Snort mailing list archives
Win.Trojan.KopiLuwak Turla JS
From: Y M <snort () outlook com>
Date: Tue, 14 Feb 2017 10:30:08 +0000
Hello, The below signatures were derived from the article in the reference. Since there are no pcaps available, the below assumptions/thoughts were made. 1. For the first rule, it is assumed that the custom User-Agent ends with \x0d\x0a. It also may be a better idea to have the pcre as "[A-Z0-9a-z]{32}", but it written to avoid ambi 2. To avoid pcre, individual signatures were created per HTTP response. Perhaps it is better to combine all of them with pcre. 3. The HTTP response body does not end/contain any line terminators. alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALAWARE-CNC Win.Trojan.KopiLuwak JS outbound request"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"Mozilla/5.0 (Windows NT 6.1|3B| Win64|3B| x64)|3B| "; fast_pattern:only; http_header; pcre:"/[0-9]{16}[A-Z0-9a-z]{16}\x0d\x0a$/mR"; flowbits:set,kopiluwak.js.out; flowbits:noalert; metadata:ruleset community, service http; reference:url,securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/; classtype:trojan-activity; sid:1000828; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.KopiLuwak JS inbound response"; flow:to_client,established; flowbits:isset,kopiluwak.js.out; content:"Content-Length|3A 20|4|0D 0A|"; http_header; file_data; content:"good"; depth:4; isdataat:!0,relative; metadata:ruleset community, service http; reference:url,securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/; classtype:trojan-activity; sid:1000829; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.KopiLuwak JS inbound response"; flow:to_client,established; flowbits:isset,kopiluwak.js.out; content:"Content-Length|3A 20|4|0D 0A|"; http_header; file_data; content:"exit"; depth:4; isdataat:!0,relative; metadata:ruleset community, service http; reference:url,securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/; classtype:trojan-activity; sid:1000830; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.KopiLuwak JS inbound response"; flow:to_client,established; flowbits:isset,kopiluwak.js.out; content:"Content-Length|3A 20|4|0D 0A|"; http_header; file_data; content:"work"; depth:4; isdataat:!0,relative; metadata:ruleset community, service http; reference:url,securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/; classtype:trojan-activity; sid:1000831; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.KopiLuwak JS inbound response"; flow:to_client,established; flowbits:isset,kopiluwak.js.out; content:"Content-Length|3A 20|4|0D 0A|"; http_header; file_data; content:"fail"; depth:4; isdataat:!0,relative; metadata:ruleset community, service http; reference:url,securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/; classtype:trojan-activity; sid:1000832; rev:1;) Thanks. YM
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
Current thread:
- Win.Trojan.KopiLuwak Turla JS Y M (Feb 14)
- Re: Win.Trojan.KopiLuwak Turla JS Tyler Montier (Feb 14)