Snort mailing list archives
Re: Zbot variant sigs
From: Y M <snort () outlook com>
Date: Thu, 10 Oct 2013 08:43:56 +0000
An update to the first rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Zbot variant malware potential download from phishing attack"; content:"/image/swift_copy.zip"; fast_pattern:only; http_uri; file_data; content:"swift_copy.exe"; metadata: policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/27e6f24e8ddfd5137a08c527c0e9b8b47d81303cbaa4e4fee4586699a31640f4/analysis/1381340916/; classtype:trojan-activity; sid:100060; rev:1;)

From: snort () outlook com
To: snort-sigs () lists sourceforge net
Subject: Zbot variant sigs
Date: Wed, 9 Oct 2013 18:53:35 +0000

Received this one as a phishing email with an .html attachment. It downloads a zip/executable file as soon as it is opened. Results on VT are mixed between Zbot, Autoit and Generic. pcaps attached.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Zbot variant malware potential download from phishing"; content:"/image/swift_copy.zip"; fast_pattern:only; http_uri; metadata: policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/27e6f24e8ddfd5137a08c527c0e9b8b47d81303cbaa4e4fee4586699a31640f4/analysis/1381340916/; classtype:trojan-activity; sid:100060; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot variant outbound connection attempt - config.bin"; content:"/images/server/config.bin"; fast_pattern:only; http_uri; content:"Accept|3A| |2A|/|2A 0D 0A|"; metadata: policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/02a565134bb46d1644d24f978df7a98ba2b99aa63a22d5287bab71486e307dac/analysis/1381340939/; classtype:trojan-activity; sid:100061; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot variant outbound connection attempt - post"; content:"POST"; http_method; content:"/images/server/gate.php"; http_uri; fast_pattern:only; metadata: policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/02a565134bb46d1644d24f978df7a98ba2b99aa63a22d5287bab71486e307dac/analysis/1381340939/; classtype:trojan-activity; sid:100062; rev:1;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain kitkatzuniga.com - Win.Trojan.Zbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|kitkatzuniga|03|com|00|"; fast_pattern:only; metadata:impact_flag red, service dns; reference:url,www.virustotal.com/en/file/02a565134bb46d1644d24f978df7a98ba2b99aa63a22d5287bab71486e307dac/analysis/1381340939/; classtype:trojan-activity; sid:100063; rev:1;)

Thanks.
YM
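The DNS rule above (sid 100063) combines two checks that are easy to get wrong when writing blacklist-domain signatures by hand: the content match is the DNS wire-format encoding of the name (each label prefixed by its length byte, terminated by a zero byte, hence `|0C|kitkatzuniga|03|com|00|`), and `byte_test:1,!&,0xF8,2` inspects the high flags byte of the DNS header so that only standard queries (QR=0, OPCODE=0) trigger, not responses. The following Python is an added example, not code from the thread or from Snort; the function names are mine, and the DNS query it builds is a constructed packet. It derives the Snort `content` string from a domain name and applies the two conditions to a payload the way the rule does.

```python
import struct


def dns_name_to_wire(name: str) -> bytes:
    """Encode a domain name as DNS wire-format labels: length byte + label, terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:          # RFC 1035: labels are 1..63 octets
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def snort_content_escape(wire: bytes) -> str:
    """Render bytes in Snort content syntax: printable ASCII literal, everything else in |hex| blocks."""
    parts, hexbuf = [], []
    for b in wire:
        if 0x20 <= b < 0x7F and chr(b) not in '|";\\:':
            if hexbuf:
                parts.append("|" + " ".join(hexbuf) + "|")
                hexbuf = []
            parts.append(chr(b))
        else:
            hexbuf.append("%02X" % b)
    if hexbuf:
        parts.append("|" + " ".join(hexbuf) + "|")
    return "".join(parts)


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed standard A query: 12-byte header (flags 0x0100 = RD only, QDCOUNT=1) + question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + dns_name_to_wire(name) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def matches_blacklist_rule(payload: bytes, name: str) -> bool:
    """Apply the two detection conditions of sid 100063 to a UDP payload.

    byte_test:1,!&,0xF8,2 -> the byte at offset 2 must have none of bits 0xF8 set,
                             i.e. QR=0 and OPCODE=0 (a standard query, not a response).
    content:"|..|"        -> the wire-encoded name appears anywhere in the payload.
    """
    if len(payload) < 3:
        return False
    if payload[2] & 0xF8:                  # '!' negates the '&' test: reject if any bit is set
        return False
    return dns_name_to_wire(name) in payload


if __name__ == "__main__":
    print(snort_content_escape(dns_name_to_wire("kitkatzuniga.com")))
    print(matches_blacklist_rule(build_dns_query("kitkatzuniga.com"), "kitkatzuniga.com"))
```

Two properties of the rule fall out of running this: a query for any subdomain (for example www.kitkatzuniga.com) also matches, because the encoded suffix is a substring of the encoded name, while a look-alike such as xkitkatzuniga.com does not, because its leading length byte differs from 0x0C. Flipping byte 2 to 0x81 (a normal response) makes the match fail, which is exactly the false-positive source the `byte_test` is there to suppress.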
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!