Snort mailing list archives

Re: Snort-sigs Digest, Vol 12, Issue 50


From: "Joel Esler \(jesler\) via Snort-sigs" <snort-sigs () lists snort org>
Date: Mon, 11 Jun 2018 13:21:17 +0000

Also, obviously, he has been removed from this list, and all other Snort lists and banned for life.

On Jun 8, 2018, at 11:49 AM, 6vector9telemetry--- via Snort-sigs <snort-sigs () lists snort org> wrote:

Obviously, his Trojan was discovered and blocked, now he is upset.




On Jun 8, 2018, at 11:03 AM, Mkultra via Snort-sigs <snort-sigs () lists snort org> wrote:

rastus caint afford a "real" ids



‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On June 8, 2018 9:21 AM, Ashlee Benge <abenge () sourcefire com> wrote:

Yaser,

      We have reviewed the rules you submitted for CVE-2017-8570. Unfortunately, due to the obfuscation method used in 
the samples and a lack of static content matches, performance concerns prevent us from adding these rules to the 
ruleset.

On Tue, May 29, 2018 at 1:24 PM, <snort-sigs-request () lists snort org> wrote:
Send Snort-sigs mailing list submissions to
        snort-sigs () lists snort org

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.snort.org/mailman/listinfo/snort-sigs
or, via email, send a message with subject or body 'help' to
        snort-sigs-request () lists snort org

You can reach the person managing the list at
        snort-sigs-owner () lists snort org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-sigs digest..."


Today's Topics:

   1. Win.Trojan.Dropper (O C)
   2. CVE-2017-8570 (O C)


----------------------------------------------------------------------

Message: 1
Date: Tue, 29 May 2018 17:23:40 +0000
From: O C <snort () outlook com>
To: snort-sigs <snort-sigs () lists snort org>
Subject: [Snort-sigs] Win.Trojan.Dropper
Message-ID:
        <BN6PR1701MB18437AD38F6A61C998EECA4AA86D0 () BN6PR1701MB1843 namprd17 prod outlook com>

Content-Type: text/plain; charset="iso-8859-1"

Hi,

This downloader uses a rather unique User-Agent. Pcap is available for this one.

# --------------------
# Date: 2018-05-28
# Title: Win.Trojan.Dropper
# Tests: pcap
# Reference: https://www.virustotal.com/#/file/782cc4188618cf0c4815f85ea7873a004464095f5ed459b8d1579fa27ce5810e/detection

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known malicious user-agent - Win.Trojan.Dropper"; flow:to_server,established; content:"User-Agent: HTTPREAD|0D 0A|"; fast_pattern:only; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/782cc4188618cf0c4815f85ea7873a004464095f5ed459b8d1579fa27ce5810e/detection; classtype:trojan-activity; sid:8000074; rev:1;)

Thanks.
YM

------------------------------

Message: 2
Date: Tue, 29 May 2018 17:24:12 +0000
From: O C <snort () outlook com>
To: snort-sigs <snort-sigs () lists snort org>
Subject: [Snort-sigs] CVE-2017-8570
Message-ID:
        <BN6PR1701MB184314ADF9539049956466D5A86D0 () BN6PR1701MB1843 namprd17 prod outlook com>

Content-Type: text/plain; charset="iso-8859-1"

Hi,

This one is similar to the existing signatures 45415 and 45416. The only difference is that it uses the StdOleLink 
Moniker as opposed to the Composite Moniker. There are 2 versions for each rule. The first one is without using PCRE. 
The samples I worked with had the moniker slightly manipulated, and PCRE was a perfect fit. Pcaps available for these.

Note that the sample documents contain multiple exploits and not just one.

# --------------------
# Date: 2018-05-06
# Title: CVE-2017-8570 StdOleLink
# Reference: 
https://www.virustotal.com/#/file/bebd4cd9aece49fbe6e7024e239638004358ff87d02f9bd4328993409da9e17c/detection, 
https://www.virustotal.com/#/file/af9ed7de1d9d9d38ee12ea2d3c62ab01a79c6f4b241c02110bac8a53ea9798b5/detection
# Tests: pcap

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF StdOleLink Moniker object creation attempt - NON-PCRE"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|objupdate"; content:"003000000000000C000000000000046"; distance:0; fast_pattern; nocase; content:"C6AFABEC197FD211978E0000F8757E2A"; distance:0; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8570; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8570; reference:url,www.virustotal.com/#/file/bebd4cd9aece49fbe6e7024e239638004358ff87d02f9bd4328993409da9e17c/detection; reference:url,www.virustotal.com/#/file/af9ed7de1d9d9d38ee12ea2d3c62ab01a79c6f4b241c02110bac8a53ea9798b5/detection; classtype:attempted-user; sid:8000070; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF StdOleLink Moniker object creation attempt - PCRE"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|objupdate"; content:"003000000000000C000000000000046"; distance:0; fast_pattern; nocase; pcre:"/[A-F0-9\x20\x0a\x0d]{32}/Ri"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8570; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8570; reference:url,www.virustotal.com/#/file/bebd4cd9aece49fbe6e7024e239638004358ff87d02f9bd4328993409da9e17c/detection; reference:url,www.virustotal.com/#/file/af9ed7de1d9d9d38ee12ea2d3c62ab01a79c6f4b241c02110bac8a53ea9798b5/detection; classtype:attempted-user; sid:8000071; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF StdOleLink Moniker object creation attempt - NON-PCRE"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objupdate"; content:"003000000000000C000000000000046"; distance:0; fast_pattern; nocase; content:"C6AFABEC197FD211978E0000F8757E2A"; distance:0; nocase; metadata:ruleset community, service smtp; reference:cve,2017-8570; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8570; reference:url,www.virustotal.com/#/file/bebd4cd9aece49fbe6e7024e239638004358ff87d02f9bd4328993409da9e17c/detection; reference:url,www.virustotal.com/#/file/af9ed7de1d9d9d38ee12ea2d3c62ab01a79c6f4b241c02110bac8a53ea9798b5/detection; classtype:attempted-user; sid:8000072; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF StdOleLink Moniker object creation attempt - PCRE"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objupdate"; content:"003000000000000C000000000000046"; distance:0; fast_pattern; nocase; pcre:"/[A-F0-9\x20\x0a\x0d]{32}/Ri"; metadata:ruleset community, service smtp; reference:cve,2017-8570; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8570; reference:url,www.virustotal.com/#/file/bebd4cd9aece49fbe6e7024e239638004358ff87d02f9bd4328993409da9e17c/detection; reference:url,www.virustotal.com/#/file/af9ed7de1d9d9d38ee12ea2d3c62ab01a79c6f4b241c02110bac8a53ea9798b5/detection; classtype:attempted-user; sid:8000073; rev:1;)

Thanks.
YM


------------------------------
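A Python model of the NON-PCRE and PCRE matching logic from the CVE-2017-8570 submission above, run over constructed RTF-like fragments; this is an added example, not code from the thread or from the Snort project. It also goes one step beyond the thread with a whitespace-normalising variant that keeps both CLSID requirements when the hex data is spaced out; the sample fragments and all function names are constructed for illustration.

```python
import re

# Literal content strings from the submitted rules: a 31-character substring of the
# little-endian hex of the StdOleLink CLSID {00000300-0000-0000-C000-000000000046},
# and the composite-moniker CLSID {ECABAFC6-7F19-11D2-978E-0000F8757E2A}.
STDOLELINK_FRAG = b"003000000000000C000000000000046"
COMPOSITE_MONIKER = b"C6AFABEC197FD211978E0000F8757E2A"
OBJUPDATE = b"\\objupdate"                      # content:"|5C|objupdate" (case-sensitive)
# Character class from the submitted PCRE rule: 32 bytes of hex digits or whitespace.
HEX_OR_WS_32 = re.compile(rb"[A-F0-9\x20\x0a\x0d]{32}", re.IGNORECASE)

def _find_after(hay: bytes, needle: bytes, start: int) -> int:
    return hay.lower().find(needle.lower(), start)   # content ...; distance:0; nocase

def _after_clsid_frag(rtf: bytes) -> int:
    """Offset just past the StdOleLink fragment located after \\objupdate, or -1."""
    p = rtf.find(OBJUPDATE)
    if p < 0:
        return -1
    q = _find_after(rtf, STDOLELINK_FRAG, p + len(OBJUPDATE))
    return -1 if q < 0 else q + len(STDOLELINK_FRAG)

def match_non_pcre(rtf: bytes) -> bool:
    """NON-PCRE variant: the composite-moniker CLSID must follow literally."""
    q = _after_clsid_frag(rtf)
    return q >= 0 and _find_after(rtf, COMPOSITE_MONIKER, q) >= 0

def match_pcre(rtf: bytes) -> bool:
    """PCRE variant: any 32 hex-or-whitespace bytes right after the fragment (relative)."""
    q = _after_clsid_frag(rtf)
    return q >= 0 and HEX_OR_WS_32.match(rtf, q) is not None

def match_normalized(rtf: bytes) -> bool:
    """Added variant (not in the thread): strip whitespace RTF readers ignore inside
    hex data, then require both CLSIDs, so spacing neither evades nor loosens the match."""
    p = rtf.find(OBJUPDATE)
    if p < 0:
        return False
    flat = re.sub(rb"[\x20\x09\x0a\x0d]", b"", rtf[p:])
    q = _after_clsid_frag(flat)
    return q >= 0 and _find_after(flat, COMPOSITE_MONIKER, q) >= 0

# Constructed RTF-like fragments (not real samples) for demonstration.
CLEAN = (b"{\\rtf1{\\object\\objupdate{\\*\\objdata 0" + STDOLELINK_FRAG
         + COMPOSITE_MONIKER + b"}}}")
# Same data with spaces and CRLF inserted inside the second CLSID.
SPACED = (b"{\\rtf1{\\object\\objupdate{\\*\\objdata 0" + STDOLELINK_FRAG
          + b"C6AF ABEC\r\n197F D211 978E 0000 F875 7E2A}}}")
NO_MONIKER = b"{\\rtf1{\\object\\objupdate{\\*\\objdata 0105000002000000}}}"

def classify(rtf: bytes) -> dict:
    return {"non_pcre": match_non_pcre(rtf), "pcre": match_pcre(rtf),
            "normalized": match_normalized(rtf)}
```

On the spaced sample only the PCRE and normalised variants fire, which is the gap the submitter's PCRE version was written to close; the normalised variant does so without accepting arbitrary 32-character hex runs.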

Subject: Digest Footer

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
http://www.snort.org

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Please visit http://blog.snort.org for the latest news about Snort!


------------------------------

End of Snort-sigs Digest, Vol 12, Issue 50
******************************************



--
Ashlee Benge
Detection Response Team
Talos Group

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org (https://snort.org/downloads/#rule-downloads) to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats!
