
Careto/Mask Rules


From: Tony Robinson <deusexmachina667 () gmail com>
Date: Tue, 11 Feb 2014 19:46:10 -0500

Howdy. Made and tested these based on the information provided in the
Kaspersky Labs report. Most of these are just Blacklist DNS rules
based on the VRT template for DNS alerts, using the unique domain
names Kaspersky identified during the Careto campaign.

Additionally, I've included a signature for the malicious user-agent
associated with the malware, and included some rules that I hope will
prove useless, since the associated malware domains have (hopefully)
been taken down; these signatures look for users requesting the
infected xpi and crx files with the sbd backdoor embedded.

This is my first time doing this, so if I'm doing something horribly
wrong, please be gentle...

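# Careto / "The Mask" local rules, built from the domains, user-agent and
# download paths in the Kaspersky Lab report cited in each reference: option.
#
# The DNS rules follow the VRT "BLACKLIST DNS request" template:
#   byte_test:1,!&,0xF8,2   flags byte (offset 2, after the transaction id) has
#                           QR=0 and opcode=0, i.e. this is a standard query
#   content:"|len|label...|00|"   the query name as length-prefixed labels ending
#                           at the root terminator, so the name must end with
#                           exactly this domain (subdomains of it still match)
# The original set only carried the trailing |00| on the first four rules; it is
# now on every rule so that a constructed name such as msupdt.com.example does
# not also fire. Rules whose content changed are bumped to rev:2.
# These rules watch UDP/53 only; DNS carried over TCP is not covered.
# sids 1000010-1000035 are in the local (>= 1000000) range; renumber if they
# collide with other local rules.

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain linkconf.net - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|linkconf|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000010; rev:1;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain redirserver.net - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|redirserver|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000011; rev:1;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain swupdt.com - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|swupdt|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000012; rev:1;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain appleupdt.com - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|appleupdt|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000013; rev:1;)

# From here on the root terminator |00| was missing in the original set.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain msupdt.com - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|msupdt|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000014; rev:2;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain services.serveftp.org - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|services|08|serveftp|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000015; rev:2;)

# TODO(review): the original msg read "gx5369.dyndns.tv" while the matched
# labels spell "gx5639"; the msg is aligned to what the content actually
# matches. Confirm the spelling against the report and correct whichever is wrong.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain gx5639.dyndns.tv - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|gx5639|06|dyndns|02|tv|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000016; rev:2;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain mango66.dyndns.org - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|mango66|06|dyndns|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000017; rev:2;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain ctronlinenews.dyndns.tv - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|ctronlinenews|06|dyndns|02|tv|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000018; rev:2;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain fast8.homeftp.org - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|fast8|07|homeftp|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000019; rev:2;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain wwnav.selfip.net - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|wwnav|06|selfip|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000020; rev:2;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain dfup.selfip.net - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|dfup|06|selfip|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000021; rev:2;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain takami.podzone.net - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|takami|07|podzone|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000022; rev:2;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain ricush.ath.cx - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|ricush|03|ath|02|cx|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000023; rev:2;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain carrus.gotdns.com - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|carrus|06|gotdns|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000024; rev:2;)

# sid:1000025 was an exact duplicate of sid:1000022 (same takami.podzone.net
# content). Kept commented out so the sid stays reserved and the query does not
# raise two alerts.
# alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain takami.podzone.net - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|takami|07|podzone|03|net"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000025; rev:1;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain cherry1962.dyndns.org - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|cherry1962|06|dyndns|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000026; rev:2;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain sv.serveftp.org - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|sv|08|serveftp|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000027; rev:2;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain pl400.dyndns.org - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|pl400|06|dyndns|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000028; rev:2;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain wqq.dyndns.org - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|wqq|06|dyndns|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000029; rev:2;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain pininfarina.dynalias.com - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|pininfarina|08|dynalias|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000030; rev:2;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain nav1002.ath.cx - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|nav1002|03|ath|02|cx|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000031; rev:2;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain prosoccer2.dyndns.info - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|prosoccer2|06|dyndns|04|info|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000032; rev:2;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain prosoccer1.dyndns.info - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|prosoccer1|06|dyndns|04|info|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000033; rev:2;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain tunga.homedns.org - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|tunga|07|homedns|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000034; rev:2;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain nthost.shacknet.nu - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|nthost|08|shacknet|02|nu|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000035; rev:2;)

# HTTP rules. The User-Agent below reads like a stock IE 4.01 string, so expect
# some benign hits; tune or whitelist before running it with a drop policy.
# NOTE(review): sids 10000036-10000039 carry one digit more than the DNS rules
# (1000010-1000035), most likely a typo; left unchanged here so that nothing
# already deployed is silently renumbered.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user agent- Careto malware"; flow:to_server,established; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 4.01|3B| Windows NT|29|"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:10000036; rev:1;)

# The three download rules match on the URI path alone; the Host header is not
# checked, so any server offering these paths will trigger them.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST URI - Careto XPI plugin download request - Linux"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/l/af_l_addon.xpi"; nocase; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:10000037; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST URI - Careto XPI plugin download request - OSX"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/m/af_l_addon.xpi"; nocase; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:10000038; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST URI - Careto CRX plugin download request - Windows"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/ag/plugin.crx"; nocase; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:10000039; rev:1;)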

Cheers,

DA_667



-- 
when does reality end? when does fantasy begin?

Attachment: Careto-snort-rules.txt
Description:

