Francis Trudeau | 2 Apr 00:02 2015

Daily Ruleset Update Summary 2015/04/01

 [***] Summary: [***]

 2 new Open signatures, 29 new Pro (2 + 27). Dridex, PoisonIvy, Win32/Meredrop.

 Thanks: Cooper Nelson, Kevin Ross and @rmkml.

 [+++]          Added rules:          [+++]

  2020825 - ET TROJAN Dridex POST Retrieving Second Stage M2 (trojan.rules)
  2020826 - ET CURRENT_EVENTS Potential Dridex.Maldoc Minimal Executable Request (current_events.rules)

 Pro:

  2810386 - ETPRO MOBILE_MALWARE Android.Trojan.InfoStealer.EU Checkin (mobile_malware.rules)
  2810387 - ETPRO TROJAN CoinMiner Known malicious stratum authline (15md2Xg6ET82CJ2NBGMaUcK7c3jT38Tat2) (trojan.rules)
  2810388 - ETPRO TROJAN CoinMiner Known malicious stratum authline (475a0c00) (trojan.rules)
  2810389 - ETPRO TROJAN CoinMiner Known malicious stratum authline (47925a00) (trojan.rules)
  2810390 - ETPRO TROJAN CoinMiner Known malicious stratum authline (479fbe05) (trojan.rules)
  2810391 - ETPRO TROJAN CoinMiner Known malicious stratum authline (47f9ba00) (trojan.rules)
  2810392 - ETPRO TROJAN CoinMiner Known malicious stratum authline (48aef002) (trojan.rules)
  2810393 - ETPRO TROJAN CoinMiner Known malicious stratum authline (47441400) (trojan.rules)

Jack Mott | 1 Apr 22:25 2015

Win32/LockScreen.BW Ransomware Sigs

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/LockScreen.BW Payment Info"; flow:established,to_server; content:"POST"; http_method; content:"Referer|3a| http|3a|//mysticnews.ru"; http_header; content:"User-Agent|3a| Mozilla/5.0 (Windows NT 6.1|3b| rv|3a|11.0)"; http_header; content:"spShopId="; http_client_body; content:"&spShopPaymentId="; fast_pattern; http_client_body; distance:0; content:"&spCurrency="; http_client_body; distance:0; reference:md5,c74d4633e0593879d5e1321d9021e708; classtype:trojan-activity; sid:111111111; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/LockScreen.BW Payment Info 2"; flow:established,to_server; content:"POST"; http_method; content:"Referer|3a| http|3a|//mysticnews.ru"; http_header; content:"User-Agent|3a| Mozilla/5.0 (Windows NT 6.1|3b| rv|3a|11.0)"; http_header; content:"action=showPaymentForm&"; fast_pattern:3,20; http_client_body; content:"psAgreement="; http_client_body; distance:0; content:"&paymentSystemId="; http_client_body; distance:0;  reference:md5,c74d4633e0593879d5e1321d9021e708; classtype:trojan-activity; sid:111111112; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/LockScreen.BW Checkin"; flow:established,to_server; content:"POST"; http_method; content:"Referer|3a| http|3a|//mysticnews.ru"; http_header; content:"User-Agent|3a| Mozilla/5.0 (Windows NT 6.1|3b| rv|3a|11.0)"; http_header; content:"locker_ver="; fast_pattern; http_client_body; content:"&i_firstboot="; http_client_body; distance:0; content:"&harddiskserial="; http_client_body; distance:0; reference:md5,c74d4633e0593879d5e1321d9021e708; classtype:trojan-activity; sid:111111113; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External IP Lookup - Bravica"; flow:established,to_server; content:"POST"; http_method; content:"Host|3a 20|www.bravica.net|0d 0a|"; http_header; content:"name="; http_client_body; content:"&cmd="; http_client_body; distance:0; classtype:policy-violation; sid:111111114; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External IP Lookup - ip-whois"; flow:established,to_server; content:"Host|3A 20|ip-whois.net|0d 0a|"; http_header; classtype:policy-violation; sid:111111115; rev:1;)

--
Jack Mott
http://www.malwarefor.me
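The three LockScreen.BW rules above all hinge on an ordered `http_client_body` chain (`content:A; content:B; distance:0; content:C; distance:0;`). The following is an added example, not code from the post or from Emerging Threats: a small emulator of that chain so a candidate POST body can be checked against the body part of a rule offline. The chains are copied from the rules; the sample bodies and their field values are constructed placeholders, and `chain_offsets` / `classify` are names chosen for this example.

```python
from typing import Optional, Sequence

# Added example, not code from the original post: emulates the ordered
# http_client_body content chain of the LockScreen.BW rules so constructed
# POST bodies can be checked against the body part of a rule offline.

# Body content chains copied from the three LockScreen.BW rules.
LOCKSCREEN_CHAINS = {
    "Payment Info":   (b"spShopId=", b"&spShopPaymentId=", b"&spCurrency="),
    "Payment Info 2": (b"action=showPaymentForm&", b"psAgreement=", b"&paymentSystemId="),
    "Checkin":        (b"locker_ver=", b"&i_firstboot=", b"&harddiskserial="),
}


def chain_offsets(body: bytes, chain: Sequence[bytes]) -> Optional[list]:
    """Emulate `content:A; content:B; distance:0; content:C; distance:0;`.

    The first content may occur anywhere in the body; each later content must
    begin at or after the end of the previous match (distance:0 relative to
    the previous match). Because the chain only carries lower bounds (no
    within:), taking the earliest occurrence of each content is sufficient.
    Returns the start offset of every matched content, or None on failure.
    """
    offsets = []
    pos = 0
    for needle in chain:
        idx = body.find(needle, pos)
        if idx == -1:
            return None
        offsets.append(idx)
        pos = idx + len(needle)
    return offsets


def chain_matches(body: bytes, chain: Sequence[bytes]) -> bool:
    return chain_offsets(body, chain) is not None


def classify(body: bytes) -> list:
    """Names of the rules whose body chain matches this body."""
    return [name for name, chain in LOCKSCREEN_CHAINS.items() if chain_matches(body, chain)]


# Constructed bodies, not captured traffic; values are placeholders.
SAMPLE_BODIES = {
    # fields in the order the Checkin rule expects
    "checkin_ordered": b"locker_ver=1&i_firstboot=1&harddiskserial=PLACEHOLDER",
    # same fields in a different order: the distance:0 chain cannot line up
    "checkin_reordered": b"harddiskserial=PLACEHOLDER&locker_ver=1&i_firstboot=1",
    "payment": b"spShopId=1&spShopPaymentId=2&spCurrency=USD",
    "benign_login": b"username=alice&action=login",
}


if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        print(f"{name:<18} -> {classify(body) or 'no match'}")
```

The reordered check-in body is the case worth noting: every field the rule names is present, but because the rule ties the contents together with `distance:0`, a body that carries the same keys in a different order does not fire. That is deliberate in a signature (it keys on the malware's fixed serialisation order) but it is also the first thing to re-verify when a sample stops alerting.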
Cooper F. Nelson | 1 Apr 20:31 2015

False-positives for TROJAN Alureon CnC Beacon


Seeing lots of FP's for sid 2810276 and 360.cn traffic:

From the packet capture:

> POST /midinfo.php HTTP/1.1.
> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; .NET CLR 3.5.21022).
> Host: pq.f.360.cn.
> Content-Length: 229.
> Cache-Control: no-cache.
> Cookie: __guid=132730903.1172541301216024600.1396291217840.303; __huid=10fmlFhZe4E7OHtUiG4jWyV%2BZ7cdD3Np1IDr0w0P%2FxxCc%3D.
> .

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson@... x41042
Kevin Ross | 1 Apr 15:30 2015

SIG: ET TROJAN Dridex POST Retrieving Second Stage 2

As far as I can tell there is no signature that fired on the initial Dridex CnC traffic in the ET open signatures. Also they have fixed their typo/mistake of having a host like "Host: AdaZ02 edu" (a space instead of a full stop), so now the signature ET TROJAN Dridex POST Retrieving Second Stage no longer works.

I tested and the byte_extract stuff from some of the other open signatures still works (sid 2020301) although this signature no longer works on the latest Dridex traffic either.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dridex POST Retrieving Second Stage 2"; flow:established,to_server; content:"POST"; http_method; content:"POST / HTTP/1.1"; fast_pattern:only; content:"Referer|3A| http"; http_header; pcre:"/Referer\x3A\x20(http|https)\x3A\x2F\x2F(www\x2Ebing|youtube|www\x2Egoogle|www\x2Eaol|yahoo)\x2Ecom\x2F\x0D\x0A/H"; content:"Host|3A| "; http_header; pcre:"/[a-z0-9]{3,20}\x2E[a-z]{2,4}/RHi"; content:"|0d 0a 0d 0a|"; byte_extract:1,0,Dridex.Pivot,relative; classtype:trojan-activity; reference:md5,2f87493d623c2a989ebca89c55f76646; sid:1671221; rev:1;)

I will provide PCAP off list to ET guys.

Kind Regards,
Kevin Ross
Kevin Ross | 1 Apr 13:06 2015

SIG: ET CURRENT_EVENTS Potential Dridex.Maldoc Minimal Executable Request

Hi,

as the user agent and small details are changing daily I have written this signature, although it is not finished. On the PCRE it has Host\x3A\x20[^\r\n]*\x0D\x0A. I want that to have an additional \x0D\x0A at the end as this is the end of the header, but every time I add this the signature no longer fires.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Potential Dridex.Maldoc Minimal Executable Request"; flow:established,to_server; content:".exe"; http_uri; urilen:<40; pcre:"/^\x2F[a-z0-9\/]{1,36}\x2Eexe$/Ui"; content:!"Mozilla/"; http_header; content:!"Referer|3A|"; http_header; content:!"Accept|3A|"; http_header; content:".exe HTTP/1.1|0D 0A|User-Agent|3A|"; pcre:"/User-Agent\x3A\x20[a-z]{2,30}\x0D\x0AHost\x3A\x20[^\r\n]*\x0D\x0A/Hmi"; classtype:trojan-activity; reference:md5,28208e19a528bfa95e5662e2d6f2e911; reference:md5,bbaa413622d86f737cd1c0423ac7723e; reference:url,blogs.cisco.com/security/dridex-attacks-target-corporate-accounting; sid:156991; rev:1;)

Anyway this is to detect things like the following (with HAZ being today's user agent it seems; this covers other variations too I have seen, including URIs similar to /ijasdijad/asdsaf.exe or whatever).

GET /54/78.exe HTTP/1.1
User-Agent: MisterZALALU
Host: probagep.sandbox.proserver.hu

GET /122/091.exe HTTP/1.1
User-Agent: HAZ
Host: toninox.com.br

GET /122/091.exe HTTP/1.1
User-Agent: HAZ
Host: www.tschoetz.de

Kind Regards,
Kevin Ross
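The question in the post is why the header PCRE stops firing once a second `\x0D\x0A` is appended. The following is an added example, not code from the post or from Emerging Threats: it runs the signature's PCRE, and the variant with the trailing `\x0D\x0A`, over header buffers built from requests modelled on the three samples above, once with the blank line that terminates the headers included and once without. `header_buffer` and `evaluate` are names chosen for this example, and the `haz_host_not_last` request (a `Connection` header after `Host`) is a constructed variant, not one from the post.

```python
import re

# Added example, not code from the original post: shows how the header PCRE
# from the signature behaves once an extra \x0D\x0A is appended, depending on
# whether the buffer it runs over ends with the blank line that terminates
# the headers, and on whether Host is the last header.

# The PCRE from the signature. /H picks the HTTP header buffer in the IDS;
# /m and /i map to re.M and re.I. Python's re is not PCRE, but this pattern
# only uses constructs the two engines share.
HEADER_RE = rb"User-Agent\x3A\x20[a-z]{2,30}\x0D\x0AHost\x3A\x20[^\r\n]*\x0D\x0A"
PCRE_ORIGINAL = re.compile(HEADER_RE, re.I | re.M)
# The variant with the additional \x0D\x0A that is meant to pin the Host line
# to the end of the header block.
PCRE_TRAILING = re.compile(HEADER_RE + rb"\x0D\x0A", re.I | re.M)

# Constructed requests modelled on the samples in the post; the last one is a
# constructed variant with a header after Host.
REQUESTS = {
    "haz_host_last": b"GET /122/091.exe HTTP/1.1\r\nUser-Agent: HAZ\r\n"
                     b"Host: toninox.com.br\r\n\r\n",
    "zalalu_host_last": b"GET /54/78.exe HTTP/1.1\r\nUser-Agent: MisterZALALU\r\n"
                        b"Host: probagep.sandbox.proserver.hu\r\n\r\n",
    "haz_host_not_last": b"GET /122/091.exe HTTP/1.1\r\nUser-Agent: HAZ\r\n"
                         b"Host: toninox.com.br\r\nConnection: close\r\n\r\n",
}


def header_buffer(request: bytes, keep_terminator: bool) -> bytes:
    """Return the header block of a raw request with the request line removed.

    Assumption (this example's model, not a statement about any engine): a
    header buffer starts after the request line and may or may not include
    the empty line that ends the headers; keep_terminator selects which.
    """
    head, _sep, _body = request.partition(b"\r\n\r\n")
    _request_line, _sep, headers = head.partition(b"\r\n")
    headers += b"\r\n"          # CRLF closing the last header line
    if keep_terminator:
        headers += b"\r\n"      # the empty line that ends the header block
    return headers


def evaluate(pattern: re.Pattern) -> dict:
    """Map (sample name, terminator kept?) -> whether the pattern matches."""
    return {
        (name, keep): pattern.search(header_buffer(req, keep)) is not None
        for name, req in REQUESTS.items()
        for keep in (True, False)
    }


if __name__ == "__main__":
    for label, pat in (("original", PCRE_ORIGINAL), ("with trailing CRLF", PCRE_TRAILING)):
        print(label)
        for (name, keep), hit in evaluate(pat).items():
            print(f"  {name:<18} terminator kept={keep!s:<5} {'match' if hit else 'no match'}")
```

The original PCRE matches in all six cases. The version with the trailing `\x0D\x0A` matches only when the buffer still contains the terminating blank line and `Host` is the last header. So if the buffer the engine hands to the `/H` pattern stops at the CRLF of the last header line, the extra `\x0D\x0A` has nothing to match and the rule goes silent, which is consistent with the behaviour described in the post; the way to confirm it on a given sensor is to inspect the header buffer it builds for one of the captured requests rather than to assume either way.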
Francis Trudeau | 1 Apr 01:13 2015

Daily Ruleset Update Summary 2015/03/31

 [***] Summary: [***]

 19 Open signatures, 41 new Pro (19 + 22).  Dridex, Cedar, Chanitor, Darkleech.

 Thanks: Kevin Ross, black_ip, @kafeine and @malwaresigs.

 [+++]          Added rules:          [+++]

  2020806 - ET CURRENT_EVENTS VBA Office Document Dridex Binary Download User-Agent 2 (current_events.rules)
  2020807 - ET TROJAN Volatile Cedar Win32.Explosive CnC Beacon 1 (trojan.rules)
  2020808 - ET TROJAN Volatile Cedar Win32.Explosive CnC Beacon 2 (trojan.rules)
  2020809 - ET TROJAN Volatile Cedar Win32.Explosive CnC Beacon 3 (trojan.rules)
  2020810 - ET TROJAN Volatile Cedar Win32.Explosive Fake User-Agent (trojan.rules)
  2020811 - ET TROJAN Volatile Cedar Win32.Explosive External IP Leak (trojan.rules)
  2020812 - ET TROJAN Volatile Cedar Win32.Explosive HTTP CnC Beacon 1 (trojan.rules)
  2020813 - ET TROJAN Volatile Cedar Win32.Explosive HTTP CnC Beacon 1 (trojan.rules)
  2020814 - ET TROJAN Volatile Cedar DNS Lookup (saveweb.wink.ws) (trojan.rules)
  2020815 - ET TROJAN Volatile Cedar DNS Lookup (carima2012.site90.com) (trojan.rules)
  2020816 - ET TROJAN Volatile Cedar DNS Lookup (explorerdotnt.info) (trojan.rules)
  2020817 - ET TROJAN Volatile Cedar DNS Lookup (dotnetexplorer.info) (trojan.rules)
  2020818 - ET TROJAN Volatile Cedar DNS Lookup (dotntexplorere.info) (trojan.rules)
  2020819 - ET TROJAN Volatile Cedar DNS Lookup (xploreredotnet.info) (trojan.rules)
  2020820 - ET TROJAN Volatile Cedar DNS Lookup (erdotntexplore.info) (trojan.rules)
  2020821 - ET TROJAN Win32/Hyteod CnC Beacon (trojan.rules)
  2020822 - ET TROJAN HTTP POST to WP Theme Directory Without Referer (trojan.rules)
  2020823 - ET CURRENT_EVENTS VBScript Driveby MAR 31 2015 (current_events.rules)
  2020824 - ET CURRENT_EVENTS VBScript Driveby Related TDS MAR 31 2015 (current_events.rules)

 Pro

  2810364 - ETPRO TROJAN Chanitor .onion Proxy Domain (omi62yc6jtsd2q37) (trojan.rules)
  2810365 - ETPRO TROJAN Win32/Troldesh.A Ransomware External IP Check (trojan.rules)
  2810366 - ETPRO TROJAN Win32/Filecoder.ED Ransomware External IP Check (trojan.rules)
  2810367 - ETPRO TROJAN PoisonIvy Keepalive to CnC 72 (trojan.rules)
  2810368 - ETPRO TROJAN PoisonIvy Keepalive to CnC 73 (trojan.rules)
  2810369 - ETPRO TROJAN PoisonIvy Keepalive to CnC 74 (trojan.rules)
  2810370 - ETPRO CURRENT_EVENTS Darkleech Iframe Injection Detected (current_events.rules)
  2810371 - ETPRO TROJAN CoinMiner Known malicious stratum authline (kolivas.minerdidle) (trojan.rules)
  2810372 - ETPRO TROJAN CoinMiner Known malicious stratum authline (48f0f002) (trojan.rules)
  2810373 - ETPRO TROJAN CoinMiner Known malicious stratum authline (4770b005) (trojan.rules)
  2810374 - ETPRO TROJAN CoinMiner Known malicious stratum authline (47918a05) (trojan.rules)
  2810375 - ETPRO TROJAN CoinMiner Known malicious stratum authline (plusrevenue.1) (trojan.rules)
  2810376 - ETPRO TROJAN CoinMiner Known malicious stratum authline (47667803) (trojan.rules)
  2810377 - ETPRO TROJAN CoinMiner Known malicious stratum authline (grtsrty.DOGE_3) (trojan.rules)
  2810378 - ETPRO TROJAN CoinMiner Known malicious stratum authline (abd62c252e784714) (trojan.rules)
  2810379 - ETPRO TROJAN CoinMiner Known malicious stratum authline (00a87330) (trojan.rules)
  2810380 - ETPRO TROJAN CoinMiner Known malicious stratum authline (3c2f9a01) (trojan.rules)
  2810381 - ETPRO TROJAN CoinMiner Known malicious stratum authline (tamaran.3) (trojan.rules)
  2810382 - ETPRO TROJAN CoinMiner Known malicious stratum authline (3d812000) (trojan.rules)
  2810383 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.SMSreg.kh Checkin 2 (mobile_malware.rules)
  2810384 - ETPRO TROJAN Win32/Anti2014 Checkin via HTTP CONNECT (trojan.rules)
  2810385 - ETPRO TROJAN Win32/Lacam.A Checkin (trojan.rules)

 [///]     Modified active rules:     [///]

  2018452 - ET TROJAN CryptoWall Check-in (trojan.rules)
  2018867 - ET TROJAN MultiPlug.A checkin (trojan.rules)
  2020801 - ET TROJAN Skyfall fake Skype install link (trojan.rules)
  2806873 - ETPRO TROJAN Rogue.Win32/FakeRean Checkin 3 (trojan.rules)
  2808570 - ETPRO TROJAN Win32.Sisron.B Checkin 2 (trojan.rules)
  2809564 - ETPRO TROJAN Win32/Zemot Checkin 2 (trojan.rules)
  2810058 - ETPRO TROJAN Dridex POST Retrieving Second Stage M2 (trojan.rules)
  2810290 - ETPRO TROJAN NanoCore RAT Keepalive Response 2 (trojan.rules)

 [///]    Modified inactive rules:    [///]

  2801246 - ETPRO POLICY 51.la related free stats service on off port - often malware related (policy.rules)

 [---]  Disabled and modified rules:  [---]

  2017666 - ET CURRENT_EVENTS Nuclear EK JAR URI Struct Nov 05 2013 (current_events.rules)
  2017812 - ET CURRENT_EVENTS Safe/CritX/FlashPack URI with Windows Plugin-Detect Data (current_events.rules)
Packet Hack | 31 Mar 21:50 2015

Hits to Hyteod/NanoCore sigs

Anyone seeing hits to these together?

  2810159/ETPRO TROJAN Win32/Hyteod Initial CnC Beacon Response
  2810288/ETPRO TROJAN NanoCore RAT Keepalive 1

Hard to find info on these, can't tell if they're legit or
some lousy p2p program generating falses.

All hits to 198.252.160.0/24 .

-- pckthck
Packet Hack | 31 Mar 20:02 2015

Sality sigs

So these are named nearly identically:

  2018867/ET TROJAN Win32.Sality.3 checkin
  2020505/ET TROJAN Win32.Sality.3 Checkin

Any chance we could differentiate a little more?

Also, 2020505 seems to be falsing on some kind
of binary download

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Sality.3 Checkin"; flow:to_server,established; content:"/?f"; http_uri; fast_pattern:only; content:!"User-Agent|3a| "; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; content:!"Cache-Control|3a 20|"; http_header; pcre:"/\/\?f$/U"; reference:md5,df9516919e75853742e63db318e7d346; classtype:trojan-activity; sid:2020505; rev:1;)

Binary output (hex/chr format) attached. Note the content "/?f" exists,
but doesn't seem to be part of a URI.

Snort 2.9.7.0, fwiw.

-- pckthck
0f2   09c   0f4   0b3     x     A   0ab   00a     x   0fa     $     ^   090   0c2   0de   08c   
  c   0c7   099   0f1     Q   0bc   0e0   0ca     P     w   01b   00f   0f0   002     Y     f   
0d7     9   0f2   0df   0e7   005   0e8     s     ,   0fd   0b0     6     {   0ad   0bf   00c   
  [   08e   003   0f6     S   001   0df   0ed     ;   0ff     .   09f   0c1     {     T   0ef   
0f1   019     U     F   0e9   0b4     o     |   0e9   0ff   0ea   0fa   004   09d     =     X   
015   0da   0ea   0bc     =     /     ?     f   00d   081   0ae   0ce   09a   087   0f5   09b   
[...binary continues...]
Kevin Ross | 31 Mar 11:29 2015

SIG: ET CURRENT_EVENTS Dridex.Maldoc Payload Download User Agent Detected - 31/3/15 Campaign

Seen in Dridex documents from yesterday & Today.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Dridex.Maldoc Payload Download User Agent Detected - 31/3/15 Campaign"; flow:established,to_server; content:"User-Agent|3A| MisterZALALU"; http_header; fast_pattern:12,12; classtype:trojan-activity; reference:md5,2f53b7669482c2d9216a74050630fbb7; sid:156991; rev:1;)


Kind Regards,
Kevin Ross
Francis Trudeau | 31 Mar 00:58 2015

Daily Ruleset Update Summary 2015/03/30

 [***] Results from Oinkmaster started Mon Mar 30 18:49:45 2015 [***]

 5 new Open signatures, 66 new Pro (5 + 61).  Angler EK, PoisonIvy, Skyfall.

 Thanks: Eoin Miller and @abuse_ch.

 [+++]          Added rules:          [+++]

 Open:

  2020801 - ET TROJAN Skyfall fake Skype install link (trojan.rules)
  2020802 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC) (trojan.rules)
  2020803 - ET CURRENT_EVENTS GoogleFile - Creds Phished (current_events.rules)
  2020804 - ET POLICY Remote Access - RView - Host - *.rview.com (policy.rules)
  2020805 - ET POLICY Remote Access - RView - SSL Certificate Seen (policy.rules)

 Pro:

  2810302 - ETPRO TROJAN Win32/SkyDll.A Checkin (trojan.rules)
  2810303 - ETPRO TROJAN Backdoor.Insidious Checkin (trojan.rules)
  2810304 - ETPRO TROJAN Backdoor.Win32.Gobap.A Check-in 1 (trojan.rules)
  2810305 - ETPRO TROJAN Backdoor.Win32.Gobap.A Check-in 2 (trojan.rules)
  2810306 - ETPRO MOBILE_MALWARE Android-Spyware/SmsReg Checkin (mobile_malware.rules)
  2810307 - ETPRO TROJAN PoisonIvy Keepalive to CnC 47 (trojan.rules)
  2810308 - ETPRO TROJAN PoisonIvy Keepalive to CnC 48 (trojan.rules)
  2810309 - ETPRO TROJAN PoisonIvy Keepalive to CnC 49 (trojan.rules)
  2810310 - ETPRO TROJAN PoisonIvy Keepalive to CnC 50 (trojan.rules)
  2810311 - ETPRO TROJAN PoisonIvy Keepalive to CnC 51 (trojan.rules)
  2810312 - ETPRO TROJAN PoisonIvy Keepalive to CnC 52 (trojan.rules)
  2810313 - ETPRO TROJAN PoisonIvy Keepalive to CnC 53 (trojan.rules)
  2810314 - ETPRO TROJAN PoisonIvy Keepalive to CnC 54 (trojan.rules)
  2810315 - ETPRO TROJAN PoisonIvy Keepalive to CnC 55 (trojan.rules)
  2810316 - ETPRO TROJAN PoisonIvy Keepalive to CnC 56 (trojan.rules)
  2810317 - ETPRO TROJAN PoisonIvy Keepalive to CnC 57 (trojan.rules)
  2810318 - ETPRO TROJAN PoisonIvy Keepalive to CnC 58 (trojan.rules)
  2810319 - ETPRO TROJAN PoisonIvy Keepalive to CnC 59 (trojan.rules)
  2810320 - ETPRO TROJAN PoisonIvy Keepalive to CnC 60 (trojan.rules)
  2810321 - ETPRO TROJAN PoisonIvy Keepalive to CnC 61 (trojan.rules)
  2810322 - ETPRO TROJAN PoisonIvy Keepalive to CnC 62 (trojan.rules)
  2810323 - ETPRO TROJAN PoisonIvy Keepalive to CnC 63 (trojan.rules)
  2810324 - ETPRO TROJAN PoisonIvy Keepalive to CnC 64 (trojan.rules)
  2810325 - ETPRO TROJAN PoisonIvy Keepalive to CnC 65 (trojan.rules)
  2810326 - ETPRO TROJAN PlugX Related Checkin (trojan.rules)
  2810328 - ETPRO CURRENT_EVENTS Angler EK Landing T1 March 30 2015 M2 (current_events.rules)
  2810329 - ETPRO CURRENT_EVENTS Angler EK Landing T1 March 30 2015 M2 (current_events.rules)
  2810330 - ETPRO CURRENT_EVENTS Angler EK Flash T1 March 30 2015 M2 (current_events.rules)
  2810331 - ETPRO CURRENT_EVENTS Angler EK Flash T1 March 30 2015 M3 (current_events.rules)
  2810332 - ETPRO CURRENT_EVENTS Angler EK SilverLight T1 March 30 2015 M2 (current_events.rules)
  2810333 - ETPRO CURRENT_EVENTS Angler EK Payload T1 March 30 2015 M2 (current_events.rules)
  2810334 - ETPRO CURRENT_EVENTS Angler EK Landing T1 March 30 2015 M2 Trans (current_events.rules)
  2810335 - ETPRO CURRENT_EVENTS Angler EK Landing T1 March 30 2015 M2 Trans (current_events.rules)
  2810336 - ETPRO CURRENT_EVENTS Angler EK Flash T1 March 30 2015 M2 Trans (current_events.rules)
  2810337 - ETPRO CURRENT_EVENTS Angler EK Flash T1 March 30 2015 M3 Trans (current_events.rules)
  2810338 - ETPRO CURRENT_EVENTS Angler EK SilverLight T1 March 30 2015 M2 Trans (current_events.rules)
  2810339 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.rc Checkin (mobile_malware.rules)
  2810340 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.SMSreg.fz Checkin 2 (mobile_malware.rules)
  2810341 - ETPRO MOBILE_MALWARE Android/Monitor.SpyTimetunnel.A Checkin (mobile_malware.rules)
  2810342 - ETPRO TROJAN CoinMiner Known malicious stratum authline (mylover2009.1) (trojan.rules)
  2810343 - ETPRO TROJAN CoinMiner Known malicious stratum authline (16142) (trojan.rules)
  2810344 - ETPRO TROJAN CoinMiner Known malicious stratum authline (schizyk.1) (trojan.rules)
  2810345 - ETPRO TROJAN CoinMiner Known malicious stratum authline (474f5401) (trojan.rules)
  2810346 - ETPRO TROJAN CoinMiner Known malicious stratum authline (4746e202) (trojan.rules)
  2810347 - ETPRO TROJAN CoinMiner Known malicious stratum authline (8d18-364a-0842-6e76) (trojan.rules)
  2810348 - ETPRO TROJAN CoinMiner Known malicious stratum authline (DeBil.1) (trojan.rules)
  2810349 - ETPRO TROJAN CoinMiner Known malicious stratum authline (Po9TR8rvjZZJ1svz8kCfsFTiUr1uY3kR1x) (trojan.rules)
  2810350 - ETPRO TROJAN CoinMiner Known malicious stratum authline (2d4dd3c812da2eb2) (trojan.rules)
  2810351 - ETPRO TROJAN CoinMiner Known malicious stratum authline (4746b801) (trojan.rules)
  2810352 - ETPRO TROJAN CoinMiner Known malicious stratum authline (47b50c02) (trojan.rules)
  2810353 - ETPRO CURRENT_EVENTS Angler EK Payload T1 March 30 2015 M2 Trans (current_events.rules)
  2810354 - ETPRO TROJAN Win32/Spy.Shiz SSL Cert (trojan.rules)
  2810355 - ETPRO POLICY DNS Query to .onion proxy Domain (79fhdm16.com) (policy.rules)
  2810356 - ETPRO POLICY DNS Query to .onion proxy Domain (42k2bu15.com) (policy.rules)
  2810357 - ETPRO TROJAN PoisonIvy Keepalive to CnC 66 (trojan.rules)
  2810358 - ETPRO TROJAN PoisonIvy Keepalive to CnC 67 (trojan.rules)
  2810359 - ETPRO TROJAN PoisonIvy Keepalive to CnC 68 (trojan.rules)
  2810360 - ETPRO TROJAN PoisonIvy Keepalive to CnC 69 (trojan.rules)
  2810361 - ETPRO TROJAN PoisonIvy Keepalive to CnC 70 (trojan.rules)
  2810362 - ETPRO TROJAN PoisonIvy Keepalive to CnC 71 (trojan.rules)
  2810363 - ETPRO CURRENT_EVENTS Malicious Redirect Leading to EK March 30 2015 (current_events.rules)

 [///]     Modified active rules:     [///]

  2019378 - ET TROJAN Gozi Checkin (trojan.rules)
  2809271 - ETPRO TROJAN Win32.Staser variant Checkin (trojan.rules)
Francis Trudeau | 29 Mar 01:27 2015

Daily Ruleset Update Summary 2015/03/28

 [***] Summary: [***]

 23 new Open signatures.  PCRat/Gh0st CnC traffic (OUTBOUND) 77-99.

 [+++]          Added rules:          [+++]

  2020778 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 77 (trojan.rules)
  2020779 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 78 (trojan.rules)
  2020780 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 79 (trojan.rules)
  2020781 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 80 (trojan.rules)
  2020782 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 81 (trojan.rules)
  2020783 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 82 (trojan.rules)
  2020784 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 83 (trojan.rules)
  2020785 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 84 (trojan.rules)
  2020786 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 85 (trojan.rules)
  2020787 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 86 (trojan.rules)
  2020788 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 87 (trojan.rules)
  2020789 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 88 (trojan.rules)
  2020790 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 89 (trojan.rules)
  2020791 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 90 (trojan.rules)
  2020792 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 91 (trojan.rules)
  2020793 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 92 (trojan.rules)
  2020794 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 93 (trojan.rules)
  2020795 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 94 (trojan.rules)
  2020796 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 95 (trojan.rules)
  2020797 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 96 (trojan.rules)
  2020798 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 97 (trojan.rules)
  2020799 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 98 (trojan.rules)
  2020800 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 99 (trojan.rules)
