Snort mailing list archives
Re: Aumlib malware
From: Ned Moran <ned () mysterymachine info>
Date: Mon, 12 Aug 2013 12:41:26 -0400
the sample was only available from the url listed in the blog for a short time. your best bet would be to get it from VT, or some other repository, and stage the download sequence in your own lab. or just run the sample directly ...

-ned

On 8/12/13 12:39 PM, Y M wrote:
> I meant to download it locally from the url to a test box and capture the traffic.
>
> YM
>
> Date: Mon, 12 Aug 2013 11:40:00 -0400
> From: ned () mysterymachine info
> To: snort-sigs () lists sourceforge net
> Subject: Re: [Snort-sigs] Aumlib malware
>
> sample in question (832f5e01be536da71d5b3f7e41938cfb) can be found on VT.
>
> https://www.virustotal.com/en/file/c77afbe515536773777afebf500088e5b61cf23a6f527e6e39c0895e7be223c7/analysis/
>
> -Ned
>
> On 8/12/13 11:16 AM, Y M wrote:
>> Tried to get a sample of the executable from the urls mentioned in the reference but wasn't able to. Need more testing:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Aumlib GET request"; flow:to_server,established; content:"GET"; http_method; content:"/buy-sell/"; http_uri; content:"search.asp"; http_uri; metadata: impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url, fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:trojan-activity; sid:100023; rev:1;)
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Aumlib POST request"; flow:to_server,established; content:"POST"; http_method; content:"/bbs/"; http_uri; content:"search.asp"; nocase; http_uri; metadata: impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url, fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:trojan-activity; sid:100022; rev:1;)
>>
>> Thanks.
>> YM

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
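The thread stalls on getting a sample to generate traffic against the two proposed rules. As an added example (not code from the Snort-sigs thread or from the Snort project), the script below emulates just the part of those rules that decides a hit, the http_method and http_uri content matches, and runs it over constructed HTTP request lines. It assumes nothing beyond the rule text quoted above; flow state, $HOME_NET/$EXTERNAL_NET, ports and Snort's URI normalization are deliberately not modeled. It also makes visible a difference between the two rules as posted: sid 100023 matches search.asp case-sensitively, while sid 100022 carries nocase.

```python
# Added example (not from the Snort-sigs thread or the Snort project): a small
# emulation of what the two proposed Aumlib rules inspect, so the content matches
# can be sanity-checked against constructed request lines before a lab pcap exists.
# Only http_method / http_uri content matches and nocase are modeled; flow state,
# $HOME_NET/$EXTERNAL_NET, ports and URI normalization are not.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class UriContent:
    pattern: str      # content:"..." carrying the http_uri modifier
    nocase: bool      # whether the rule also carries the nocase modifier


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    method: str                     # content:"..."; http_method;
    uri: Tuple[UriContent, ...]     # every http_uri content must be present


# The two rules from the thread, reduced to the fields this emulation checks.
RULES = (
    Rule(100023, "MALWARE-CNC Win.Backdoor.Aumlib GET request", "GET",
         (UriContent("/buy-sell/", False), UriContent("search.asp", False))),
    Rule(100022, "MALWARE-CNC Win.Backdoor.Aumlib POST request", "POST",
         (UriContent("/bbs/", False), UriContent("search.asp", True))),
)


def parse_request_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (method, uri) from an HTTP/1.x request line, or None if malformed."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1]


def content_matches(needle: str, haystack: str, nocase: bool) -> bool:
    """Emulate a Snort content match: plain substring, case-folded only with nocase."""
    if nocase:
        return needle.lower() in haystack.lower()
    return needle in haystack


def rule_matches(rule: Rule, method: str, uri: str) -> bool:
    """A rule fires only if the method matches and every http_uri content is present."""
    if method != rule.method:
        return False
    return all(content_matches(c.pattern, uri, c.nocase) for c in rule.uri)


def evaluate(request_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (sid, request line) for every rule that would fire on each line."""
    hits = []
    for line in request_lines:
        parsed = parse_request_line(line)
        if parsed is None:
            continue
        method, uri = parsed
        for rule in RULES:
            if rule_matches(rule, method, uri):
                hits.append((rule.sid, line))
    return hits


# Constructed request lines (not captured traffic); each exercises one decision.
SAMPLE_REQUESTS = [
    "GET /buy-sell/search.asp?id=1 HTTP/1.1",   # fires 100023
    "POST /bbs/Search.ASP HTTP/1.1",            # fires 100022: nocase tolerates the case
    "GET /buy-sell/Search.asp HTTP/1.1",        # no hit: 100023 matches search.asp case-sensitively
    "GET /bbs/search.asp HTTP/1.1",             # no hit: right URI for 100022, wrong method
    "POST /buy-sell/search.asp HTTP/1.1",       # no hit: right URI for 100023, wrong method
]

if __name__ == "__main__":
    for sid, line in evaluate(SAMPLE_REQUESTS):
        print(f"sid {sid} fired on: {line}")
```

This is a reading aid for the rule text, not a substitute for testing: once a pcap of the real download sequence exists in the lab, the check that counts is still replaying it through Snort itself (snort -c snort.conf -r capture.pcap) with the rules loaded.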
Current thread:
- Aumlib malware Y M (Aug 12)
- Re: Aumlib malware Ned Moran (Aug 12)
- Re: Aumlib malware Nick Randolph (Aug 12)
- Re: Aumlib malware Joel Esler (Aug 12)
- Re: Aumlib malware Joel Esler (Aug 12)
- Re: Aumlib malware Nick Randolph (Aug 12)
- Re: Aumlib malware Nick Randolph (Aug 12)
- Re: Aumlib malware Y M (Aug 12)
- Re: Aumlib malware Ned Moran (Aug 12)
- Re: Aumlib malware Joel Esler (Aug 13)
- Re: Aumlib malware Y M (Aug 13)
- Re: Aumlib malware Ned Moran (Aug 12)