Snort mailing list archives
Re: Win.Malware.Disttrack
From: Y M <snort () outlook com>
Date: Fri, 10 Feb 2017 15:49:48 +0000
Hi Tyler,

Unfortunately there are no pcaps available. The signatures are based on the information extracted from the article. Thanks again for taking care of these.

________________________________
From: Tyler Montier <tmontier () sourcefire com>
Sent: Friday, February 10, 2017 6:25:49 PM
To: Y M
Cc: snort-sigs
Subject: Re: [Snort-sigs] Win.Malware.Disttrack

Dear Yaser,

Thanks for your submission. We will review and test the rules and get back to you when they're finished. Do you have any pcaps available?

Sincerely
Tyler Montier
Cisco Talos

On Fri, Feb 10, 2017 at 4:45 AM, Y M <snort () outlook com> wrote:

Hello,

The below signatures are derived from the article in the reference. There is a hardcoded User-Agent with HTTP "parameters". It is not clear whether these parameters are HTTP URL or Body parameters. There is also a mention of a specific domain. The rules have been sanity checked only. No pcaps available.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Malware.Disttrack variant outbound connection"; flow:to_server,established; content:"commandid="; nocase; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Mozilla/5.0 (Windows NT 6.3|3B| Trident/7.0|3B| rv:11) like Gecko|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,blog.vectranetworks.com/blog/an-analysis-of-the-shamoon-2-malware-attack; classtype:trojan-activity; sid:1000825; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Malware.Disttrack variant outbound connection"; flow:to_server,established; content:"commandid="; nocase; fast_pattern:only; http_client_body; content:"User-Agent|3A 20|Mozilla/5.0 (Windows NT 6.3|3B| Trident/7.0|3B| rv:11) like Gecko|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,blog.vectranetworks.com/blog/an-analysis-of-the-shamoon-2-malware-attack; classtype:trojan-activity; sid:1000826; rev:1;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain update.winappupdater.com - Win.Malware.Disttrack"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|update|0D|winappupdater|03|com|00|"; fast_pattern:only; metadata:ruleset community, service dns; reference:url,blog.vectranetworks.com/blog/an-analysis-of-the-shamoon-2-malware-attack; classtype:trojan-activity; sid:1000827; rev:1;)

Thank you.
YM
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!
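The three submitted rules hinge on two checks: the DNS rule matches the label-encoded domain only in a standard client query (the byte_test on the flags byte), and the two HTTP rules differ only in whether "commandid=" is searched in the URI or in the client body, since the article does not say which, while both require the hard-coded User-Agent line byte-for-byte. The Python script below is an added example, not part of this thread or of any Snort ruleset; it re-states those checks in plain code and runs them over constructed sample messages. The domain and User-Agent string come from the rules; the request paths, hostnames and parameter values in the samples are made up.

```python
# Added example, not part of the thread: a plain-Python re-statement of what
# the three submitted Snort rules (sids 1000825-1000827) match, run over
# constructed sample traffic. Sample paths, hosts and values are made up.
import struct

# Strings taken from the rules in the thread.
USER_AGENT = b"Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11) like Gecko"
MALWARE_DOMAIN = "update.winappupdater.com"


def encode_dns_name(name: str) -> bytes:
    """DNS wire-format labels: update.winappupdater.com becomes
    |06|update|0D|winappupdater|03|com|00|, the content in sid 1000827."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_dns_query(name: str, txid: int = 0x1234, flags: int = 0x0100) -> bytes:
    """Constructed A query. flags 0x0100 = RD only (QR, Opcode and AA zero)."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_dns_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def dns_rule_matches(payload: bytes) -> bool:
    """sid 1000827: byte_test:1,!&,0xF8,2 followed by the encoded-name content."""
    if len(payload) < 12:
        return False
    # Byte 2 = QR(1) Opcode(4) AA(1) TC(1) RD(1). Mask 0xF8 keeps QR|Opcode|AA,
    # so the rule only fires on a standard (opcode 0) client query, not a reply.
    if payload[2] & 0xF8:
        return False
    return encode_dns_name(MALWARE_DOMAIN) in payload


def split_http_request(raw: bytes):
    """Minimal request split into (uri, header block, body); no chunking/gzip."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    uri = parts[1] if len(parts) >= 2 else b""
    return uri, header_block, body


def http_rules_match(raw: bytes):
    """Returns (sid_1000825_hit, sid_1000826_hit).
    Both rules need the exact User-Agent line in http_header (case-sensitive,
    CRLF-terminated, as the |0D 0A| in the rule); they differ only in whether
    'commandid=' (nocase) is looked for in http_uri or in http_client_body."""
    uri, header_block, body = split_http_request(raw)
    ua_ok = (b"User-Agent: " + USER_AGENT + b"\r\n") in (header_block + b"\r\n")
    in_uri = b"commandid=" in uri.lower()
    in_body = b"commandid=" in body.lower()
    return (ua_ok and in_uri, ua_ok and in_body)


# Constructed samples (hostnames, paths and values are placeholders).
SAMPLE_GET = (b"GET /checkin?commandid=7&id=HOST01 HTTP/1.1\r\n"
              b"Host: cnc.example.invalid\r\n"
              b"User-Agent: " + USER_AGENT + b"\r\n"
              b"\r\n")
SAMPLE_POST = (b"POST /checkin HTTP/1.1\r\n"
               b"Host: cnc.example.invalid\r\n"
               b"User-Agent: " + USER_AGENT + b"\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 11\r\n"
               b"\r\n"
               b"CommandID=7")
SAMPLE_BENIGN = (b"GET /news HTTP/1.1\r\n"
                 b"Host: www.example.invalid\r\n"
                 b"User-Agent: " + USER_AGENT + b"\r\n"
                 b"\r\n")

if __name__ == "__main__":
    print("GET    ->", http_rules_match(SAMPLE_GET))     # (True, False)
    print("POST   ->", http_rules_match(SAMPLE_POST))    # (False, True)
    print("benign ->", http_rules_match(SAMPLE_BENIGN))  # (False, False)
    print("query  ->", dns_rule_matches(build_dns_query(MALWARE_DOMAIN)))                # True
    print("reply  ->", dns_rule_matches(build_dns_query(MALWARE_DOMAIN, flags=0x8180)))  # False
```

Two things worth noticing when running it: the POST sample uses "CommandID=7" and still hits sid 1000826, which is what the nocase on that content buys, whereas the User-Agent content carries no nocase and ends in |0D 0A|, so any change to a single byte of the agent string (or a request that folds the header differently) drops both HTTP rules. That makes the User-Agent a brittle anchor; the DNS rule, by contrast, only needs the client to resolve the hard-coded name, and the flags mask keeps it from firing twice on the resolver's reply.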
Current thread:
- Win.Malware.Disttrack Y M (Feb 10)
- Re: Win.Malware.Disttrack Tyler Montier (Feb 10)
- Re: Win.Malware.Disttrack Y M (Feb 10)
- <Possible follow-ups>
- Win.Malware.Disttrack Y M (Feb 18)
- Re: Win.Malware.Disttrack ILLG, FREDERICK C (Feb 19)
- Re: Win.Malware.Disttrack Al Lewis (allewi) (Feb 19)
- Re: Win.Malware.Disttrack Tyler Montier (Feb 10)