Snort mailing list archives
Re: Aumlib malware
From: Ned Moran <ned () mysterymachine info>
Date: Mon, 12 Aug 2013 12:41:26 -0400
the sample was only available from the url listed in the blog for a short time. your best bet would be to get it from VT, or some other respository, and stage the download sequence in your own lab. or just run the sample directly ... -ned On 8/12/13 12:39 PM, Y M wrote:
I meant to download it locally from the url to a test box and capture the traffic.
YM
Date: Mon, 12 Aug 2013 11:40:00 -0400
From: ned () mysterymachine info
To: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] Aumlib malware
sample in question
(832f5e01be536da71d5b3f7e41938cfb) can be found on VT.
https://www.virustotal.com/en/file/c77afbe515536773777afebf500088e5b61cf23a6f527e6e39c0895e7be223c7/analysis/
-Ned
On 8/12/13 11:16 AM, Y M wrote:
Tried to get a sample of the executable from the urls mentioned in the reference but wasn't able to. Need more
testing:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Aumlib GET request";
flow:to_server,established; content:"GET"; http_method; content:"/buy-sell/"; http_uri; content:"search.asp";
http_uri; metadata: impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,
fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html;
classtype:trojan-activity; sid:100023; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Aumlib POST request";
flow:to_server,established; content:"POST"; http_method; content:"/bbs/"; http_uri; content:"search.asp"; nocase;
http_uri; metadata: impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,
fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html;
classtype:trojan-activity; sid:100022; rev:1;)
Thanks.YM
------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite!
It's a free troubleshooting tool designed for production.
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite!
It's a free troubleshooting tool designed for production.
Get down to code-level detail for bottlenecks, with
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------ Get 100% visibility into Java/.NET code with AppDynamics Lite! It's a free troubleshooting tool designed for production. Get down to code-level detail for bottlenecks, with <2% overhead. Download for free and get started troubleshooting in minutes. http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Aumlib malware Y M (Aug 12)
- Re: Aumlib malware Ned Moran (Aug 12)
- Re: Aumlib malware Nick Randolph (Aug 12)
- Re: Aumlib malware Joel Esler (Aug 12)
- Re: Aumlib malware Joel Esler (Aug 12)
- Re: Aumlib malware Nick Randolph (Aug 12)
- Re: Aumlib malware Nick Randolph (Aug 12)
- Re: Aumlib malware Y M (Aug 12)
- Re: Aumlib malware Ned Moran (Aug 12)
- Re: Aumlib malware Joel Esler (Aug 13)
- Re: Aumlib malware Y M (Aug 13)
- Re: Aumlib malware Ned Moran (Aug 12)