rmkml | 30 Oct 11:14 2014

Offered a new sig for detecting ftp rce via http redirect location pipe

Hi,

The Etplc project offered a new sig for detecting FTP RCE via HTTP redirect Location pipe:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT FTP NetBSDv7.99.1 or MacOSXv10.10 or FreeBSDv10 Remote Command Execution pipe via Location header attempt"; flow:to_client,established; content:"Location\:"; nocase; http_header; content:"|7C|"; within:100; distance:0; http_header; pcre:"/^Location\:[^\n]{0,100}?\x7c/Hsmi"; reference:cve,2014-8517; reference:url,cxsecurity.com/issue/WLB-2014100174; classtype:web-application-activity; sid:1; rev:1;)

Don't forget to check $EXTERNAL_NET, $HTTP_PORTS and $HOME_NET.

Feedback is welcome.

Regards
@Rmkml

PS: http://etplc.org project.
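As an added check, not part of rmkml's post or the etplc project: the same match implemented in Python over two constructed responses, so the rule's pcre semantics (Location at line start, case-insensitive, pipe within the first 100 bytes of the value, headers only) can be exercised offline before the sig is deployed.

```python
import re

# Constructed sample responses, not captured traffic: a plain redirect and one
# whose Location value carries a pipe within its first 100 bytes.
BENIGN_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://mirror.example/pub/file.tar.gz\r\n"
    b"Content-Length: 0\r\n\r\n"
)
PIPE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Server: Apache\r\n"
    b"location: http://mirror.example/pub/|sample\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# The rule's pcre with the same flags: 'm' so ^ anchors each header line, 'i' for
# a case-insensitive "Location", then at most 100 non-newline bytes before 0x7c.
# The lazy {0,100}? mirrors the within:100 constraint on the |7C| content match.
LOCATION_PIPE = re.compile(rb"^Location:[^\n]{0,100}?\x7c", re.MULTILINE | re.IGNORECASE)

def header_block(response: bytes) -> bytes:
    """Only the headers, roughly what the http_header buffer holds; body bytes never match."""
    head, _sep, _body = response.partition(b"\r\n\r\n")
    return head

def location_has_pipe(response: bytes) -> bool:
    """True when a Location header carries a pipe within its first 100 bytes."""
    return LOCATION_PIPE.search(header_block(response)) is not None

def location_value(response: bytes) -> str:
    """The Location value, for the alert's context, or '' when absent."""
    for line in header_block(response).split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"location":
            return value.strip().decode("latin-1", "replace")
    return ""

if __name__ == "__main__":
    for label, resp in (("benign", BENIGN_RESPONSE), ("pipe", PIPE_RESPONSE)):
        print(label, location_has_pipe(resp), location_value(resp))
```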
Francis Trudeau | 29 Oct 23:26 2014

Daily Ruleset Update Summary 10/29/2014

 [***] Summary: [***]

 15 new Open signatures, 19 new Pro (15+4).  Sofacy, PoisonIvy, W32/ZxShell.

 Thanks: Kevin Ross, Eoin Miller and @rmkml

 [+++]          Added rules:          [+++]

 Open:

  2019585 - ET TROJAN Sofacy HTTP Request msonlinelive.com (trojan.rules)
  2019586 - ET TROJAN Sofacy DNS Lookup msonlinelive.com (trojan.rules)
  2019587 - ET TROJAN W32/ZxShell Server Checkin Response (trojan.rules)
  2019588 - ET TROJAN W32/ZxShell Checkin (trojan.rules)
  2019589 - ET TROJAN PoisonIvy Keepalive to CnC (Operation SMN Variant) (trojan.rules)
  2019590 - ET TROJAN PoisonIvy Keepalive to CnC (Operation SMN Variant) (trojan.rules)
  2019591 - ET TROJAN PoisonIvy Keepalive to CnC (Operation SMN Variant) (trojan.rules)
  2019592 - ET TROJAN PoisonIvy Keepalive to CnC (Operation SMN Variant) (trojan.rules)
  2019593 - ET TROJAN PoisonIvy Keepalive to CnC (Operation SMN Variant) (trojan.rules)
  2019594 - ET CURRENT_EVENTS FlashPack EK Plugin-Detect Post (current_events.rules)
  2019595 - ET CURRENT_EVENTS FlashPack Payload Download Oct 29 (current_events.rules)
  2019596 - ET CURRENT_EVENTS FlashPack Secondary Landing Oct 29 (current_events.rules)

rmkml | 29 Oct 17:02 2014

New Elasticsearch Connector for ETPLC project.

Hi,

I'm proud to announce a new Elasticsearch Connector for my http://etplc.org project.

The new Connector retrieves proxy or web server logs from Elasticsearch in realtime and sends them to etplc for checking Threats!
(needs a few parameters checked)

http://etplc.org/elasticsearch.html
http://etplc.org/download.html
http://etplc.org/

Example:
"perl etplc_elasticsearch_29oct2014.pl | perl etplc_15oct2014a.pl -f emergingall_sigs28oct2014a_snort290b.rules"

or Python v2:
"perl etplc_elasticsearch_29oct2014.pl | python2 etplc_15oct2014a.py2 -f emergingall_sigs28oct2014a_snort290b.rules"

All feedback is welcome.

Thank you Community and @EmergingThreats Open Signature.

Best Regards
@Rmkml
Kevin Ross | 29 Oct 10:16 2014
Francis Trudeau | 29 Oct 00:48 2014

Daily Ruleset Update Summary 10/28/2014

 [***] Summary: [***]

 52 New Open signatures, 59 new Pro (52+7).  OLDBAIT, Sofacy, SweetOrange EK.

 Thanks: @rmkml, @jaimeblascob, @PwC_LLC and @kafeine.

 [+++]          Added rules:          [+++]

 Open:

  2019524 - ET WEB_SPECIFIC_APPS BASE base_stat_common.php remote file include (web_specific_apps.rules)
  2019526 - ET WEB_SERVER WEB-PHP phpinfo access (web_server.rules)
  2019534 - ET TROJAN OLDBAIT Checkin (trojan.rules)
  2019535 - ET TROJAN OLDBAIT Checkin sptr (trojan.rules)
  2019536 - ET TROJAN OLDBAIT Checkin 2 brvc (trojan.rules)
  2019537 - ET TROJAN Win32/Chopstick Checkin (APT28 Related) (trojan.rules)
  2019538 - ET TROJAN Ransom.Win32.Blocker.fwlm Checkin (trojan.rules)
  2019539 - ET TROJAN Win32/Coreshell Checkin (APT28 Related) (trojan.rules)
  2019540 - ET CURRENT_EVENTS Potential Sofacy Phishing Redirect (current_events.rules)
  2019541 - ET CURRENT_EVENTS Potential Sofacy Phishing Redirect (current_events.rules)
  2019542 - ET CURRENT_EVENTS Likely SweetOrange EK Java Exploit Struct (JAR) (current_events.rules)
  2019543 - ET CURRENT_EVENTS Likely SweetOrange EK Flash Exploit URI Struct (current_events.rules)
  2019544 - ET CURRENT_EVENTS Possible Sweet Orange Flash/IE Payload Request (current_events.rules)
  2019545 - ET TROJAN Sofacy Request Outbound (trojan.rules)
  2019546 - ET TROJAN Sofacy HTTP Request adawareblock .com (trojan.rules)
  2019547 - ET TROJAN Sofacy HTTP Request adobeincorp .com (trojan.rules)
  2019548 - ET TROJAN Sofacy HTTP Request azureon-line .com (trojan.rules)
  2019549 - ET TROJAN Sofacy HTTP Request checkmalware .info (trojan.rules)
  2019550 - ET TROJAN Sofacy HTTP Request checkwinframe .com (trojan.rules)
  2019551 - ET TROJAN Sofacy HTTP Request check-fix .com (trojan.rules)
  2019552 - ET TROJAN Sofacy HTTP Request hotfix-update .com (trojan.rules)
  2019553 - ET TROJAN Sofacy HTTP Request microsofi .org (trojan.rules)
  2019554 - ET TROJAN Sofacy HTTP Request microsof-update .com (trojan.rules)
  2019555 - ET TROJAN Sofacy HTTP Request scanmalware .info (trojan.rules)
  2019556 - ET TROJAN Sofacy HTTP Request secnetcontrol .com (trojan.rules)
  2019557 - ET TROJAN Sofacy HTTP Request securitypractic .com (trojan.rules)
  2019558 - ET TROJAN Sofacy HTTP Request testservice24 .net (trojan.rules)
  2019559 - ET TROJAN Sofacy HTTP Request testsnetcontrol .com (trojan.rules)
  2019560 - ET TROJAN Sofacy HTTP Request updatepc .org (trojan.rules)
  2019561 - ET TROJAN Sofacy HTTP Request updatesoftware24 .com (trojan.rules)
  2019562 - ET TROJAN Sofacy HTTP Request windows-updater .com (trojan.rules)
  2019563 - ET TROJAN Sofacy HTTP Request checkmalware .org (trojan.rules)
  2019564 - ET TROJAN Sofacy DNS Lookup adawareblock .com (trojan.rules)
  2019565 - ET TROJAN Sofacy DNS Lookup adobeincorp .com (trojan.rules)
  2019566 - ET TROJAN Sofacy DNS Lookup azureon-line .com (trojan.rules)
  2019567 - ET TROJAN Sofacy DNS Lookup checkmalware .info (trojan.rules)
  2019568 - ET TROJAN Sofacy DNS Lookup checkwinframe .com (trojan.rules)
  2019569 - ET TROJAN Sofacy DNS Lookup check-fix .com (trojan.rules)
  2019570 - ET TROJAN Sofacy DNS Lookup hotfix-update .com (trojan.rules)
  2019571 - ET TROJAN Sofacy DNS Lookup microsofi .org (trojan.rules)
  2019572 - ET TROJAN Sofacy DNS Lookup microsof-update .com (trojan.rules)
  2019573 - ET TROJAN Sofacy DNS Lookup scanmalware .info (trojan.rules)
  2019574 - ET TROJAN Sofacy DNS Lookup secnetcontrol .com (trojan.rules)
  2019575 - ET TROJAN Sofacy DNS Lookup securitypractic .com (trojan.rules)
  2019576 - ET TROJAN Sofacy DNS Lookup symanttec .org (trojan.rules)
  2019577 - ET TROJAN Sofacy DNS Lookup testservice24 .net (trojan.rules)
  2019578 - ET TROJAN Sofacy DNS Lookup testsnetcontrol .com (trojan.rules)
  2019579 - ET TROJAN Sofacy DNS Lookup updatepc .org (trojan.rules)
  2019580 - ET TROJAN Sofacy DNS Lookup updatesoftware24 .com (trojan.rules)
  2019581 - ET TROJAN Sofacy DNS Lookup windows-updater .com (trojan.rules)
  2019582 - ET TROJAN Sofacy DNS Lookup checkmalware .org (trojan.rules)
  2019583 - ET TROJAN Sofacy HTTP Request symanttec .org (trojan.rules)

 Pro:

  2809080 - ETPRO EXPLOIT DotNetNuke DNNspot Store 3.0.0 File Upload (exploit.rules)
  2809081 - ETPRO MOBILE_MALWARE Android/Lxsj.A Checkin (mobile_malware.rules)
  2809082 - ETPRO EXPLOIT Mulesoft ESB Runtime 3.5.1 Privilege Escalation (exploit.rules)
  2809084 - ETPRO TROJAN Infostealer.Limitail Stealing Info Via HTTP (trojan.rules)
  2809085 - ETPRO TROJAN Trojan.Win32.Sefnit.C Install (trojan.rules)
  2809086 - ETPRO WEB_SPECIFIC_APPS CreativeContact Plugin Arbitrary File Upload (web_specific_apps.rules)
  2809087 - ETPRO TROJAN Trojan.Alnaddy Checkin (trojan.rules)

 [///]     Modified active rules:     [///]

  2011488 - ET FTP Suspicious Quotation Mark Usage in FTP Username (ftp.rules)
  2017648 - ET CURRENT_EVENTS Possible Sweet Orange payload Request (current_events.rules)
  2019418 - ET CURRENT_EVENTS SSL excessive fatal alerts (possible POODLE attack against server) (current_events.rules)
  2806561 - ETPRO POLICY Ultrasurf Proxy Anonymizer TLS ClientHello Attempt (policy.rules)
  2809030 - ETPRO TROJAN Possibly Malicious DNS TXT Response Contains URL (trojan.rules)

 [///]    Modified inactive rules:    [///]

  2008547 - ET TROJAN PECompact2 Packed Binary - Sometimes Hostile (trojan.rules)

 [---]         Removed rules:         [---]

  2805844 - ETPRO TROJAN Cryp_Xin2/Clicker.Win32.Small.zy Checkin 1 sptr (trojan.rules)
  2805845 - ETPRO TROJAN Cryp_Xin2/Clicker.Win32.Small.zy Checkin 2 brvc (trojan.rules)
  2809067 - ETPRO TROJAN Win32/Sednit.L Checkin (trojan.rules)
Kevin Ross | 28 Oct 23:57 2014

SIGS: ET TROJAN APT28 SIGS

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/CoreShell.APT28 Downloader CnC Beacon"; flow:established,to_server; urilen:7; content:"POST"; http_method; content:"/check/"; http_uri; depth:7; content:"User-Agent|3A| MSIE 8.0|0D 0A|"; http_header; classtype:trojan-activity; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; sid:139921; rev:1;)

# only ai is not randomly generated according to the report. The UA in the report has Windows NT 6.; though, which is a good indicator too with the .; and same in V1
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Chopstick.APT28 Version 2 CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/search/?"; http_uri; content:"&ai="; http_uri; content:"User-Agent|3A| Mozilla/5.0 (Windows NT 6.|3B| WOW64|3B|"; http_header; fast_pattern:24,16; classtype:trojan-activity; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; sid:139922; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Chopstick.APT28 Version 1 CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/webhp?"; http_uri; content:"&ai="; http_uri; content:"User-Agent|3A| Mozilla/5.0 (Windows NT 6.|3B| WOW64|3B|"; http_header; fast_pattern:24,16; classtype:trojan-activity; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; sid:139923; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/OldBait.APT28 Credential Harvester CnC Beacon"; flow:established,to_server; urilen:10; content:"POST"; http_method; content:"/index.php"; http_uri; depth:10; content:"prefs="; http_client_body; depth:6; classtype:trojan-activity; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; sid:139924; rev:1;)

Kind Regards,
Kevin Ross
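Added check, not code from Kevin's post or from Emerging Threats: a small Python tokenizer for Snort rule options that decodes |hex| content strings and reports which bytes a fast_pattern:offset,length picks. Run on the Version 2 rule above as it was originally posted (closing quote after |3B| missing) it refuses the rule, and on the repaired rule it shows that 24,16 selects the "(Windows NT 6.; " fragment the comment singles out.

```python
import re

# One rule option up to an unquoted ';'. A quoted string is consumed whole, so a ';'
# inside content:"..." cannot split an option, and an unclosed quote fails the match.
_OPTION = re.compile(r'\s*((?:"(?:\\.|[^"\\])*"|[^";])+)\s*;')

def parse_options(rule: str) -> list:
    # [(keyword, value)] from the option body; ValueError on an unterminated quote.
    body, pos, opts = rule[rule.index("(") + 1 : rule.rindex(")")].rstrip(), 0, []
    while pos < len(body):
        m = _OPTION.match(body, pos)
        if not m:
            raise ValueError("unbalanced quotes near: " + body[pos:pos + 40])
        key, _, val = m.group(1).partition(":")
        opts.append((key.strip(), val.strip()))
        pos = m.end()
    return opts

def has_balanced_quotes(rule: str) -> bool:
    try:
        return bool(parse_options(rule))
    except ValueError:
        return False

def decode_content(value: str) -> bytes:
    # Expand |hex| blocks and backslash escapes of a Snort content string.
    parts = re.split(r"\|([0-9A-Fa-f ]*)\|", value.strip('"'))
    return b"".join(bytes.fromhex(p) if i % 2 else re.sub(r"\\(.)", r"\1", p).encode("latin-1")
                    for i, p in enumerate(parts))

def fast_pattern_bytes(rule: str) -> bytes:
    # Bytes that fast_pattern:offset,length selects from the content it follows.
    last = b""
    for key, val in parse_options(rule):
        if key == "content":
            last = decode_content(val)
        elif key == "fast_pattern" and "," in val:
            off, length = (int(x) for x in val.split(","))
            return last[off:off + length]
    return b""

CHOPSTICK_V2 = (  # Kevin's Version 2 rule with the closing quote after |3B| restored
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Chopstick.APT28 '
    'Version 2 CnC Beacon"; flow:established,to_server; content:"POST"; http_method; '
    'content:"/search/?"; http_uri; content:"&ai="; http_uri; content:"User-Agent|3A| '
    'Mozilla/5.0 (Windows NT 6.|3B| WOW64|3B|"; http_header; fast_pattern:24,16; '
    'classtype:trojan-activity; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; sid:139922; rev:1;)'
)
# The same rule exactly as posted upthread, with that closing quote missing.
CHOPSTICK_V2_AS_POSTED = CHOPSTICK_V2.replace('|3B|"; http_header', '|3B|; http_header')
```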
Jake Warren | 28 Oct 19:29 2014

APT28 & Sofacy Community Sigs

Thought I would share these just in case you guys hadn't seen them yet.

APT28 sigs from @da_667:
http://pastebin.com/91sEPnJ7

Sofacy sigs from PWC:
http://pwc.blogs.com/files/tactical-intelligence-bulletin---sofacy-phishing-.pdf

Regards,
Jake Warren
Jake Warren | 28 Oct 19:26 2014

Sweet Orange Redirect Sig

Thanks to Brad (@malware_traffic) for the analysis.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Sweet Orange redirection 27 October 2014"; flow:to_client,established; file_data; content:"main_request_data_content=|27|"; pcre:"/[^0-9a-f]{1,3}6\D?8[^0-9a-f]{1,3}7\D?4[^0-9a-f]{1,3}7\D?4[^0-9a-f]{1,3}7\D?0[^0-9a-f]{1,3}3\D?a/Ri"; flowbits:set,et.exploitkitlanding; reference:url,malware-traffic-analysis.net/2014/10/27/index2.html; classtype:trojan-activity; sid:xxxx; rev:1;)

Regards,
Jake Warren
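Added decoder, not from Jake's post or Brad's analysis: it applies the rule's content-then-pcre sequence in Python (the pcre searched from the end of the content match, as Snort's R flag does) to a constructed landing-page snippet, then strips the separators and unhexes the matched value to show the "http:" the 68 74 74 70 3a digit pairs hide.

```python
import re

# Constructed snippet in the shape the rule targets (not a captured landing page):
# the redirect target is written as escaped hex, so "http:" appears as 68 74 74 70 3a.
SAMPLE_LANDING = (
    b"<script>var main_request_data_content='\\x68\\x74\\x74\\x70\\x3a\\x2f\\x2f"
    b"\\x65\\x78\\x61\\x6d\\x70\\x6c\\x65\\x2e\\x74\\x65\\x73\\x74';</script>"
)

ANCHOR = b"main_request_data_content='"   # the rule's content match, |27| being the quote
# The rule's pcre verbatim: 1-3 non-hex separator bytes before each hex pair of
# "http:", with an optional non-digit allowed between the two nibbles (\D?).
HEX_HTTP = re.compile(
    rb"[^0-9a-f]{1,3}6\D?8[^0-9a-f]{1,3}7\D?4[^0-9a-f]{1,3}7\D?4"
    rb"[^0-9a-f]{1,3}7\D?0[^0-9a-f]{1,3}3\D?a",
    re.IGNORECASE,
)

def rule_match(body: bytes):
    """Content match first, then the pcre searched from where it ended (Snort's R)."""
    idx = body.find(ANCHOR)
    if idx < 0:
        return None
    return HEX_HTTP.search(body, idx + len(ANCHOR))

def decode_target(body: bytes) -> bytes:
    """Strip the separators from the quoted value and unhex it to recover the URL."""
    m = rule_match(body)
    if m is None:
        return b""
    end = body.index(b"'", m.start())
    digits = re.sub(rb"[^0-9a-f]", b"", body[m.start():end], flags=re.IGNORECASE)
    return bytes.fromhex(digits.decode("ascii"))
```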
Russell Fulton | 28 Oct 19:21 2014

Re: [Etpro-sigs] FP? ETPRO TROJAN Win32/Wysotot.G Checkin 2808522


> On 29/10/2014, at 2:30 am, Darien Huss <dhuss@...> wrote:
> 
> This rule is actually hitting on intended traffic. Here are related AV names:
> 
> PUP/Win32.Amonetiz
> PUP.Optional.SearchHijacker.A

Do you have captures that we can compare?

I am not 100% sure that they are FPs, but there are quite a few machines scattered right across the network that are tickling that sig.

Russell
Cooper F. Nelson | 28 Oct 03:54 2014

ET Sig for DNSCrypt detection?


So I saw some weird UDP port 53 traffic today:

> U 2014/10/28 02:28:07.564198 132.239.163.53:56791 -> 77.234.40.92:53
> 7PYqwfzt90.b.....P......S....:...'N..g./6.$.....;].y.|"..

Turns out the "7PYqwfzt" string is the CERT magic header for something
called DNSCrypt:

> https://github.com/Cofyc/dnscrypt-wrapper/blob/master/cert.h

More details here:

http://dnscrypt.org/

Not sure if it's malicious or not at the moment, but a POLICY sig would
probably be useful.  Also not sure what the best approach for a
signature would be, hence I'm asking the experts!

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson@... x41042
Russell Fulton | 27 Oct 21:35 2014

FP: ET FTP Suspicious Quotation Mark Usage in FTP Username 2011488

This triggered on a *password* that started with a “.

USER anonymous..
PASS "07&0;&0"..

Put a !<CRLF>  ??

R

