Snort mailing list archives

Re: Win.Trojan.UDPOS

From: Phillip Lee <phillile () sourcefire com>
Date: Wed, 14 Feb 2018 11:18:54 -0500

Yaser,

Thanks for your submission. We will review the rules and get back to you when they're finished. 

Can you send along the pcaps that you have? 

Regards,
Phil Lee
Cisco Talos

On Feb 13, 2018, at 12:49 PM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote:

Hi,

The below signatures are of the UDPOS point-of-sale malware. Pcap is available for this one. Opted for a rule per 
message as opposed to bundling message types into two rules.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.UDPOS external IP address check 
attempt"; flow:to_server,established; content:"User-Agent|3A 20|Browser|0D 0A|"; fast_pattern:only; http_header; 
content:"/index.php?"; http_uri; content:"udpool="; distance:0; http_uri; metadata:ruleset community, service http; 
reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns 
<http://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns>; 
reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection 
<http://www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection>; 
classtype:trojan-activity; sid:9000025; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS data exfiltration via DNS attempt"; 
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|"; content:"|03|bin"; offset:16; byte_test:1,<=,31,0,relative; 
byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; 
byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; 
pcre:"/[a-f0-9]{15}\x03bin(([\x10-\x1f][a-f0-9]{10,31}){4}).+\x00\x00/"; metadata:ruleset community, service dns; 
reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns 
<http://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns>; 
reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection 
<http://www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection>; 
classtype:trojan-activity; sid:9000026; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS data exfiltration via DNS attempt"; 
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|"; content:"|03|trp"; offset:16; byte_test:1,<=,31,0,relative; 
byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; 
byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; 
pcre:"/[a-f0-9]{15}\x03trp(([\x10-\x1f][a-f0-9]{10,31}){4}).+\x00\x00/"; metadata:ruleset community, service dns; 
reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns 
<http://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns>; 
reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection 
<http://www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection>; 
classtype:trojan-activity; sid:9000027; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS data exfiltration via DNS attempt"; 
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|"; content:"|04|info"; offset:16; byte_test:1,<,40,0,relative; 
byte_jump:1,0,relative; byte_test:1,<,40,0,relative; byte_jump:1,0,relative; byte_test:1,<40,35,0,relative; 
byte_jump:1,0,relative; byte_test:1,<=,40,0,relative; 
pcre:"/[a-f0-9]{15}\x04info(([\x10-\x28][a-f0-9]{10,40}){4}).+\x00\x00/"; metadata:ruleset community, service dns; 
reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns 
<http://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns>; 
reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection 
<http://www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection>; 
classtype:trojan-activity; sid:9000028; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS data exfiltration via DNS attempt"; 
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|"; content:"|04|ping"; offset:16; byte_test:1,<=,31,0,relative; 
byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; 
byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; 
pcre:"/[a-f0-9]{15}\x04ping(([\x10-\x1f][a-f0-9]{10,31}){4}).+\x00\x00/"; metadata:ruleset community, service dns; 
reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns 
<http://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns>; 
reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection 
<http://www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection>; 
classtype:trojan-activity; sid:9000029; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS data exfiltration via DNS attempt"; 
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|"; content:"|04|note"; offset:16; byte_test:1,<=,31,0,relative; 
byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; 
byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; 
pcre:"/[a-f0-9]{15}\x04note(([\x10-\x1f][a-f0-9]{10,31}){4}).+\x00\x00/"; metadata:ruleset community, service dns; 
reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns 
<http://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns>; 
reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection 
<http://www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection>; 
classtype:trojan-activity; sid:9000030; rev:1;)

Thanks.
YM

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org <mailto:Snort-sigs () lists snort org>
https://lists.snort.org/mailman/listinfo/snort-sigs <https://lists.snort.org/mailman/listinfo/snort-sigs>

Please visit http://blog.snort.org <http://blog.snort.org/> for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette 
<https://snort.org/faq/what-is-the-mailing-list-etiquette>

Visit the Snort.org <http://snort.org/> to subscribe to the official Snort ruleset, make sure to stay up to date to 
catch the most <a href=" https://snort.org/downloads/#rule-downloads 
<https://snort.org/downloads/#rule-downloads>">emerging threats</a>!

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!

Current thread:

Win.Trojan.UDPOS Y M via Snort-sigs (Feb 13)
- Re: Win.Trojan.UDPOS Phillip Lee (Feb 14)
  - Message not available
    - Message not available
    - Re: Win.Trojan.UDPOS Phillip Lee (Mar 22)