Win.Backdoor.SocketPlayer

[Y M via Snort-sigs <snort-sigs () lists snort org>]

Hi,

Pcaps available for these. Note that the C&C server ports need to be added to the stream5 and http_inspect 
preprocessors.

# --------------------
# Date: 2018-06-06
# Title: Win.Backdoor.SocketPlayer
# Tests: pcap
# Reference:
#     - https://file.gdatasoftware.com/web/en/documents/whitepaper/G_DATA_SocketPlayer_Analysis.pdf
#     - https://www.virustotal.com/#/file/de38e74b2cd493d0f014fc6ca5d2834cea213778c2e056a7c84e9547fe275889/detection
#     - https://www.virustotal.com/#/file/ace5a17702239cebf4ebc9ae034f3b2878e471978b895d3f461ef38fce7b1a40/detection
# Note: Requires adding ports 3000 and 7218 in stream5 and http_inspect ports
# Confidence: medium
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.SocketPlayer outbound connection"; 
flow:to_server,established; content:"/socket.io/"; fast_pattern:only; http_uri; content:"?EIO="; http_uri; 
content:"&transport="; http_uri; content:!"User-Agent"; http_header; content:!"Referer"; http_header; metadata:ruleset 
community, service http; 
reference:url,www.virustotal.com/#/file/de38e74b2cd493d0f014fc6ca5d2834cea213778c2e056a7c84e9547fe275889/detection; 
reference:url,www.virustotal.com/#/file/ace5a17702239cebf4ebc9ae034f3b2878e471978b895d3f461ef38fce7b1a40/detection; 
classtype:trojan-activity; sid:8000104; rev:1;)

Thanks.
YM

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!