Win.Trojan.KopiLuwak Turla JS

[Y M <snort () outlook com>]

Hello,


The below signatures were derived from the article in the reference. Since there are no pcaps available, the below 
assumptions/thoughts were made.


1. For the first rule, it is assumed that the custom User-Agent ends with \x0d\x0a. It also may be a better idea to 
have the pcre as "[A-Z0-9a-z]{32}", but it written to avoid ambi

2. To avoid pcre, individual signatures were created per HTTP response. Perhaps it is better to combine all of them 
with pcre.

3. The HTTP response body does not end/contain any line terminators.


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALAWARE-CNC Win.Trojan.KopiLuwak JS outbound request"; 
flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"Mozilla/5.0 (Windows NT 
6.1|3B| Win64|3B| x64)|3B| "; fast_pattern:only; http_header; pcre:"/[0-9]{16}[A-Z0-9a-z]{16}\x0d\x0a$/mR"; 
flowbits:set,kopiluwak.js.out; flowbits:noalert; metadata:ruleset community, service http; 
reference:url,securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/; 
classtype:trojan-activity; sid:1000828; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.KopiLuwak JS inbound response"; 
flow:to_client,established; flowbits:isset,kopiluwak.js.out; content:"Content-Length|3A 20|4|0D 0A|"; http_header; 
file_data; content:"good"; depth:4; isdataat:!0,relative; metadata:ruleset community, service http; 
reference:url,securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/; 
classtype:trojan-activity; sid:1000829; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.KopiLuwak JS inbound response"; 
flow:to_client,established; flowbits:isset,kopiluwak.js.out; content:"Content-Length|3A 20|4|0D 0A|"; http_header; 
file_data; content:"exit"; depth:4; isdataat:!0,relative; metadata:ruleset community, service http; 
reference:url,securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/; 
classtype:trojan-activity; sid:1000830; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.KopiLuwak JS inbound response"; 
flow:to_client,established; flowbits:isset,kopiluwak.js.out; content:"Content-Length|3A 20|4|0D 0A|"; http_header; 
file_data; content:"work"; depth:4; isdataat:!0,relative; metadata:ruleset community, service http; 
reference:url,securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/; 
classtype:trojan-activity; sid:1000831; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.KopiLuwak JS inbound response"; 
flow:to_client,established; flowbits:isset,kopiluwak.js.out; content:"Content-Length|3A 20|4|0D 0A|"; http_header; 
file_data; content:"fail"; depth:4; isdataat:!0,relative; metadata:ruleset community, service http; 
reference:url,securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/; 
classtype:trojan-activity; sid:1000832; rev:1;)


Thanks.

YM

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!