Francis Trudeau | 25 Apr 00:17 2015

Daily Ruleset Update Summary 2015/04/24

 [***] Results from Oinkmaster started Fri Apr 24 17:53:10 2015 [***]

 27 new Open signatures, 37 new Pro (27 + 10).  Fiesta, Dridex,
Sundown, Dalexis.

 Thanks:  James Lay, Kevin Ross and @kafeine.

 [+++]          Added rules:          [+++]

 Open:

  2020985 - ET CURRENT_EVENTS Sundown EK Secondary Landing Apr 20 2015
(current_events.rules)
  2020986 - ET CURRENT_EVENTS Possible Dridex Downloader SSL
Certificate (current_events.rules)
  2020987 - ET CURRENT_EVENTS Download file with Powershell via LNK
file (observed in Sundown EK) (current_events.rules)
  2020988 - ET CURRENT_EVENTS Possible Sundown EK URI Struct T1 Apr 24
2015 (current_events.rules)
  2020989 - ET CURRENT_EVENTS Possible Sundown EK Payload Struct T1
Apr 24 2015 (current_events.rules)
  2020990 - ET CURRENT_EVENTS Sundown EK Secondary Landing T1 M2 Apr
24 2015 (current_events.rules)
  2020991 - ET CURRENT_EVENTS Possible Sundown EK Payload Struct T2 M1
Apr 24 2015 (current_events.rules)
  2020992 - ET CURRENT_EVENTS Possible Sundown EK Payload Struct T2 M2
Apr 24 2015 (current_events.rules)
  2020993 - ET CURRENT_EVENTS IonCube Encoded Page (no alert)
(current_events.rules)
  2020994 - ET CURRENT_EVENTS Possible Sundown EK Flash Exploit Struct

Kevin Ross | 24 Apr 13:43 2015

SIGS: Dridex Macro Docs in Emails

These seem to be capable of detecting the Dridex macros in emails, as they have fired for me. Hopefully they will be able to find others too, not specifically Dridex.

alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Email Contains InternetOpen WinInet API Call - Potentially Dridex MalDoc"; flow:established,to_server; content:"SW50ZXJuZXRPcGVu"; fast_pattern:only; classtype:trojan-activity; sid:156111; rev:1;)

alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Email Contains wininet.dll Call - Potentially Dridex MalDoc"; flow:established,to_server; content:"d2luaW5ldC5kbGw"; fast_pattern:only; classtype:trojan-activity; sid:156112; rev:1;)


Kind Regards,
Kevin Ross
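The two rules match the base64 form of "InternetOpen" and "wininet.dll" at a single alignment. Base64 encodes three input bytes as four output characters, so the encoding of a string inside an attachment depends on its byte offset modulo 3; the same API name at a different offset produces different text. The Python below is an added example (not Kevin's code or the ET ruleset) that derives the stable base64 fragment for each of the three alignments and scans a base64 attachment body with all of them. The macro text it encodes is constructed for the demonstration.

```python
"""Derive base64 content matches for strings hidden in MIME-encoded attachments.

Added example, not from the original post.  The rules above look for
"SW50ZXJuZXRPcGVu" and "d2luaW5ldC5kbGw", the base64 forms of "InternetOpen"
and "wininet.dll" when each starts on a 3-byte boundary.
"""
import base64

# Leading output characters that still depend on the (unknown) bytes before
# the needle, indexed by the needle's start offset mod 3.
_LEAD_DROP = {0: 0, 1: 2, 2: 3}
# Trailing output characters that depend on the bytes after the needle: one
# partially filled character plus the '=' padding, indexed by
# (offset + len(needle)) mod 3.
_TAIL_DROP = {0: 0, 1: 3, 2: 2}


def base64_alignments(needle: bytes) -> list[str]:
    """Return the three base64 fragments `needle` can produce, one per
    alignment (needle starting at byte offset 0, 1 or 2 mod 3)."""
    variants = []
    for offset in range(3):
        # Prepend `offset` dummy bytes to shift the needle, then cut away the
        # characters whose value is shared with the surrounding bytes.
        encoded = base64.b64encode(b"\x00" * offset + needle).decode("ascii")
        tail = _TAIL_DROP[(offset + len(needle)) % 3]
        variants.append(encoded[_LEAD_DROP[offset]:len(encoded) - tail])
    return variants


def encode_attachment(raw: bytes) -> str:
    """Base64-encode `raw` as a MIME body would (no line wrapping here)."""
    return base64.b64encode(raw).decode("ascii")


def scan_base64_body(body: str, needles: dict[str, bytes]) -> dict[str, bool]:
    """Check a base64 text for every alignment of every needle.
    MIME wraps base64 at 76 columns, so whitespace is stripped first."""
    flat = "".join(body.split())
    return {name: any(v in flat for v in base64_alignments(n))
            for name, n in needles.items()}


NEEDLES = {"InternetOpen": b"InternetOpen", "wininet.dll": b"wininet.dll"}

if __name__ == "__main__":
    # Constructed sample: a VBA-style declaration as it would look once the
    # document is base64-encoded.  The leading "x" bytes shift the alignment.
    for shift in range(3):
        macro = b"x" * shift + b'Declare Function InternetOpen Lib "wininet.dll" Alias'
        body = encode_attachment(macro)
        print(shift, scan_base64_body(body, NEEDLES),
              "rule literal present:", "SW50ZXJuZXRPcGVu" in body)
```

The offset-0 fragment for InternetOpen is exactly the rule's "SW50ZXJuZXRPcGVu". For wininet.dll the helper keeps one character fewer than the rule ("d2luaW5ldC5kbG"), because the final "w" of "bGw" carries two bits of whatever byte follows ".dll": a quote, space or digit keeps it "w", while a letter turns it into "x". A rule per alignment, or a pcre with the three alternatives, removes the one-in-three dependence on where the string happens to fall in the attachment.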
Kevin Ross | 24 Apr 12:02 2015

SIG: ET CURRENT_EVENTS Dridex.Maldoc Numerical Executable Request

This is to cover a hole in some detection when a user agent is not used as this is covered by sig ET CURRENT_EVENTS Potential Dridex.Maldoc Minimal Executable Request. Basically with and without user agents is what I see most of the time with numerical patterns now.
 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Dridex.Maldoc Numerical Executable Request"; flow:established,to_server; urilen:<15; content:"GET"; http_method; content:".exe"; http_uri; fast_pattern:only; pcre:"/^\/\d{1,4}\/\d{1,4}\.exe$/U"; content:".exe HTTP/1.1|0D 0A|Host|3a|"; content:!"User-Agent|3A|"; http_header; content:!"Referer|3A|"; http_header; pcre:"/Host\x3A\x20[^\r\n]*\x0D\x0A/Hmi"; reference:url,blogs.cisco.com/security/dridex-attacks-target-corporate-accounting; classtype:trojan-activity; sid:155511; rev:1;)

Kind Regards,
Kevin Ross
Francis Trudeau | 24 Apr 00:28 2015

Daily Ruleset Update Summary 2015/04/23

 [***] Summary: [***]

 9 new Open signatures, 23 new Pro (9 + 14).  Fiesta EK, Rovnix.P, Dridex.

 Thanks:  Jake Warren and @rmkml.

 [+++]          Added rules:          [+++]

Open:

  2020976 - ET EXPLOIT Possible Redirect to SMB exploit attempt - 307
(exploit.rules)
  2020977 - ET EXPLOIT Possible Redirect to SMB exploit attempt - 303
(exploit.rules)
  2020978 - ET TROJAN DDoS.Win32.Agent.bay Variant Covert Channel
(VERSONEX) (trojan.rules)
  2020979 - ET CURRENT_EVENTS Fiesta EK Landing Apr 23 2015
(current_events.rules)
  2020980 - ET CURRENT_EVENTS Fiesta EK IE Exploit Apr 23 2015
(current_events.rules)
  2020981 - ET CURRENT_EVENTS Fiesta EK Flash Exploit Apr 23 2015
(current_events.rules)
  2020982 - ET CURRENT_EVENTS Fiesta EK SilverLight Exploit Apr 23
2015 (current_events.rules)
  2020983 - ET CURRENT_EVENTS Fiesta EK Java Exploit Apr 23 2015
(current_events.rules)
  2020984 - ET CURRENT_EVENTS Fiesta EK PDF Exploit Apr 23 2015
(current_events.rules)

 Pro:

  2810753 - ETPRO TROJAN Win32/Spy.Banbra.HE Fetching Config (trojan.rules)
  2810754 - ETPRO TROJAN Trojan-Banker.Win32.Banbra.dou Checkin (trojan.rules)
  2810755 - ETPRO TROJAN Likely Dridex Generic SSL Cert (trojan.rules)
  2810756 - ETPRO TROJAN Win32/Rovnix.P Retrieving .dat (trojan.rules)
  2810757 - ETPRO TROJAN Win32/Rovnix.P HTTP GET CnC Beacon (trojan.rules)
  2810758 - ETPRO TROJAN Win32/Rovnix.P HTTP POST CnC Beacon 1 (trojan.rules)
  2810759 - ETPRO TROJAN Win32/Rovnix.P HTTP POST CnC Beacon 2 (trojan.rules)
  2810760 - ETPRO POLICY IP Check ip.xss.ru (policy.rules)
  2810761 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(atractin.1) (trojan.rules)
  2810762 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(16054) (trojan.rules)
  2810763 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(16050) (trojan.rules)
  2810764 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(veXTFTkM.1) (trojan.rules)
  2810765 - ETPRO TROJAN Win32/Rovnix.P Posting stolen data (trojan.rules)
  2810766 - ETPRO MOBILE_MALWARE Unknown Checkin (mobile_malware.rules)

 [///]     Modified active rules:     [///]

  2020300 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Exploit Struct Jan 23
2015 (current_events.rules)
Francis Trudeau | 23 Apr 03:25 2015

Daily Ruleset Update Summary 2015/04/22

 [***] Summary: [***]

 16 new Open signatures, 36 new Pro.  CozyDuke, Nuclear EK, PoisonIvy.

 Thanks:  @EKWatcher.

 [+++]          Added rules:          [+++]

 Open:

  2020960 - ET TROJAN Possible Graftor Downloading Dridex (trojan.rules)
  2020961 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (KINS CnC) (trojan.rules)
  2020962 - ET TROJAN CozyDuke APT HTTP Checkin (trojan.rules)
  2020963 - ET TROJAN CozyDuke APT HTTP GET CnC Beacon (trojan.rules)
  2020964 - ET TROJAN CozyDuke APT HTTP POST CnC Beacon (trojan.rules)
  2020965 - ET TROJAN CozyDuke APT HTTP CnC Beacon Response (trojan.rules)
  2020966 - ET TROJAN CozyDuke APT Possible SSL Cert 1 (trojan.rules)
  2020967 - ET TROJAN CozyDuke APT Possible SSL Cert 2 (trojan.rules)
  2020968 - ET TROJAN CozyDuke APT Possible SSL Cert 3 (trojan.rules)
  2020969 - ET TROJAN CozyDuke APT Possible SSL Cert 4 (trojan.rules)
  2020970 - ET TROJAN CozyDuke APT Possible SSL Cert 5 (trojan.rules)
  2020971 - ET TROJAN CozyDuke APT Possible SSL Cert 6 (trojan.rules)
  2020972 - ET TROJAN CozyDuke APT Possible SSL Cert 7 (trojan.rules)
  2020973 - ET POLICY Petite Packed Binary Download (policy.rules)
  2020974 - ET TROJAN CozyDuke APT Possible SSL Cert 8 (trojan.rules)
  2020975 - ET CURRENT_EVENTS Nuclear EK Landing Apr 22 2015
(current_events.rules)

 Pro:

  2810733 - ETPRO TROJAN TrojanSpy.Win32/Mafod Checkin (trojan.rules)
  2810734 - ETPRO TROJAN Win32.Androm.gnlb Checkin (trojan.rules)
  2810735 - ETPRO TROJAN Banker.Win32.Banbra Checkin (trojan.rules)
  2810736 - ETPRO MALWARE PUA.Win32.Bang5mai.B Checkin (malware.rules)
  2810737 - ETPRO TROJAN Simda CnC Beacon (trojan.rules)
  2810738 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(1LTSb2bdNHuNNmGnCWfVrxuDXWZ52Atubs) (trojan.rules)
  2810739 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(paranoia1.1) (trojan.rules)
  2810740 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(LZA8F5DgmTCTbdUR1AXpnvuVVFEXbKxcNH) (trojan.rules)
  2810741 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(16134) (trojan.rules)
  2810742 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(Intercepter.1) (trojan.rules)
  2810743 - ETPRO TROJAN Win32/Banker.VJ Reporting Checkin Via SMTP
(trojan.rules)
  2810744 - ETPRO TROJAN PoisonIvy Keepalive to CnC 143 (trojan.rules)
  2810745 - ETPRO TROJAN PoisonIvy Keepalive to CnC 144 (trojan.rules)
  2810746 - ETPRO TROJAN PoisonIvy Keepalive to CnC 145 (trojan.rules)
  2810747 - ETPRO TROJAN PoisonIvy Keepalive to CnC 146 (trojan.rules)
  2810748 - ETPRO TROJAN PoisonIvy Keepalive to CnC 147 (trojan.rules)
  2810749 - ETPRO TROJAN Win32/Cromptui.C Possible SSL Cert (trojan.rules)
  2810750 - ETPRO MALWARE MixVideoPlayer.A CnC Beacon (malware.rules)
  2810751 - ETPRO TROJAN Possible Dridex downloader SSL Certificate
(trojan.rules)
  2810752 - ETPRO TROJAN Tempedreve Checkin (trojan.rules)

 [///]     Modified active rules:     [///]

  2007950 - ET TROJAN Possible Infection Report Mail - Indy Mail lib
and Nome do Computador in Body (trojan.rules)
  2018497 - ET CURRENT_EVENTS Angler EK SilverLight Payload Request -
May 2014 (current_events.rules)
  2020300 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Exploit Struct Jan 23
2015 (current_events.rules)
  2808570 - ETPRO TROJAN Win32.Sisron.B Checkin 2 (trojan.rules)
  2810699 - ETPRO TROJAN Sality Variant UDP CnC Beacon Response (trojan.rules)

 [---]         Removed rules:         [---]

  2810163 - ETPRO TROJAN Win32.Cozer Cert (trojan.rules)
Jake Warren | 22 Apr 23:17 2015

More Redirect to SMB sigs

Hello,

Here are a couple of additional rules for the Redirect to SMB vulnerability. The 307 code was discovered by Trend Micro, and I discovered the 303 code during my research (it appears to only affect Internet Explorer though).

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Possible Redirect to SMB exploit attempt - 307"; flow:from_server,established; content:"307"; http_stat_code; content:"Location|3a| file|3a 2f 2f|"; http_header; fast_pattern:only; reference:url,blog.cylance.com/redirect-to-smb; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/resurrection-of-the-living-dead-the-redirect-to-smb-vulnerability/; classtype:attempted-user; sid:xxxx; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Possible Redirect to SMB exploit attempt - 303"; flow:from_server,established; content:"303"; http_stat_code; content:"Location|3a| file|3a 2f 2f|"; http_header; fast_pattern:only; reference:url,blog.cylance.com/redirect-to-smb; classtype:attempted-user; sid:xxxx; rev:1;)

Regards,
Jake Warren
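Both rules key on the status code plus the literal header "Location: file://". The Python below is an added example (not Jake's code or the ET ruleset) that applies the same check to raw HTTP responses. It normalises the case of the header name and the scheme, which the rules' case-sensitive content matches do not, so "location: FILE://" is caught as well. The responses are constructed for the demonstration (192.0.2.10 is a documentation address). Limiting the default to 303 and 307 follows the post; passing other 3xx codes is left to the reader, since the post does not cover them.

```python
"""Flag an HTTP redirect to a file:// URL (the Redirect to SMB pattern).

Added example, not from the original post or the ET ruleset.  Per the
Cylance and Trend Micro references above, a Windows client that follows
such a redirect ends up on a UNC path and attempts SMB authentication to
the named host.
"""
import re

STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3})")


def parse_response(raw: bytes) -> tuple[int, dict[str, str]]:
    """Return (status code, headers) with header names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    m = STATUS_LINE.match(status_line)
    if not m:
        raise ValueError(f"not an HTTP response: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers


def is_redirect_to_smb(raw: bytes, codes=frozenset({303, 307})) -> bool:
    """True when the status code is in `codes` and Location points at file://."""
    code, headers = parse_response(raw)
    location = headers.get("location", "")
    return code in codes and location.lower().startswith("file://")


# Constructed sample responses; only the header block matters here.
SAMPLES = {
    "307 to file share": (
        b"HTTP/1.1 307 Temporary Redirect\r\n"
        b"Location: file://192.0.2.10/share/doc\r\n"
        b"Content-Length: 0\r\n\r\n"),
    "303 lowercase header": (
        b"HTTP/1.1 303 See Other\r\n"
        b"location: FILE://192.0.2.10/share/doc\r\n\r\n"),
    "302 to file share": (
        b"HTTP/1.1 302 Found\r\n"
        b"Location: file://192.0.2.10/share/doc\r\n\r\n"),
    "302 https redirect": (
        b"HTTP/1.1 302 Found\r\n"
        b"Location: https://example.com/login\r\n\r\n"),
    "200 html with file link": (
        b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b'<a href="file://192.0.2.10/share/doc">x</a>'),
}


def evaluate_samples(codes=frozenset({303, 307})) -> dict[str, bool]:
    """Run the check over every constructed sample with the given code set."""
    return {name: is_redirect_to_smb(raw, codes) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:24} -> {hit}")
```

Inspecting the parsed header rather than matching a fixed byte string also catches "Location:file://" with no space after the colon, which the posted rules would miss.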
Francis Trudeau | 22 Apr 01:46 2015

Daily Ruleset Update Summary 2015/04/21

 [***] Summary: [***]

 3 new Open signatures, 21 new Pro (18 + 3).  VBS.BackDoor.DuCk.1,
BAT/Autorun.FN, CryptoLocker.

 [+++]          Added rules:          [+++]

 Open:

  2020955 - ET TROJAN Windows nbtstat -n Microsoft Windows DOS prompt
command exit OUTBOUND (trojan.rules)
  2020958 - ET TROJAN CryptoLocker .onion Proxy Domain
(zoqowm4kzz4cvvvl) (trojan.rules)
  2020959 - ET TROJAN CryptoWall .onion Proxy Domain
(7oqnsnzwwnm6zb7y) (trojan.rules)

 Pro:

  2810715 - ETPRO TROJAN VBS.BackDoor.DuCk.1 Checkin 1 (trojan.rules)
  2810716 - ETPRO TROJAN VBS.BackDoor.DuCk.1 Screenshot Upload (trojan.rules)
  2810717 - ETPRO TROJAN VBS.BackDoor.DuCk.1 Command Output Upload
(trojan.rules)
  2810718 - ETPRO MALWARE Win32/BTmagnat.A CnC Beacon (malware.rules)
  2810719 - ETPRO MALWARE Win32/FlyStudio CnC Beacon 2 (malware.rules)
  2810720 - ETPRO TROJAN BAT/Autorun.FN Variant Dropping Files (trojan.rules)
  2810721 - ETPRO WEB_SPECIFIC_APPS WP DukaPress Dir Traversal Attempt
(web_specific_apps.rules)
  2810722 - ETPRO WEB_SPECIFIC_APPS WP Mobile Edition Dir Traversal
Attempt (web_specific_apps.rules)
  2810723 - ETPRO TROJAN PoisonIvy Keepalive to CnC 140 (trojan.rules)
  2810724 - ETPRO TROJAN PoisonIvy Keepalive to CnC 141 (trojan.rules)
  2810725 - ETPRO TROJAN PoisonIvy Keepalive to CnC 142 (trojan.rules)
  2810726 - ETPRO WEB_SPECIFIC_APPS WP Business Intelligence Lite
1.6.1 SQLi Attempt (web_specific_apps.rules)
  2810727 - ETPRO WEB_SPECIFIC_APPS WorkTheFlow Plugin Arbitrary PHP
File Upload (web_specific_apps.rules)
  2810728 - ETPRO MOBILE_MALWARE Android/SMSreg.AV Checkin 2
(mobile_malware.rules)
  2810729 - ETPRO TROJAN Trojan-Downloader.Banload Connectivity Check
Form1 (trojan.rules)
  2810730 - ETPRO TROJAN Trojan-Downloader.Banload Connectivity Check
(trojan.rules)
  2810731 - ETPRO MOBILE_MALWARE Android/Igexin.A Checkin (mobile_malware.rules)
  2810732 - ETPRO WEB_SPECIFIC_APPS WP N-Media Plugin Arbitrary PHP
File Upload (web_specific_apps.rules)

 [///]     Modified active rules:     [///]

  2806447 - ETPRO TROJAN Win32/Autoit.IT Checkin 1 (trojan.rules)
  2806448 - ETPRO TROJAN Win32/Autoit.IT Checkin 2 (trojan.rules)
Duane Howard | 20 Apr 20:08 2015

add nocase to content negations?

I've seen a couple of instances of browsers using lower-case for all headers, and thus tripping this alert. Can we make the content negations nocase? Is it worth considering doing this for *all* header content negations?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible HTTP GET Deep Panda C2 Activity"; flow:established,to_server; content:"GET"; http_method; content:".jpg?id="; http_uri; fast_pattern:only; content:!"Accept"; nocase; http_header; content:!"Referer|3a|"; nocase; http_header; pcre:"/\.jpg\?id=\d+$/U"; reference:md5,5acc539355258122f8cdc7f5c13368e1; classtype:trojan-activity; sid:2020379; rev:2;)

Cheers,
./d
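Duane's question also applies to the Dridex.Maldoc Numerical Executable Request rule earlier in this digest, whose User-Agent and Referer negations are case-sensitive in the same way. The Python below is an added example (not from either post or from the ET ruleset) that evaluates the logic of both rules over constructed requests, with a switch that turns the negations case-insensitive. The header matching is a simplification of the Snort/Suricata http_header buffer: a plain substring test over the header block, which is what a `content` keyword does.

```python
"""Evaluate two header-negation rules from this digest against raw requests.

Added example, not from either post or the ET ruleset.  Mirrors the
Dridex.Maldoc Numerical Executable Request rule (GET, URI /N/N.exe shorter
than 15 bytes, Host as the first header, no User-Agent and no Referer) and
the Deep Panda rule (GET, URI ending .jpg?id=<digits>, no Accept and no
Referer).  `nocase` toggles case-insensitive negations.
"""
import re

NUMERIC_EXE_URI = re.compile(r"^/\d{1,4}/\d{1,4}\.exe$")  # pcre:"/^\/\d{1,4}\/\d{1,4}\.exe$/U"
DEEP_PANDA_URI = re.compile(r"\.jpg\?id=\d+$")            # pcre:"/\.jpg\?id=\d+$/U"


def parse_request(raw: bytes) -> tuple[str, str, str, str]:
    """Split a raw HTTP request into method, URI, version and header block."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, _, header_block = head.partition("\r\n")
    method, uri, version = request_line.split(" ", 2)
    return method, uri, version, header_block


def header_contains(header_block: str, needle: str, nocase: bool) -> bool:
    """A `content` match on the http_header buffer, with or without nocase."""
    if nocase:
        return needle.lower() in header_block.lower()
    return needle in header_block


def dridex_numeric_exe(raw: bytes, nocase: bool = False) -> bool:
    method, uri, version, hdrs = parse_request(raw)
    return (method == "GET"
            and len(uri) < 15                                  # urilen:<15
            and NUMERIC_EXE_URI.match(uri) is not None
            # raw content ".exe HTTP/1.1|0D 0A|Host|3a|": Host is the first header
            and version == "HTTP/1.1" and hdrs.startswith("Host:")
            and not header_contains(hdrs, "User-Agent:", nocase)
            and not header_contains(hdrs, "Referer:", nocase))


def deep_panda_get(raw: bytes, nocase: bool = False) -> bool:
    method, uri, _version, hdrs = parse_request(raw)
    return (method == "GET"
            and DEEP_PANDA_URI.search(uri) is not None
            and not header_contains(hdrs, "Accept", nocase)   # any Accept* header
            and not header_contains(hdrs, "Referer:", nocase))


# Constructed sample requests (192.0.2.0/24 is the documentation range).
SAMPLES = {
    "dridex bare":       b"GET /12/345.exe HTTP/1.1\r\nHost: 192.0.2.20\r\n\r\n",
    "dridex with ua":    b"GET /12/345.exe HTTP/1.1\r\nHost: 192.0.2.20\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
    "dridex lc referer": b"GET /12/345.exe HTTP/1.1\r\nHost: 192.0.2.20\r\nreferer: http://192.0.2.20/\r\n\r\n",
    "five digits":       b"GET /12345/1.exe HTTP/1.1\r\nHost: 192.0.2.20\r\n\r\n",
    "panda lc accept":   b"GET /img/a.jpg?id=1234 HTTP/1.1\r\nHost: 192.0.2.30\r\naccept: */*\r\n\r\n",
    "panda bare":        b"GET /img/a.jpg?id=1234 HTTP/1.1\r\nHost: 192.0.2.30\r\n\r\n",
}


def evaluate(nocase: bool) -> dict[str, tuple[bool, bool]]:
    """Return {sample: (dridex_hit, deep_panda_hit)} for one nocase setting."""
    return {name: (dridex_numeric_exe(raw, nocase), deep_panda_get(raw, nocase))
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for nocase in (False, True):
        print(f"nocase={nocase}")
        for name, (dridex, panda) in evaluate(nocase).items():
            print(f"  {name:18} dridex={dridex!s:5} deep_panda={panda!s:5}")
```

With nocase off, a client that sends "referer:" or "accept:" in lowercase slips past the negation and the rule fires; with it on, the same requests are suppressed while the bare requests still alert. Header names are case-insensitive in HTTP, so a negation without nocase only adds false positives and detects nothing extra.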
James Lay | 20 Apr 16:36 2015

Rule 2002117

Any way we can get a port negation on this?

alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net connection reset (possible IP-Ban)"; flags:R,12; reference:url,doc.emergingthreats.net/bin/view/Main/2002117; classtype:policy-violation; sid:2002117; rev:6;)

Hits on:
04/20-13:26:02.834073  [**] [1:2002117:6] ET GAMES Battle.net connection reset (possible IP-Ban) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} x.x.x.x:6112 -> x.x.x.x:443

Thanks.

James
Kevin Ross | 20 Apr 15:22 2015

SIGS: ET MALWARE W32/PicColor.Adware

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/PicColor.Adware Install CnC Beacon"; flow:established,to_server; content:"/inst2?d="; http_uri; depth:9; content:"&format="; http_uri; classtype:trojan-activity; reference:md5,6b173406ffccaa6d0287b795f8de2073; sid:156611; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/PicColor.Adware Update Request CnC Beacon"; flow:established,to_server; content:"/updaterqst?d="; http_uri; depth:14; content:"&format="; http_uri; classtype:trojan-activity; reference:md5,6b173406ffccaa6d0287b795f8de2073; sid:156612; rev:1;)


Kind Regards,
Kevin Ross
Kevin Ross | 17 Apr 15:13 2015

(no subject)

Hi,

A simple signature for this trojan. I am focusing on the fact that it uses a fake Mozilla/6.0 UA, which seems to be hardcoded.

# Sample is mentioned in Fireeye Report
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Gamarue.AP CnC Beacon"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"/"; http_uri; depth:1; content:"User-Agent|3A| Mozilla/6.0 (compatible|3B| MSIE 6.0|3B| Windows NT 6.1)"; http_header; fast_pattern:21,20; content:!"Referer|3A|"; http_header; classtype:trojan-activity; reference:url,www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html; reference:md5,04a35ce286644c9e0f994cc08210a5b4; sid:156711; rev:1;)


Kind Regards,
Kevin Ross