Snort mailing list archives

Re: Win.Backdoor.StoneDrill


From: Tyler Montier <tmontier () sourcefire com>
Date: Wed, 8 Mar 2017 08:39:05 -0500

Yaser,

Thanks for your submission. We will review the rules and get back to you
when they're finished.

Sincerely,

Tyler Montier
Cisco Talos

On Tue, Mar 7, 2017 at 3:31 PM, Y M <snort () outlook com> wrote:

Hello,


Hope all is well. The below rules were derived from the reference report.
No pcaps are available, so the rules are only sanity checked.


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.StoneDrill server selection outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/ct_if/ctpublic/Check_Exist.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf; classtype:trojan-activity; sid:1000870; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.StoneDrill login outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"username=MD5Sum"; fast_pattern:only; http_client_body; content:"&password=MD5Sum"; http_client_body; content:"&button=Login"; http_client_body; content:"Referer|3A 20|"; http_header; content:"Connection|3A 20|close|0D 0A|"; http_header; content:" Firefox/23.0|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf; classtype:trojan-activity; sid:1000871; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.StoneDrill get commands outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/insert/index?id="; fast_pattern:only; http_uri; content:"&hst="; http_uri; content:"&ttype="; http_uri; content:"&state="; http_uri; content:"Cookie|3A 20|"; http_header; content:"Conneciton|3A 20|close|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf; classtype:trojan-activity; sid:1000872; rev:1;)

Thank you.
YM
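Since the submission notes that no pcaps are available, the usual next step before a rule like this is merged is to generate synthetic traffic and confirm each signature fires once and only on its own flow. The script below is an added example (not code from the submitter, Talos or the Kaspersky report): it writes a pcap containing one TCP session per rule, each with a full three-way handshake so the stream tracker sees an established flow, carrying an HTTP request assembled from the literal content strings in sids 1000870-1000872. Everything else is assumed: the client address 10.0.0.5, the server 203.0.113.10 (TEST-NET-3), source ports 40000-40002, the MAC addresses, sequence numbers and timestamps, and the filler values (the User-Agent string, the login path, the cookie and the query parameter values). The "MD5Sum" literals and the header spelling "Conneciton" in the third request are copied from the rules exactly as written, so the pcap exercises the rule text, not observed StoneDrill traffic.

```python
"""
Synthetic-traffic harness for the three StoneDrill rules above (added example).

Constructed, not from the report: requests are built from the literal content
strings in sids 1000870-1000872 so each rule has exactly one flow that should
fire. Each flow gets a full TCP handshake so Snort's stream tracker marks it
"established" (all three rules use flow:to_server,established).
"""
import struct
import socket

CLIENT, SERVER = "10.0.0.5", "203.0.113.10"   # assumed $HOME_NET host and assumed C2 (TEST-NET-3)
DPORT = 80                                    # in Snort's default $HTTP_PORTS
SYN, ACK, PSH = 0x02, 0x10, 0x08
PCAP_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
UA = b"Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0"  # constructed, ends in " Firefox/23.0"


def http_request(method, uri, headers, body=b""):
    """Serialise one HTTP/1.1 request; Content-Length is derived from the body."""
    lines = [method + b" " + uri + b" HTTP/1.1", b"Host: " + SERVER.encode()] + headers
    if body:
        lines.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


# One constructed request per rule. MD5Sum, the cookie, the login path and the
# query parameter values are placeholders taken from the rule text, not observed traffic.
REQUESTS = [
    http_request(b"GET", b"/ct_if/ctpublic/Check_Exist.php",
                 [b"User-Agent: " + UA, b"Connection: close"]),                        # sid 1000870
    http_request(b"POST", b"/login.php",
                 [b"User-Agent: " + UA, b"Referer: http://203.0.113.10/login.php",
                  b"Content-Type: application/x-www-form-urlencoded", b"Connection: close"],
                 b"username=MD5Sum&password=MD5Sum&button=Login"),                     # sid 1000871
    http_request(b"GET", b"/insert/index?id=1&hst=WORKSTATION1&ttype=1&state=0",
                 [b"User-Agent: " + UA, b"Cookie: session=1",
                  b"Conneciton: close"]),  # header spelled exactly as in sid 1000872   # sid 1000872
]


def checksum(data):
    """RFC 1071 one's-complement checksum; returns 0 when run over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with valid IP and TCP checksums (MAC addresses are made up)."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = s + d + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def tcp_session(sport, payload):
    """Handshake, client request, server ACK: enough for stream tracking to call the flow established."""
    c, s = 1000, 5000  # constructed initial sequence numbers
    return [
        frame(CLIENT, SERVER, sport, DPORT, c, 0, SYN),
        frame(SERVER, CLIENT, DPORT, sport, s, c + 1, SYN | ACK),
        frame(CLIENT, SERVER, sport, DPORT, c + 1, s + 1, ACK),
        frame(CLIENT, SERVER, sport, DPORT, c + 1, s + 1, PSH | ACK, payload),
        frame(SERVER, CLIENT, DPORT, sport, s + 1, c + 1 + len(payload), ACK),
    ]


def build_pcap():
    """Return the whole pcap as bytes: one TCP session per rule, each on its own source port."""
    out, n = [PCAP_HDR], 0
    for i, req in enumerate(REQUESTS):
        for f in tcp_session(40000 + i, req):
            n += 1
            out.append(struct.pack("<IIII", 1488888000, n * 1000, len(f), len(f)) + f)
    return b"".join(out)


def pcap_frames(pcap):
    """Parse the records back out of a pcap byte string (used to check the output)."""
    frames, off = [], len(PCAP_HDR)
    while off < len(pcap):
        incl = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frames.append(pcap[off + 16:off + 16 + incl])
        off += 16 + incl
    return frames


def checksums_ok(f):
    """True when both the IPv4 header and the TCP segment checksums verify to zero."""
    ip, tcp = f[14:34], f[34:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(ip) == 0 and checksum(pseudo + tcp) == 0


if __name__ == "__main__":
    with open("stonedrill_test.pcap", "wb") as fh:
        fh.write(build_pcap())
```

Put the three rules in a file included from a config that loads the stream and HTTP inspection preprocessors, then run `snort -q -A console -c snort.conf -r stonedrill_test.pcap`: exactly three alerts, one per sid, is the expected result, and a rule that does not fire usually points at a content string landing in the wrong buffer (http_uri vs http_header vs http_client_body) or at stream tracking not seeing the handshake. The handshake is the part most often skipped in hand-made pcaps and is what `flow:established` depends on. A pass here confirms rule syntax and buffer placement only; whether real StoneDrill traffic carries these exact bytes (in particular the "MD5Sum" values and the header spellings) is something only a genuine capture can settle.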


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
