2b\x2f\x3d]+\&q\=[a-z0-9\x2b\x2f\x3d]+\&meta\=[a-z0-9\x2b\x2f\x3d]+\&id\=[a-z0-9\x2b\x2f\x3d]+$/Ui"; classtype:trojan-activity; sid:xxxxx; rev:1;)

Thanks
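Added example (not part of the original post or of any Snort project code): a Python harness that builds a request URI of the shape quoted from the TI report and runs a Python translation of the rule's PCRE over it, so the character class can be exercised offline with values whose Base64 actually contains '+' and '/'. The assignment of hostname to q and IP to id, the contents of hl and meta, and the sample victim data are all constructed guesses; the percent-decoding step is an approximation of the normalized URI buffer that the pcre /U flag is matched against (Snort's http_inspect percent-decodes the http_uri buffer by default), not a reimplementation of Snort.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

FIELDS = ("hl", "q", "meta", "id")

# Python equivalent of the rule's PCRE: four Base64-looking parameters,
# case-insensitive (/i), and nothing after the id= value (the trailing $).
_B64 = r"[a-z0-9+/=]+"
C2_URI_RE = re.compile(
    rf"/windows/update/search\?hl=({_B64})&q=({_B64})&meta=({_B64})&id=({_B64})",
    re.IGNORECASE,
)


def build_c2_uri(fields, percent_encode=False):
    """Build a request URI of the shape the TI report describes.

    fields maps each of hl/q/meta/id to the raw bytes the client Base64-encodes.
    Which field carries the hostname and which the IP is not stated in the post;
    SAMPLE_FIELDS below is a constructed guess. percent_encode=True models a
    client that URL-encodes the Base64 '+', '/' and '=' (e.g. %2B) rather than
    sending them raw.
    """
    parts = []
    for name in FIELDS:
        value = base64.b64encode(fields[name]).decode("ascii")
        if percent_encode:
            value = quote(value, safe="")
        parts.append(f"{name}={value}")
    return "/windows/update/search?" + "&".join(parts)


def match_c2_uri(uri, normalize=True):
    """Return the decoded parameters if uri matches the rule's pattern, else None.

    normalize=True percent-decodes first, approximating the normalized URI buffer
    inspected under the pcre /U flag; normalize=False tests the raw wire form.
    """
    candidate = unquote(uri) if normalize else uri
    m = C2_URI_RE.fullmatch(candidate)
    if m is None:
        return None
    decoded = {}
    for name, value in zip(FIELDS, m.groups()):
        try:
            decoded[name] = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            # Passed the character class but is not valid Base64 (e.g. bad padding).
            decoded[name] = None
    return decoded


# Constructed sample victim data (assumption, not from the post). meta is chosen so
# that its Base64 form contains '+' and '/', the characters the rule's
# [...\x2b\x2f...] class is meant to cover.
SAMPLE_FIELDS = {
    "hl": b"en",
    "q": b"VICTIM-PC",
    "meta": b"\xfb\xff",
    "id": b"192.168.1.23",
}

if __name__ == "__main__":
    for enc in (False, True):
        uri = build_c2_uri(SAMPLE_FIELDS, percent_encode=enc)
        print(uri)
        print("  raw match:       ", match_c2_uri(uri, normalize=False))
        print("  normalized match:", match_c2_uri(uri))
```

Running it prints the raw and the %-encoded form of the same request; the raw form matches either way, while the %-encoded form only matches after percent-decoding, which is the distinction a test pcap needs to make explicit before concluding that the character class itself is at fault.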
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Namihno Trojan Paul Bottomley (May 20)
- Re: Namihno Trojan Joel Esler (May 20)
- Re: Namihno Trojan Joel Esler (May 20)
- Re: Namihno Trojan Joel Esler (May 20)