Francis Trudeau | 13 Feb 00:23 2016

Daily Ruleset Update Summary 2016/02/12

 [***] Summary: [***]

 9 new Open signatures, 15 new Pro (9 + 6).  CVE-2016-1287, Loxes, PlugX.

 Thanks: @abuse_ch & @rmkml.

 [+++]          Added rules:          [+++]

 Open:

  2022510 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Qadars CnC) (trojan.rules)
  2022511 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Qadars CnC) (trojan.rules)
  2022512 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Qadars CnC) (trojan.rules)
  2022513 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Qadars CnC) (trojan.rules)
  2022514 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Gootkit CnC) (trojan.rules)
  2022515 - ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size
Inbound 2 (exploit.rules)
  2022516 - ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size
Inbound 3 (exploit.rules)
  2022517 - ET MOBILE_MALWARE Android/Fakeinst.KD .onion Proxy Domain
(mobile_malware.rules)
  2022518 - ET EXPLOIT D-Link DCS-930L Remote Command Execution
attempt (exploit.rules)

 Pro:
(Continue reading)

rmkml | 12 Feb 21:46 2016

Offering a sig to detect the latest D-Link RCE

Hello,

The http://etplc.org project offers a new sig to detect the RCE:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC D-Link DCS-930L Remote Command Execution attempt"; flow:to_server,established; urilen:17; content:"POST"; nocase; http_method; content:"/setSystemCommand"; nocase; http_uri; content:"SystemCommand="; nocase; http_client_body; reference:url,www.exploit-db.com/exploits/39437/; classtype:web-application-attack; sid:1; rev:1;)

Don't forget to check vars...

Please comment.

Regards
 @Rmkml
Francis Trudeau | 11 Feb 23:42 2016

Daily Ruleset Update Summary 2016/02/11

 [***] Summary: [***]

 5 new Open signatures, 30 new Pro (5 + 25).  Dridex, CVE-2016-1287, PlugX.

 Thanks: @abuse_ch & @MalwareMustDie.

 [+++]          Added rules:          [+++]

 Open:

  2022505 - ET TROJAN W32/Gaudox Checkin (trojan.rules)
  2022506 - ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size
Inbound (exploit.rules)
  2022507 - ET TROJAN TeslaCrypt/AlphaCrypt Payment DNS Lookup (trojan.rules)
  2022508 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Dridex) (trojan.rules)
  2022509 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Dridex) (trojan.rules)

 Pro:

  2816191 - ETPRO CURRENT_EVENTS USPS Phishing Landing Feb 10
(current_events.rules)
  2816193 - ETPRO TROJAN PCRat/Gh0st CnC Beacon Request (symbol
variant) (trojan.rules)
  2816194 - ETPRO POLICY DNS Query to .onion proxy Domain
(fileinvestpaytor.com) (policy.rules)
  2816195 - ETPRO POLICY DNS Query to .onion proxy Domain
(worldoptionstopaytor.com) (policy.rules)
  2816196 - ETPRO TROJAN PlugX UDP Beacon 1 (trojan.rules)
(Continue reading)

Adnan Shukor | 11 Feb 15:14 2016

Re: cve-2016-1287

Awesome! Thanks for the prompt reply

Thanks,

--
Adnan
From: Will Metcalf
Sent: Thursday, 11 February 2016 10:05 PM
To: Adnan Shukor
Cc: Emerging Sigs
Subject: Re: [Emerging-Sigs] cve-2016-1287

They will be open rules..

On Thu, Feb 11, 2016 at 8:00 AM, Will Metcalf <wmetcalf <at> emergingthreatspro.com> wrote:
One of our researchers, Travis Green, cooked up a couple of rules based on the Exodus advisory and the proto spec. The rules are in QA; if they clear they will go out with today's set.

Regards,

Will

On Thu, Feb 11, 2016 at 6:44 AM, Adnan Shukor <adnan.shukor-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
Hi,

I'm not aware of any cve-2016-1287 signature in the open rules. I wonder if it is in the pro rules?


Thanks,

--
Adnan


_______________________________________________
Emerging-sigs mailing list
Emerging-sigs-QLpEr2logwxONy2houXFdO9NwHtMwxe5XqFh9Ls21Oc@public.gmane.org
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net





Adnan Shukor | 11 Feb 13:44 2016

cve-2016-1287

Hi,

I'm not aware of any cve-2016-1287 signature in the open rules. I wonder if it is in the pro rules?

Found this writeup earlier: https://blog.exodusintel.com/2016/01/26/firewall-hacking/

Thanks,

--
Adnan

Francis Trudeau | 11 Feb 00:54 2016

Daily Ruleset Update Summary 2016/02/10

 [***] Summary: [***]

 5 new Open signatures, 23 new Pro (5 + 18).  TeslaCrypt/AlphaCrypt,
Dridex, Nymaim, Sharik/Smoke.

 Thanks: Kevin Ross and @PietroDelsante.

 [+++]          Added rules:          [+++]

 Open:

  2022500 - ET CURRENT_EVENTS Xbagger Macro Encrypted DL (current_events.rules)
  2022501 - ET TROJAN TeslaCrypt/AlphaCrypt Variant .onion Payment
Domain(fwgrhsao3aoml7ej) (trojan.rules)
  2022502 - ET TROJAN Suspicious Accept in HTTP POST - Possible
Alphacrypt/TeslaCrypt (trojan.rules)
  2022503 - ET CURRENT_EVENTS Dridex AlphaNum DL Feb 10 2016
(current_events.rules)
  2022504 - ET TROJAN Alphacrypt/TeslaCrypt Ransomware CnC Beacon (trojan.rules)

 Pro:

  2816173 - ETPRO TROJAN Malicious SSL certificate detected
(Backdoor.Mizzmo) (trojan.rules)
  2816174 - ETPRO MALWARE Win32/Zlob.APW Checkin (malware.rules)
  2816175 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.FakeInst.hd
Checkin (mobile_malware.rules)
  2816176 - ETPRO TROJAN Malicious SSL certificate detected
(Backdoor.Mizzmo) (trojan.rules)
  2816177 - ETPRO TROJAN W32/Nymaim Checkin 4 (trojan.rules)
  2816178 - ETPRO TROJAN Malicious SSL certificate detected
(Backdoor.Mizzmo) (trojan.rules)
  2816179 - ETPRO TROJAN Malicious SSL certificate detected
(Backdoor.Mizzmo) (trojan.rules)
  2816180 - ETPRO TROJAN Backdoor.Mizzmo CnC Beacon 3 (trojan.rules)
  2816181 - ETPRO TROJAN Backdoor.Mizzmo Service-Proxied CnC Beacon
(trojan.rules)
  2816182 - ETPRO TROJAN PoisonIvy Keepalive to CnC 294 (trojan.rules)
  2816183 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.hf Checkin
(mobile_malware.rules)
  2816184 - ETPRO MOBILE_MALWARE Android.Trojan.Deviceadmin.Auto
Checkin (mobile_malware.rules)
  2816185 - ETPRO MOBILE_MALWARE Android.Trojan.Deviceadmin.Auto
Checkin 2 (mobile_malware.rules)
  2816186 - ETPRO TROJAN Dipsind POST CnC Beacon (trojan.rules)
  2816187 - ETPRO TROJAN Dipsind GET CnC Beacon 1 (trojan.rules)
  2816188 - ETPRO TROJAN Dipsind GET CnC Beacon 2 (trojan.rules)
  2816189 - ETPRO TROJAN Dipsind GET CnC Beacon 3 (trojan.rules)
  2816190 - ETPRO TROJAN Sharik/Smoke CnC Beacon 6 (trojan.rules)

 [///]     Modified active rules:     [///]

  2013184 - ET TROJAN Artro Downloader User-Agent Detected (trojan.rules)
  2020470 - ET TROJAN Dridex POST Retrieving Second Stage (trojan.rules)
  2020825 - ET TROJAN Dridex POST Retrieving Second Stage M2 (trojan.rules)
  2021001 - ET CURRENT_EVENTS Fiesta Payload/Exploit URI Struct M6
(current_events.rules)
  2804439 - ETPRO TROJAN Worm.Win32.Qvod Install (trojan.rules)
  2812394 - ETPRO TROJAN Dropper.Dapato Retrieving js (trojan.rules)
  2812818 - ETPRO TROJAN Backdoor.Telnneru CnC Beacon (INBOUND) 3 (trojan.rules)
  2815723 - ETPRO EXPLOIT MS16-007 Office DLL Loading RCE M2
(CVE-2016-0018) (exploit.rules)
  2815835 - ETPRO TROJAN Derusbi Variant CnC Beacon (trojan.rules)
  2816166 - ETPRO TROJAN Backdoor.Mizzmo CnC Beacon Response (trojan.rules)

 [---]  Disabled and modified rules:  [---]

  2001329 - ET POLICY RDP connection request (policy.rules)
  2001331 - ET POLICY RDP disconnect request (policy.rules)
  2003286 - ET MALWARE SOCKSv5 UDP Proxy Inbound Connect Request
(Windows Source) (malware.rules)
  2003287 - ET MALWARE SOCKSv5 UDP Proxy Inbound Connect Request
(Linux Source) (malware.rules)
  2020630 - ET EXPLOIT FREAK Weak Export Suite From Server
(CVE-2015-0204) (exploit.rules)
  2020631 - ET EXPLOIT FREAK Weak Export Suite From Server
(CVE-2015-0204) (exploit.rules)
  2020632 - ET EXPLOIT FREAK Weak Export Suite From Server
(CVE-2015-0204) (exploit.rules)
  2020633 - ET EXPLOIT FREAK Weak Export Suite From Server
(CVE-2015-0204) (exploit.rules)
  2020659 - ET EXPLOIT FREAK Weak Export Suite From Server
(CVE-2015-0204) (exploit.rules)
  2020660 - ET EXPLOIT FREAK Weak Export Suite From Server
(CVE-2015-0204) (exploit.rules)
  2020662 - ET EXPLOIT FREAK Weak Export Suite From Server
(CVE-2015-0204) (exploit.rules)
  2020663 - ET EXPLOIT FREAK Weak Export Suite From Server
(CVE-2015-0204) (exploit.rules)
  2020664 - ET EXPLOIT FREAK Weak Export Suite From Server
(CVE-2015-0204) (exploit.rules)
  2020665 - ET EXPLOIT FREAK Weak Export Suite From Server
(CVE-2015-0204) (exploit.rules)
  2020666 - ET EXPLOIT FREAK Weak Export Suite From Server
(CVE-2015-0204) (exploit.rules)
  2020667 - ET EXPLOIT FREAK Weak Export Suite From Server
(CVE-2015-0204) (exploit.rules)
  2020668 - ET EXPLOIT FREAK Weak Export Suite From Server
(CVE-2015-0204) (exploit.rules)
  2020669 - ET EXPLOIT FREAK Weak Export Suite From Server
(CVE-2015-0204) (exploit.rules)
  2020995 - ET CURRENT_EVENTS Fiesta Payload/Exploit URI Struct M0
(current_events.rules)
  2020996 - ET CURRENT_EVENTS Fiesta Payload/Exploit URI Struct M1
(current_events.rules)
  2020997 - ET CURRENT_EVENTS Fiesta Payload/Exploit URI Struct M2
(current_events.rules)
  2021000 - ET CURRENT_EVENTS Fiesta Payload/Exploit URI Struct M5
(current_events.rules)
  2021002 - ET CURRENT_EVENTS Fiesta Payload/Exploit URI Struct M7
(current_events.rules)
  2021003 - ET CURRENT_EVENTS Fiesta Payload/Exploit URI Struct M8
(current_events.rules)
  2021004 - ET CURRENT_EVENTS Fiesta Payload/Exploit URI Struct M9
(current_events.rules)
  2021124 - ET EXPLOIT Logjam Weak DH/DHE Export Suite From Server
(exploit.rules)
  2021125 - ET EXPLOIT Logjam Weak DH/DHE Export Suite From Server
(exploit.rules)
  2800107 - ETPRO EXPLOIT HP OpenView Products OVTrace Service Stack
Buffer Overflow (exploit.rules)
  2800500 - ETPRO EXPLOIT Dnsmasq TFTP Service Remote Heap Buffer
Overflow (exploit.rules)
  2800549 - ETPRO EXPLOIT MIT Kerberos KDC Authentication Denial of
Service (exploit.rules)
  2800567 - ETPRO SQL Oracle MySQL Database COM_FIELD_LIST Buffer
Overflow (sql.rules)
  2800685 - ETPRO EXPLOIT Sun Directory Server LDAP Denial of Service
(exploit.rules)
  2800720 - ETPRO EXPLOIT IBM Lotus Domino LDAP Server Memory
Exception Vulnerability via ASN.1 (exploit.rules)
  2801379 - ETPRO EXPLOIT Novell ZENworks Configuration Management
TFTPD Remote Code Execution 1 (exploit.rules)
  2801957 - ETPRO TROJAN Backdoor.Win32.Mooplids.A Checkin 2 (trojan.rules)
  2802206 - ETPRO EXPLOIT HP Intelligent Management Center TFTP Server
MODE Remote Code Execution 2 (exploit.rules)
  2809906 - ETPRO TROJAN Dridex Post Checkin Activity 5 (trojan.rules)

 [---]         Removed rules:         [---]

  2020999 - ET CURRENT_EVENTS Fiesta Payload/Exploit URI Struct M4
(current_events.rules)
  2810561 - ETPRO TROJAN Win32/TrojanDownloader.Banload.VKN CnC Beacon
(trojan.rules)
  2815533 - ETPRO CURRENT_EVENTS Possible Nuclear EK Payload Dec 30
2015 M1 (fb set) (current_events.rules)
  2815770 - ETPRO TROJAN Alphacrypt/TeslaCrypt Ransomware CnC Beacon
(trojan.rules)
Morris, Andi | 10 Feb 11:02 2016

Potential Shadowserver false positive

Hi,

I’ve been seeing a lot of triggers from Android clients with rule 2404057.

alert udp $HOME_NET any -> [46.165.193.136,46.165.218.165,46.249.42.14,46.28.110.163,46.45.166.212,46.45.190.57,5.135.186.30,5.154.238.204,5.196.12.25,5.196.26.138] any (msg:"ET CNC Shadowserver Reported CnC Server UDP group 29"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2404057; rev:4122;)

Upon further investigation and talks with the people at Janet CSIRT it appears that the IP address 46.249.42.14 is actually part of the global NTP pool:

first_seen                 | rrname                    | rdata        | ttl | count | type |
2016-02-05 00:00:22.894403 | 2.pool.ntp.org            | 46.249.42.14 | 150 | 7     | a    |
2016-02-05 00:15:31.601605 | 0.pool.ntp.org            | 46.249.42.14 | 150 | 13    | a    |
2016-02-05 00:44:46.351943 | 0.clearswift.pool.ntp.org | 46.249.42.14 | 150 | 4     | a    |
2016-02-05 00:59:05.935552 | pool.ntp.org              | 46.249.42.14 | 150 | 3     | a    |
2016-02-05 01:52:07.695216 | 2.android.pool.ntp.org    | 46.249.42.14 | 150 | 9     | a    |
2016-02-05 02:11:51.687746 | 1.pool.ntp.org            | 46.249.42.14 | 150 | 5     | a    |
2016-02-05 05:05:26.829542 | 1.europe.pool.ntp.org     | 46.249.42.14 | 150 | 4     | a    |
2016-02-05 07:00:57.853316 | europe.pool.ntp.org       | 46.249.42.14 | 150 | 4     | a    |
2016-02-05 09:54:49.111423 | 3.europe.pool.ntp.org     | 46.249.42.14 | 150 | 1     | a    |
2016-02-05 10:40:48.397015 | 3.pool.ntp.org            | 46.249.42.14 | 150 | 2     | a    |
2016-02-05 11:00:25.444429 | 2.ubuntu.pool.ntp.org     | 46.249.42.14 | 150 | 1     | a    |
2016-02-05 11:36:41.187287 | 0.europe.pool.ntp.org     | 46.249.42.14 | 150 | 1     | a    |

I can also confirm that the alert triggers are hitting this server on port 123.

I’m happy to modify this rule locally to avoid the false positive; however, I thought I’d send an email to you guys in case you want to modify the rule globally for the wider community.

Cheers,

Andi

-------------------------------------

Andi Morris

IT Security Officer
Cardiff Metropolitan University

T: 02920 205720
E: amorris <at> cardiffmet.ac.uk

--------------------------------------
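Andi's report is a textbook collision between a threat-intel IP list and shared public infrastructure: one address in a Shadowserver-derived CnC group is also a pool.ntp.org member, so every Android client that syncs its clock trips sid 2404057. The script below is an added example, not code from this thread or from Emerging Threats. It pulls the destination group out of the rule as quoted above, cross-references it with a subset of the passive-DNS rows from the post, counts how many of a set of constructed alert records are UDP/123 to a pool member, and then produces the two local fixes an analyst would choose between: a threshold.config suppress entry keyed on the destination address (which leaves the rule file untouched, so the next ruleset update does not overwrite the change) and a copy of the rule with the address dropped from the group. The alert records and their tuple format are constructed for the example; the suppress line uses the standard Snort/Suricata threshold.config syntax.

```python
import re
from collections import Counter

# Rule 2404057 as quoted in the post above (ET CNC Shadowserver UDP group 29).
RULE = ('alert udp $HOME_NET any -> [46.165.193.136,46.165.218.165,46.249.42.14,46.28.110.163,'
        '46.45.166.212,46.45.190.57,5.135.186.30,5.154.238.204,5.196.12.25,5.196.26.138] any '
        '(msg:"ET CNC Shadowserver Reported CnC Server UDP group 29"; '
        'reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; '
        'threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; '
        'flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2404057; rev:4122;)')

# A subset of the passive-DNS rows from the post: (first_seen, rrname, rdata).
PDNS_ROWS = [
    ('2016-02-05 00:00:22.894403', '2.pool.ntp.org', '46.249.42.14'),
    ('2016-02-05 00:15:31.601605', '0.pool.ntp.org', '46.249.42.14'),
    ('2016-02-05 00:44:46.351943', '0.clearswift.pool.ntp.org', '46.249.42.14'),
    ('2016-02-05 00:59:05.935552', 'pool.ntp.org', '46.249.42.14'),
    ('2016-02-05 01:52:07.695216', '2.android.pool.ntp.org', '46.249.42.14'),
]

# Constructed alert records, (src_ip, dest_ip, dest_port); not real alerts.
SAMPLE_ALERTS = [
    ('10.20.30.41', '46.249.42.14', 123),
    ('10.20.30.42', '46.249.42.14', 123),
    ('10.20.30.43', '46.249.42.14', 123),
    ('10.20.30.44', '5.196.12.25', 6000),
]

_GROUP = re.compile(r'->\s+\[([^\]]+)\]\s+(\S+)\s+\(')   # "-> [ip,ip,...] port ("
_SID = re.compile(r'\bsid:(\d+);')


def dest_ips(rule):
    """Destination IP group from the rule header, in file order."""
    m = _GROUP.search(rule)
    if not m:
        raise ValueError('no bracketed destination group in rule header')
    return [ip.strip() for ip in m.group(1).split(',')]


def ntp_pool_ips(rows):
    """Addresses passive DNS has seen behind pool.ntp.org or any of its subdomains."""
    return {rdata for _, rrname, rdata in rows
            if rrname == 'pool.ntp.org' or rrname.endswith('.pool.ntp.org')}


def suspected_false_positives(rule, rows):
    """Listed CnC destinations that are also public NTP pool members."""
    return sorted(set(dest_ips(rule)) & ntp_pool_ips(rows))


def classify_alerts(alerts, fp_ips):
    """Count alerts that are NTP (UDP/123) to a pool member versus everything else."""
    tally = Counter()
    for _, dest, dport in alerts:
        tally['ntp_to_pool_member' if dest in fp_ips and dport == 123 else 'needs_review'] += 1
    return dict(tally)


def suppress_lines(rule, fp_ips):
    """threshold.config entries that silence this sid only for the suspect destinations."""
    sid = int(_SID.search(rule).group(1))
    return [f'suppress gen_id 1, sig_id {sid}, track by_dst, ip {ip}' for ip in fp_ips]


def patched_rule(rule, fp_ips):
    """Copy of the rule with the suspect addresses removed from the destination group."""
    keep = [ip for ip in dest_ips(rule) if ip not in fp_ips]
    if not keep:
        raise ValueError('every destination would be removed; disable the rule instead')
    return _GROUP.sub(lambda m: f'-> [{",".join(keep)}] {m.group(2)} (', rule, count=1)


if __name__ == '__main__':
    fps = suspected_false_positives(RULE, PDNS_ROWS)
    print('suspected NTP pool members in group:', fps)
    print(classify_alerts(SAMPLE_ALERTS, fps))
    print('\n'.join(suppress_lines(RULE, fps)))
    print(patched_rule(RULE, fps))
```

The suppress entry is the safer of the two fixes for a local deployment: the alert for the other nine addresses keeps firing, the rev stays whatever upstream ships, and a later ruleset update cannot silently put the address back.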

 


Kevin Ross | 10 Feb 10:56 2016

SIG: ET TROJAN W32/TeslaCrypt.Ransom CnC Beacon 2

Hi,

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/TeslaCrypt.Ransom CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; content:!"Referer|3A|"; http_header; content:"data="; http_client_body; depth:5; pcre:"/^data\x3D[A-F0-9]{100,}$/P"; classtype:trojan-activity; reference:md5,35a6de1e8dbea19bc44cf49ae0cae59e; sid:189211; rev:1;)


Kind Regards,
Kevin Ross


- Has a very odd Accept header, although I wasn't really sure of a good way to go about including that in the sig:
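Both rmkml's D-Link DCS-930L rule earlier in this digest and Kevin's TeslaCrypt beacon rule above are built from the HTTP sticky-buffer keywords, and a quick way to sanity-check such a rule before submitting it is to evaluate its conditions over a handful of requests. The following Python script is an added example, not code from the list, from the etplc.org project or from the ET ruleset: it implements a minimal evaluator for content (with nocase, negation, depth and the http_method/http_uri/http_client_body/http_header buffers), urilen and pcre with the /U and /P flags, and runs both rules as posted over constructed requests whose hostnames, addresses and bodies are made up. It does not normalise the URI and does not know file_data, within or distance, so it is a plausibility check for the logic of a rule, not a substitute for running Snort or Suricata against a pcap.

```python
import re

# rmkml's D-Link rule and Kevin Ross's TeslaCrypt rule, as posted in the thread.
DLINK_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC D-Link '
    'DCS-930L Remote Command Execution attempt"; flow:to_server,established; '
    'urilen:17; content:"POST"; nocase; http_method; content:"/setSystemCommand"; '
    'nocase; http_uri; content:"SystemCommand="; nocase; http_client_body; '
    'reference:url,www.exploit-db.com/exploits/39437/; '
    'classtype:web-application-attack; sid:1; rev:1;)')
TESLACRYPT_RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/TeslaCrypt.Ransom '
    'CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; '
    'content:".php"; http_uri; pcre:"/\\.php$/U"; content:!"Referer|3A|"; http_header; '
    'content:"data="; http_client_body; depth:5; pcre:"/^data\\x3D[A-F0-9]{100,}$/P"; '
    'classtype:trojan-activity; reference:md5,35a6de1e8dbea19bc44cf49ae0cae59e; '
    'sid:189211; rev:1;)')

_HEX = re.compile(r'\|([0-9A-Fa-f ]+)\|')            # |3A| style hex groups in content
_OPT = re.compile(r'(?:[^;"]|"[^"]*")+')             # one rule option, quotes kept intact
_TEXT_BUF = {'http_method': 'method', 'http_uri': 'uri', 'http_header': 'headers'}

def decode_content(text):
    """Turn a content string with |hex| groups (e.g. Referer|3A|) into bytes."""
    return _HEX.sub(lambda m: bytes.fromhex(m.group(1)).decode('latin-1'), text).encode('latin-1')

def parse_rule(rule):
    """Ordered checks the rule applies plus its sid; non-matching options are skipped."""
    parsed = {'sid': None, 'checks': []}
    for opt in _OPT.findall(rule.partition('(')[2].rstrip().rstrip(')')):
        name, _, val = (s.strip() for s in opt.partition(':'))
        if name == 'content':
            parsed['checks'].append({
                'kind': 'content', 'neg': val.startswith('!'), 'nocase': False,
                'value': decode_content(val.lstrip('!').strip('"')),
                'buf': 'raw', 'depth': None})
        elif name in _TEXT_BUF or name == 'http_client_body':
            parsed['checks'][-1]['buf'] = name      # modifiers stick to the last content
        elif name == 'nocase':
            parsed['checks'][-1]['nocase'] = True
        elif name == 'depth':
            parsed['checks'][-1]['depth'] = int(val)
        elif name == 'urilen':
            parsed['checks'].append({'kind': 'urilen', 'length': int(val)})
        elif name == 'pcre':
            regex, _, flags = val.strip('"').lstrip('/').rpartition('/')
            buf = 'http_uri' if 'U' in flags else 'http_client_body' if 'P' in flags else 'raw'
            parsed['checks'].append({'kind': 'pcre', 'buf': buf, 'regex': re.compile(
                regex.encode('latin-1'), re.I if 'i' in flags else 0)})
        elif name == 'sid':
            parsed['sid'] = int(val)
    return parsed

def _buffer(req, name):
    """Bytes a check inspects; the URI is taken raw, with no normalisation."""
    if name in _TEXT_BUF:
        return req[_TEXT_BUF[name]].encode()
    if name == 'http_client_body':
        return req['body']
    return f"{req['method']} {req['uri']} HTTP/1.1\r\n{req['headers']}\r\n".encode() + req['body']

def matches(rule, req):
    """True when every check in the parsed rule holds for the request."""
    for chk in rule['checks']:
        if chk['kind'] == 'urilen':
            ok = len(req['uri']) == chk['length']
        elif chk['kind'] == 'pcre':
            ok = chk['regex'].search(_buffer(req, chk['buf'])) is not None
        else:
            hay, needle = _buffer(req, chk['buf']), chk['value']
            if chk['depth'] is not None:
                hay = hay[:chk['depth']]
            if chk['nocase']:
                hay, needle = hay.lower(), needle.lower()
            ok = (needle in hay) != chk['neg']   # negated content must be absent
        if not ok:
            return False
    return True

def _req(method, uri, headers, body):
    return {'method': method, 'uri': uri, 'headers': headers, 'body': body}

# Constructed requests; hosts, addresses and bodies are made up for the example.
HEX_BLOB = b'data=' + b'0123456789ABCDEF' * 8        # 128 upper-case hex characters
SAMPLES = {
    'dlink_set_command': _req('POST', '/setSystemCommand', 'Host: camera.internal.example\r\n',
                              b'SystemCommand=placeholder-value'),
    'benign_login': _req('POST', '/login', 'Host: intranet.example\r\nReferer: http://intranet.example/\r\n',
                         b'user=alice&pass=example'),
    'teslacrypt_beacon': _req('POST', '/gate.php', 'Host: 203.0.113.10\r\n', HEX_BLOB),
    'teslacrypt_with_referer': _req('POST', '/gate.php',
                                    'Host: 203.0.113.10\r\nReferer: http://203.0.113.10/\r\n', HEX_BLOB),
}

def evaluate(rule_text, samples=SAMPLES):
    """Map each sample name to whether the rule would fire on it."""
    rule = parse_rule(rule_text)
    return {name: matches(rule, req) for name, req in samples.items()}
```

Running `evaluate(DLINK_RULE)` fires only on the `/setSystemCommand` post, because `urilen:17` pins the exact path length and the other three samples have different URIs; `evaluate(TESLACRYPT_RULE)` fires only on the beacon without a Referer, which shows how the negated `http_header` content and the `{100,}` hex-length requirement in the body pcre together keep an ordinary form post from matching.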



Kevin Ross | 9 Feb 12:24 2016

SIG: ET CURRENT_EVENTS Dridex MalDoc Encrypted Executable Payload 9th Feb 2016

Started seeing this today. Payload is Dridex and here is an example of one of the docs: https://hybrid-analysis.com/sample/f820318a5862270b5dad569338a14fd9b1cbdb5a0835a4329617d4109cebf7b6?environmentId=4. The documents seem to be changing, and now instead of the usual patterns it is taking up the jpg request with encrypted payload download. This is just a quick sig to detect the header, and I'm not sure how much of this will be static across campaigns, but it should help for now. Also, the document is required to execute the payload.

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Dridex MalDoc Encrypted Executable Download 9th Feb 2016"; flow:established,to_client; content:"Content-Type|3A| image/jpeg"; http_header; file_data; content:"|06 1E D4 44 47 44 44 44 40 44 44 44 BB BB 44 44 FC 44 44 44 44 44 44 44 04 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 9C 44 44 44 4A 5B FE 4A|"; within:68; classtype:trojan-activity; reference:md5,a4816f457cbe3062d91682de41b6005c; sid:1670121; rev:1;)

Kind Regards,
Kevin Ross

Request example:


Payload example:


Request 2:




Francis Trudeau | 9 Feb 00:13 2016

Daily Ruleset Update Summary 2016/02/08

 [***] Summary: [***]

 6 new Open signatures, 27 new Pro (6 + 21).  Chinoxy, Ursnif, SteamStealer.

 Thanks: Kevin Ross, @jeffhammett & @esentire.

 [+++]          Added rules:          [+++]

 Open:

  2022494 - ET TROJAN Win32/LockScreen CnC HTTP Pattern (trojan.rules)
  2022495 - ET TROJAN Win32/HydraCrypt CnC Beacon 1 (trojan.rules)
  2022496 - ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 07
2016 (current_events.rules)
  2022497 - ET CURRENT_EVENTS Successful Apple Phish Feb 6th M1
(current_events.rules)
  2022498 - ET CURRENT_EVENTS Successful Apple Phish Feb 6th M2
(current_events.rules)
  2022499 - ET CURRENT_EVENTS Successful Apple Phish Feb 6th M3
(current_events.rules)

 Pro:

  2816102 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish Feb
8 (current_events.rules)
  2816103 - ETPRO TROJAN Malicious SSL certificate detected (Ursnif
Injects) (trojan.rules)
  2816104 - ETPRO TROJAN Possible Chinoxy Receiving Alternative CnC
(trojan.rules)
  2816105 - ETPRO TROJAN Chinoxy GET CnC Beacon (trojan.rules)
  2816106 - ETPRO TROJAN Chinoxy POST CnC Beacon (trojan.rules)
  2816107 - ETPRO TROJAN Chinoxy TCP CnC Beacon (trojan.rules)
  2816108 - ETPRO TROJAN Chinoxy TCP CnC Beacon Response (trojan.rules)
  2816109 - ETPRO MALWARE W32/Mostar Checkin (malware.rules)
  2816110 - ETPRO TROJAN Sylavriu.A/TorCT RAT CnC Checkin (trojan.rules)
  2816111 - ETPRO CURRENT_EVENTS Common /mpp/ Phishing URI Structure
Feb 8 (current_events.rules)
  2816112 - ETPRO POLICY DNS Query to .onion proxy Domain
(billingdetros.com) (policy.rules)
  2816113 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(2016-02-08 1) (trojan.rules)
  2816114 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(2016-02-08 2) (trojan.rules)
  2816115 - ETPRO TROJAN Bitcoin miner known malicious basic auth
(QW5vbnltb3VzQ29pbmVyX0JvdDI6Yml0Y29pbm1pbmVyMg==) (trojan.rules)
  2816116 - ETPRO TROJAN SteamStealer Item Value Check (trojan.rules)
  2816117 - ETPRO TROJAN Win32/Pottieq.A Ransomware CnC Checkin (trojan.rules)
  2816118 - ETPRO TROJAN Win32/Pottieq.A Ransomware CnC Crypted Files
(trojan.rules)
  2816119 - ETPRO CURRENT_EVENTS Successful DHL Phish Feb 8
(current_events.rules)
  2816120 - ETPRO CURRENT_EVENTS DHL Phish Landing Feb 8 (current_events.rules)
  2816121 - ETPRO TROJAN Possible Ransomware Variant .onion Proxy
Domain (trojan.rules)
  2816122 - ETPRO TROJAN W32/Unknown Checkin (trojan.rules)

 [///]     Modified active rules:     [///]

  2813009 - ETPRO CURRENT_EVENTS DHL Phish Landing Sept 14
(current_events.rules)
  2815778 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish
(set) Jan 14 (current_events.rules)
  2815804 - ETPRO CURRENT_EVENTS Possible Nuclear EK Landing URI
Struct Jan 14 M1 (current_events.rules)
  2815805 - ETPRO CURRENT_EVENTS Possible Nuclear EK Landing URI
Struct Jan 14 M2 (current_events.rules)
  2815806 - ETPRO CURRENT_EVENTS Possible Nuclear EK Landing URI
Struct Jan 14 M3 (current_events.rules)
  2815817 - ETPRO CURRENT_EVENTS Possible Nuclear EK Flash URI Struct
Jan 14 M1 (current_events.rules)
  2815818 - ETPRO CURRENT_EVENTS Possible Nuclear EK Flash URI Struct
Jan 14 M2 (current_events.rules)

 [---]         Removed rules:         [---]

  2021760 - ET CURRENT_EVENTS PHISH Generic Webmail - Landing Page
Sept 11 (current_events.rules)
  2811431 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(CGX2U2oeocN3DTJhyPG2cPg7xpRRTzNZkz) (trojan.rules)
  2815910 - ETPRO TROJAN Win32/LockScreen CnC HTTP Pattern (trojan.rules)
  2816076 - ETPRO TROJAN Win32/HydraCrypt CnC Beacon 1 (trojan.rules)
Francis Trudeau | 6 Feb 01:14 2016

Daily Ruleset Update Summary 2016/02/05

 [***] Summary: [***]

 1 new Open signature, 8 new Pro (1 + 7).  PlasmaRAT, PoisonIvy, Escelar.

 [+++]          Added rules:          [+++]

 Open:

  2022493 - ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 05
2016 (current_events.rules)

 Pro:

  2816091 - ETPRO TROJAN PlasmaRAT Variant Checkin (trojan.rules)
  2816092 - ETPRO TROJAN PoisonIvy Keepalive to CnC 293 (trojan.rules)
  2816096 - ETPRO CURRENT_EVENTS Possible Websc Phishing Page Feb 5
(current_events.rules)
  2816097 - ETPRO TROJAN Win32/Rogue Browser Extension Installer
Checkin (trojan.rules)
  2816099 - ETPRO CURRENT_EVENTS Successful USAA Phish Feb 5 M1
(current_events.rules)
  2816100 - ETPRO CURRENT_EVENTS Successful USAA Phish Feb 5 M2
(current_events.rules)
  2816101 - ETPRO TROJAN Possible Escelar MSSQL Cert (trojan.rules)

 [///]     Modified active rules:     [///]

  2011582 - ET POLICY Vulnerable Java Version 1.6.x Detected (policy.rules)
  2014297 - ET POLICY Vulnerable Java Version 1.7.x Detected (policy.rules)
  2019401 - ET POLICY Vulnerable Java Version 1.8.x Detected (policy.rules)
