Snort mailing list archives
Re: Win.Trojan.UDPOS
From: Phillip Lee <phillile () sourcefire com>
Date: Wed, 14 Feb 2018 11:18:54 -0500
Yaser, Thanks for your submission. We will review the rules and get back to you when they're finished. Can you send along the pcaps that you have? Regards, Phil Lee Cisco Talos
On Feb 13, 2018, at 12:49 PM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote: Hi, The below signatures are of the UDPOS point-of-sale malware. Pcap is available for this one. Opted for a rule per message as opposed to bundling message types into two rules. alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.UDPOS external IP address check attempt"; flow:to_server,established; content:"User-Agent|3A 20|Browser|0D 0A|"; fast_pattern:only; http_header; content:"/index.php?"; http_uri; content:"udpool="; distance:0; http_uri; metadata:ruleset community, service http; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns <http://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns>; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection <http://www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection>; classtype:trojan-activity; sid:9000025; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS data exfiltration via DNS attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|"; content:"|03|bin"; offset:16; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; pcre:"/[a-f0-9]{15}\x03bin(([\x10-\x1f][a-f0-9]{10,31}){4}).+\x00\x00/"; metadata:ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns <http://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns>; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection <http://www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection>; classtype:trojan-activity; sid:9000026; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS data exfiltration via DNS attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|"; content:"|03|trp"; offset:16; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; pcre:"/[a-f0-9]{15}\x03trp(([\x10-\x1f][a-f0-9]{10,31}){4}).+\x00\x00/"; metadata:ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns <http://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns>; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection <http://www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection>; classtype:trojan-activity; sid:9000027; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS data exfiltration via DNS attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|"; content:"|04|info"; offset:16; byte_test:1,<,40,0,relative; byte_jump:1,0,relative; byte_test:1,<,40,0,relative; byte_jump:1,0,relative; byte_test:1,<40,35,0,relative; byte_jump:1,0,relative; byte_test:1,<=,40,0,relative; pcre:"/[a-f0-9]{15}\x04info(([\x10-\x28][a-f0-9]{10,40}){4}).+\x00\x00/"; metadata:ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns <http://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns>; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection <http://www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection>; classtype:trojan-activity; sid:9000028; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS data exfiltration via DNS attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|"; content:"|04|ping"; offset:16; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; pcre:"/[a-f0-9]{15}\x04ping(([\x10-\x1f][a-f0-9]{10,31}){4}).+\x00\x00/"; metadata:ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns <http://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns>; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection <http://www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection>; classtype:trojan-activity; sid:9000029; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS data exfiltration via DNS attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|"; content:"|04|note"; offset:16; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; pcre:"/[a-f0-9]{15}\x04note(([\x10-\x1f][a-f0-9]{10,31}){4}).+\x00\x00/"; metadata:ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns <http://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns>; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection <http://www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection>; classtype:trojan-activity; sid:9000030; rev:1;) Thanks. YM _______________________________________________ Snort-sigs mailing list Snort-sigs () lists snort org <mailto:Snort-sigs () lists snort org> https://lists.snort.org/mailman/listinfo/snort-sigs <https://lists.snort.org/mailman/listinfo/snort-sigs> Please visit http://blog.snort.org <http://blog.snort.org/> for the latest news about Snort! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette <https://snort.org/faq/what-is-the-mailing-list-etiquette> Visit the Snort.org <http://snort.org/> to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads <https://snort.org/downloads/#rule-downloads>">emerging threats</a>!
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists snort org https://lists.snort.org/mailman/listinfo/snort-sigs Please visit http://blog.snort.org for the latest news about Snort! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
Current thread:
- Win.Trojan.UDPOS Y M via Snort-sigs (Feb 13)
- Re: Win.Trojan.UDPOS Phillip Lee (Feb 14)
- Message not available
- Message not available
- Re: Win.Trojan.UDPOS Phillip Lee (Mar 22)
- Message not available
- Re: Win.Trojan.UDPOS Phillip Lee (Feb 14)