
Multiple signatures 005


From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 23 Jul 2018 16:59:44 +0000

Hi,

May I suggest enjoying a21b5295ca0e1f10ca7c3f76b632e4de (Win.Trojan.Swrort below); PowerShell command execution via DNS 
TXT response. Pcaps are available for all of the rules.

# --------------------
# Date: 2018-07-21
# Title: Win.Trojan.Fuerboos, Win.Trojan.NeutrinoBot
# Tests: pcap
# Reference:
#    - https://www.virustotal.com/#/file/8b9cf529dab1992fa37508dcd02173e615c2f3d95a46f2059d06050dd7dbcb0f/detection
# Confidence: medium
# Review notes:
#    - All three rules key on a request to /tasks.php (the only fast-pattern content) that carries a
#      Cookie header; they differ only in the form fields required in the client body:
#      auth=1 (sid 8000190), cmd=/uid=/os=/av= (sid 8000191), fail=/task_id= (sid 8000192).
#    - None of the rules pins the HTTP method, so any request with a body matches; presumably these are
#      POSTs, but it is worth stating (or adding content:"POST"; http_method;) so the intent is explicit.
#    - The three rules share one msg text and can only be told apart by sid; a distinct msg per rule
#      (check-in / system info / task failure) would make triage easier.
#    - The Title also names Win.Trojan.Fuerboos, but nothing in the rules or the reference ties that
#      family in; consider dropping it or adding its reference.

# sid 8000190: check-in body "auth=1".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.NeutrinoBot variant outbound 
connection"; flow:to_server,established; content:"/tasks.php"; fast_pattern:only; http_uri; content:"Cookie: "; 
http_header; content:"auth=1"; http_client_body; metadata:ruleset community, service http; 
reference:url,www.virustotal.com/#/file/8b9cf529dab1992fa37508dcd02173e615c2f3d95a46f2059d06050dd7dbcb0f/detection; 
classtype:trojan-activity; sid:8000190; rev:1;)

# sid 8000191: body carries cmd=, &uid=, &os= and &av= (host/AV profile fields).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.NeutrinoBot variant outbound 
connection"; flow:to_server,established; content:"/tasks.php"; fast_pattern:only; http_uri; content:"Cookie: "; 
http_header; content:"cmd="; http_client_body; content:"&uid="; http_client_body; content:"&os="; http_client_body; 
content:"&av="; http_client_body; metadata:ruleset community, service http; 
reference:url,www.virustotal.com/#/file/8b9cf529dab1992fa37508dcd02173e615c2f3d95a46f2059d06050dd7dbcb0f/detection; 
classtype:trojan-activity; sid:8000191; rev:1;)

# sid 8000192: body carries fail= and &task_id= (task result report).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.NeutrinoBot variant outbound 
connection"; flow:to_server,established; content:"/tasks.php"; fast_pattern:only; http_uri; content:"Cookie: "; 
http_header; content:"fail="; http_client_body; content:"&task_id="; http_client_body; metadata:ruleset community, 
service http; 
reference:url,www.virustotal.com/#/file/8b9cf529dab1992fa37508dcd02173e615c2f3d95a46f2059d06050dd7dbcb0f/detection; 
classtype:trojan-activity; sid:8000192; rev:1;)

# --------------------
# Date: 2018-07-21
# Title: Win.Trojan.GenKryptik (Talos File Reputation: W32.3A4A773CDF-95.SBX.TG)
# Tests: pcap
# Reference:
#    - https://www.virustotal.com/#/file/3a4a773cdfa20182f6fab817d010a0a47e94784e1b02e009c1c5c9766b43a25f/detection
# Confidence: medium
# Review notes:
#    - urilen:10 equals the length of "/index.php", so only the bare path with no query string matches.
#    - The fast pattern is the full User-Agent header (|3B| is the ';' separator); that UA string is a
#      generic old IE one, so the narrowing comes from the negated header contents: the POST must carry
#      Content-Length but no Content-Type, Connection, Accept or Referer header, which separates the
#      implant's minimal request from browser-generated traffic to /index.php.

# sid 8000194: bare POST /index.php with a fixed MSIE 6.0b UA and a stripped-down header set.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GenKryptik outbound connection"; 
flow:to_server,established; urilen:10; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0b|3B| Windows NT 5.1)"; 
fast_pattern:only; http_header; content:"/index.php"; http_uri; content:"POST"; http_method; content:"Content-Length"; 
http_header; content:!"Content-Type"; http_header; content:!"Connection"; http_header; content:!"Accept"; http_header; 
content:!"Referer"; http_header; metadata:ruleset community, service http; 
reference:url,www.virustotal.com/#/file/3a4a773cdfa20182f6fab817d010a0a47e94784e1b02e009c1c5c9766b43a25f/detection; 
classtype:trojan-activity; sid:8000194; rev:1;)

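# --------------------
# Date: 2018-07-22
# Title: Win.Trojan.MSIL (ClamAV: Win.Trojan.Agent-1288686, Talos File Reputation: W32.Auto:cc093c.in03.Talos)
# Tests: pcap
# Reference:
#    - https://www.virustotal.com/#/file/cc093cca83f700878856b06cb3623a912550d44f82071e88cbbc160381391a91/detection
# Confidence: medium
# Review notes:
#    - msg fixed: "conneciton" -> "connection" (the msg is what analysts search on, so the spelling matters).
#    - The URI query carries ?hwid=, &pswd=, &telegram= and &wallets= (the fast pattern); the body must
#      contain name=|22|file|22 3B| i.e. name="file"; which is a multipart/form-data part header, so this
#      looks like an exfiltration upload rather than a plain beacon.
#    - content:!"User-Agent" requires the request to carry no User-Agent header at all, which is the
#      main separator from browser traffic; no HTTP method is pinned.

# sid 8000195: multipart upload with wallet/password/telegram fields in the query string and no User-Agent.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL outbound connection"; 
flow:to_server,established; content:"&wallets="; fast_pattern:only; http_uri; content:"?hwid="; http_uri; 
content:"&pswd="; http_uri; content:"&telegram="; http_uri; content:"name=|22|file|22 3B|"; http_client_body; 
content:!"User-Agent"; http_header; metadata:ruleset community, service http; 
reference:url,www.virustotal.com/#/file/cc093cca83f700878856b06cb3623a912550d44f82071e88cbbc160381391a91/detection; 
classtype:trojan-activity; sid:8000195; rev:1;)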

# --------------------
# Date: 2018-07-22
# Title: Win.Trojan.Swrort (ClamAV: Win.Trojan.Swrort-5710536-0)
# Tests: pcap
# Reference:
#    - https://www.virustotal.com/#/file/c4f069d079330cd46e51f9469c27015ed34c6371481df83a323bc098f3b53382/detection
# Confidence: medium
# Notes:
#    - PowerShell execution via DNS TXT
#    - The word "shino" in the domains may be a reference to "what" in some dialects
# Review notes:
#    - sids 8000196/8000197 inspect any UDP payload to $HOME_NET (the header does not require source
#      port 53). |00 10 00 01 00 00| is an answer RR's TYPE=TXT, CLASS=IN followed by the two high bytes
#      of the TTL being zero (TTL < 65536); dsize:>100 screens out short replies.
#    - sid 8000197 has no distance:0 after the RR-type content, unlike sid 8000196, so its
#      "new-object net.webclient" match is not ordered relative to the TXT RR; adding `distance:0;`
#      would make the two rules consistent and keep the match inside the answer section.
#    - sids 8000198/8000199: byte_test:1,!&,0xF8,2 requires the QR bit and opcode bits of the DNS flags
#      byte (offset 2) to be clear, i.e. a standard query. The names are length-prefixed labels
#      (|09|shinohack|02|me, |0B|shinobotps1|03|com) and the trailing content is QTYPE/QCLASS:
#      TXT/IN for shinohack.me, A/IN for shinobotps1.com.
#    - sid 8000200: |16 03 01| is a TLS handshake record (version 3.1); |02| two bytes later (after the
#      record length) is the ServerHello type; |03 01| three bytes later (after the handshake length)
#      is the hello version; |55 04 03 13 0F| is the X.509 commonName OID followed by a PrintableString
#      of length 15, which is exactly "shinobotps1.com". No fast_pattern is set, so the longest content
#      (the CN string) is used by default. This assumes the certificate arrives in the same flow
#      after the ServerHello, which is the normal case for a server-initiated cert.

# sid 8000196: TXT answer whose RDATA contains "powershell " (case-insensitive) after the RR type.
alert udp any any -> $HOME_NET any (msg:"MALWARE-CNC PowerShell command in DNS TXT Response"; flow:to_client; 
dsize:>100; content:"|00 10 00 01 00 00|"; content:"powershell "; distance:0; nocase; metadata:ruleset community, 
service dns; 
reference:url,www.virustotal.com/#/file/c4f069d079330cd46e51f9469c27015ed34c6371481df83a323bc098f3b53382/detection; 
classtype:trojan-activity; sid:8000196; rev:1;)

# sid 8000197: TXT answer containing "new-object net.webclient" (downloader cradle), case-insensitive.
# NOTE(review): no distance:0 here, so the second content is not anchored after the first (see notes).
alert udp any any -> $HOME_NET any (msg:"MALWARE-CNC PowerShell command in DNS TXT Response"; flow:to_client; 
dsize:>100; content:"|00 10 00 01 00 00|"; content:"new-object net.webclient"; nocase; metadata:ruleset community, 
service dns; 
reference:url,www.virustotal.com/#/file/c4f069d079330cd46e51f9469c27015ed34c6371481df83a323bc098f3b53382/detection; 
classtype:trojan-activity; sid:8000197; rev:1;)

# sid 8000198: outbound standard query for shinohack.me, QTYPE TXT.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-OTHER DNS request for known malware domain shinohack.me - 
Win.Trojan.Swrort"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|shinohack|02|me"; fast_pattern:only; 
content:"|00 10 00 01|"; distance:0; metadata:ruleset community, service dns; 
reference:url,www.virustotal.com/#/file/c4f069d079330cd46e51f9469c27015ed34c6371481df83a323bc098f3b53382/detection; 
classtype:trojan-activity; sid:8000198; rev:1;)

# sid 8000199: outbound standard query for shinobotps1.com, QTYPE A.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-OTHER DNS request for known malware domain shinobotps1.com - 
Win.Trojan.Swrort"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|shinobotps1|03|com"; fast_pattern:only; 
content:"|00 01 00 01|"; distance:0; metadata:ruleset community, service dns; 
reference:url,www.virustotal.com/#/file/c4f069d079330cd46e51f9469c27015ed34c6371481df83a323bc098f3b53382/detection; 
classtype:trojan-activity; sid:8000199; rev:1;)

# sid 8000200: inbound TLS ServerHello flow carrying a certificate whose CN is shinobotps1.com.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Swrort inbound SSL certificate"; 
flow:to_client,established; content:"|16 03 01|"; content:"|02|"; distance:2; content:"|03 01|"; distance:3; 
content:"|55 04 03 13 0F|shinobotps1.com"; metadata:ruleset community, service ssl; 
reference:url,app.any.run/tasks/95c76eff-5118-46d1-9e62-cc5d4d2a1310; classtype:trojan-activity; sid:8000200; rev:1;)

Thanks.
YM
