Snort mailing list archives
Multiple signatures 007
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 30 Jul 2018 18:09:48 +0000
Hi,

An existing sid (45907) from the ruleset may require updates. Please see the notes associated with sid 8000217 below. Pcaps available for most of the rules below.

# --------------------
# Date: 2018-07-29
# Title: CVE-2018-9919, Tpshop 2.0.8 Arbitrary File Download / SSRF
# Reference: https://packetstormsecurity.com/files/147434/Tpshop-2.0.8-Arbitrary-File-Download-SSRF.html
# Tests: syntax only

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Tpshop arbitrary file download attempt"; flow:to_server,established; urilen:>100; content:"/LinkTagTeet.php?"; fast_pattern:only; http_uri; content:"down_url="; http_uri; reference:cve,2018-9919; reference:url,packetstormsecurity.com/files/147434/Tpshop-2.0.8-Arbitrary-File-Download-SSRF.html; metadata:ruleset community, service http; classtype:attempted-admin; sid:8000215; rev:1;)

# --------------------
# Date: 2018-07-30
# Title: A mining multitool - Symbiosis of PowerShell and EternalBlue for cryptocurrency mining
# Reference:
# - https://securelist.com/a-mining-multitool/86950/
# Tests: pcap
# Confidence: low
# Notes:
# 1. This relates to the decimal/base64 encoded binary downloads with the same HTTP
#    response headers as reported in "Multiple signatures 006" sid 8000209-8000210.
#    This was a coincidence and the reference was observed on 2018-07-30.
# 2. Not friendly with HTTP buffers/content matches.
# 3. SID 1:33872, MALWARE-CNC Win.Worm.Urahu is still relevant.
# 4. This may also be referred to as Skillis, Rozena, Urahu, Nitol, PowerGhost, and similar to WannaMine.

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.PowerGhost outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/4.0+|0D 0A|"; fast_pattern:only; content:!"Connection"; metadata:ruleset community, service http; reference:url,securelist.com/a-mining-multitool/86950/; classtype:trojan-activity; sid:8000216; rev:1;)

# --------------------
# Date: 2018-07-30
# Title: New Threat Actor Group DarkHydrus Targets Middle East Government
# Reference:
# - https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/
# Tests: pcap
# Confidence: low
# Notes:
# 1. Existing sid 45907 requires modifications by changing the direction of the rule as follows:
#    alert udp $HOME_NET any -> $EXTERNAL_NET 53. This change is not posted below.
# 2. SID 8000217 has pcre to help eliminate FPs. Maybe add detection_filter?

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"MALWARE-CNC excessive DNS large TXT response records with zero-based TTL"; flow:to_client; dsize:>250; content:"|00 10 00 01|"; content:"|00 00 00 00|"; distance:0; fast_pattern; byte_test:1,>,190,2,relative; pcre:"/[\x41-\x5a\x61-\x7a]{190,255}/"; metadata:ruleset community, service dns; classtype:trojan-activity; sid:8000217; rev:1;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC inbound null SSL certificate"; flow:to_client,established; content:"|16 03 01|"; content:"|02|"; distance:2; content:"|03 01|"; distance:3; content:"|30 07 06 03 55 04 06 13 00 31 09|"; content:"|30 07 06 03 55 04 08 13 00 31 09|"; distance:0; content:"|30 07 06 03 55 04 07 13 00 31 09|"; distance:0; content:"|30 07 06 03 55 04 0A 13 00 31 09|"; distance:0; content:"|30 07 06 03 55 04 0B 13 00 31 09|"; distance:0; content:"|30 07 06 03 55 04 03 13 00|"; distance:0; metadata:ruleset community, service ssl; classtype:trojan-activity; sid:8000218; rev:1;)

# --------------------
# Date: 2018-07-30
# Title: PUA Adware Tweakbit
# Reference: Research
# - https://www.virustotal.com/#/file/ba819dafd2f79f35d4fdafa57d772ab452e58d0bb9f98ebda9153a2f0cc7f218/detection
# Tests: pcap
# Confidence: medium

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Tweakbit outbound connection"; flow:to_server,established; urilen:8; content:"/collect"; fast_pattern:only; http_uri; content:"v="; http_client_body; content:"&tid="; http_client_body; content:"&cid="; http_client_body; content:"&ea="; http_client_body; content:"&el="; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/ba819dafd2f79f35d4fdafa57d772ab452e58d0bb9f98ebda9153a2f0cc7f218/detection; classtype:trojan-activity; sid:8000219; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Tweakbit outbound connection"; flow:to_server,established; content:"/tools/offers/"; fast_pattern:only; http_uri; content:"data=|7B|"; http_client_body; content:"|22|protocol|22|"; http_client_body; content:"|22|product|22|"; http_client_body; content:"|22|oslanguage|22|"; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/ba819dafd2f79f35d4fdafa57d772ab452e58d0bb9f98ebda9153a2f0cc7f218/detection; classtype:trojan-activity; sid:8000220; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Tweakbit outbound connection"; flow:to_server,established; content:"/tools/uninstalloffers/"; fast_pattern:only; http_uri; content:"request=|7B|"; http_client_body; content:"|22|protocol|22|"; http_client_body; content:"|22|product|22|"; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/ba819dafd2f79f35d4fdafa57d772ab452e58d0bb9f98ebda9153a2f0cc7f218/detection; classtype:trojan-activity; sid:8000221; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Tweakbit outbound connection"; flow:to_server,established; content:"/driverservice.asmx"; fast_pattern:only; http_uri; content:"SOAPAction: "; http_header; content:"<operatingSystemMajorVersion>"; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/ba819dafd2f79f35d4fdafa57d772ab452e58d0bb9f98ebda9153a2f0cc7f218/detection; classtype:trojan-activity; sid:8000222; rev:1;)

# --------------------
# Date: 2018-07-30
# Title: PUA Adware AdNaver
# Reference: Research
# - https://www.virustotal.com/#/file/9cab0520f4d7c3ecbc310e55282861ca20d53959eaf6e93d8d6aa717347819da/detection
# - https://app.any.run/tasks/16de6eff-d745-43d0-b463-a542e27ed4e5
# Tests: pcap
# Confidence: low

alert udp $HOME_NET any -> $EXTERNAL_NET 15000 (msg:"PUA-ADWARE AdNaver NAT service successful installation"; flow:to_server; content:"INSTALL|09|"; content:"|09 09|"; distance:36; content:"|5C|NAT Service|5C|"; content:"C:|5C|Users|5C|"; metadata:ruleset community; reference:url,app.any.run/tasks/16de6eff-d745-43d0-b463-a542e27ed4e5; classtype:trojan-activity; sid:8000223; rev:1;)

Thanks.
YM
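The byte-level logic of sid 8000217 (dsize, the TXT/IN type-class bytes, the zero TTL, the relative byte_test on the first character-string length byte and the alphabetic pcre) re-implemented in Python and run over constructed DNS responses. This is an added example, not code from the post or from Snort; build_txt_response, matches_sid_8000217 and the sample records are assumptions made here to show which responses the rule fires on and which it does not.

```python
import re
import struct

# pcre:"/[\x41-\x5a\x61-\x7a]{190,255}/" from the rule: 190-255 consecutive ASCII letters
ALPHA_RUN = re.compile(rb"[\x41-\x5a\x61-\x7a]{190,255}")


def build_txt_response(name, txt_strings, ttl):
    """Constructed sample: a minimal DNS response with one TXT answer (hypothetical helper)."""
    qname = b"".join(struct.pack("B", len(l)) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # id, flags=QR|RD|RA, qd=1, an=1
    question = qname + struct.pack(">HH", 16, 1)                    # QTYPE TXT, QCLASS IN
    rdata = b"".join(struct.pack("B", len(s)) + s for s in txt_strings)  # <len><chars>...
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 16, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def matches_sid_8000217(payload):
    """Mirror the rule's options in order. Snort backtracks over later content hits;
    this simplified version takes the first occurrence of each, which is enough here."""
    if len(payload) <= 250:                       # dsize:>250
        return False
    i = payload.find(b"\x00\x10\x00\x01")         # content:"|00 10 00 01|" (TYPE TXT, CLASS IN)
    if i < 0:
        return False
    j = payload.find(b"\x00\x00\x00\x00", i + 4)  # content:"|00 00 00 00|"; distance:0 (TTL == 0)
    if j < 0:
        return False
    # byte_test:1,>,190,2,relative: skip RDLENGTH (2 bytes) after the TTL and read the
    # first TXT character-string length byte; fire only if that string exceeds 190 bytes
    k = j + 4 + 2
    if k >= len(payload) or payload[k] <= 190:
        return False
    return ALPHA_RUN.search(payload) is not None  # pcre over the whole payload


if __name__ == "__main__":
    long_zero_ttl = build_txt_response("example.com", [b"A" * 220], 0)      # constructed, alerts
    long_normal_ttl = build_txt_response("example.com", [b"A" * 220], 300)  # constructed, no alert
    many_short = build_txt_response("example.com", [b"A" * 100] * 3, 0)     # constructed, no alert
    for label, pkt in [("long/ttl0", long_zero_ttl), ("long/ttl300", long_normal_ttl), ("3x100/ttl0", many_short)]:
        print(label, len(pkt), "bytes ->", matches_sid_8000217(pkt))
```

The third sample is worth noting: three 100-byte strings still yield a single 300-letter run for the pcre (the 0x64 length bytes are themselves letters), so it is the byte_test on the first string length, not the pcre, that keeps the rule from firing.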
Current thread:
- Multiple signatures 007 Y M via Snort-sigs (Jul 30)
- Re: Multiple signatures 007 Marcos Rodriguez (Jul 30)