Kevin Ross | 26 Mar 10:14 2015

SIG: ET CURRENT_EVENTS VBA Office Document Dridex Binary Download User-Agent

Saw this today in a Dridex downloader. I couldn't get the payload to actually run in Cuckoo, though, as it kept crashing, but there is an analysis here and it looks like normal Dridex CnC patterns that are already covered fine: https://www.hybrid-analysis.com/sample/7bcb0abcfbea20ecfe31d8dd65146b8b1ffd0d81479d11dc329b2f99e263bd78?environmentId=1

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS VBA Office Document Dridex Binary Download User-Agent"; flow:established,to_server; content:"User-Agent|3A| KAII"; http_header; fast_pattern:only; pcre:"/User\x2DAgent\x3A\x20KAII\d{4,}/H"; classtype:trojan-activity; reference:md5,cb2903c89d60947fa4badec41e065d71; sid:156601; rev:1;)


Kind Regards,
Kevin Ross
Francis Trudeau | 26 Mar 01:08 2015

Daily Ruleset Update Summary 2015/03/23

 [***] Summary: [***]

 12 new Open signatures, 62 new Pro (12 + 50).  Chroject.B, PoisonIvy,
Win32.SysUpdater, Linux.Flooder.Agent.

 Thanks:   <at> abuse_ch.

 [+++]          Added rules:          [+++]

 Open:

  2020745 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (KINS CnC) (trojan.rules)
  2020746 - ET TROJAN Win32.Chroject.B Retrieving encoded payload (trojan.rules)
  2020747 - ET TROJAN Win32.Chroject.B Requesting ClickFraud Commands
from CnC (trojan.rules)
  2020748 - ET TROJAN Win32.Chroject.B Receiving ClickFraud Commands
from CnC 1 (trojan.rules)
  2020749 - ET TROJAN Win32.Chroject.B Receiving ClickFraud Commands
from CnC 2 (trojan.rules)
  2020750 - ET TROJAN Win32.Chroject.B ClickFraud Request (trojan.rules)
  2020751 - ET EXPLOIT Metasploit Plugin-Detect Posting Data 4 (exploit.rules)
  2020752 - ET EXPLOIT Metasploit Plugin-Detect Posting Data 5 (exploit.rules)
  2020753 - ET EXPLOIT Metasploit Plugin-Detect Posting Data 6 (exploit.rules)
  2020754 - ET EXPLOIT Metasploit Plugin-Detect Posting Data 7 (exploit.rules)
  2020755 - ET EXPLOIT Metasploit Browser Exploit Server Plugin Detect
2 (exploit.rules)
  2020756 - ET WEB_CLIENT Firefox Proxy Prototype RCE Attempt
(CVE-2014-8636) (web_client.rules)

 Pro:

  2810191 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.em
Checkin (mobile_malware.rules)
  2810192 - ETPRO TROJAN Linux.DDoS Variant Checkin (trojan.rules)
  2810193 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(47472801) (trojan.rules)
  2810194 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(47ecd201) (trojan.rules)
  2810195 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(48026404) (trojan.rules)
  2810196 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(Freak1337.1) (trojan.rules)
  2810197 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(4764d805) (trojan.rules)
  2810198 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(48104404) (trojan.rules)
  2810199 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(mRXbrEB37ZXrXHmc8iymQB5QDGFocXE9bY) (trojan.rules)
  2810200 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(47232601) (trojan.rules)
  2810201 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(458e3600) (trojan.rules)
  2810202 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(pioner.1) (trojan.rules)
  2810203 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(DontStopProcess.1) (trojan.rules)
  2810204 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(48dc3800) (trojan.rules)
  2810205 - ETPRO TROJAN PoisonIvy Keepalive to CnC 1 (trojan.rules)
  2810206 - ETPRO TROJAN PoisonIvy Keepalive to CnC 2 (trojan.rules)
  2810207 - ETPRO TROJAN PoisonIvy Keepalive to CnC 3 (trojan.rules)
  2810208 - ETPRO TROJAN PoisonIvy Keepalive to CnC 4 (trojan.rules)
  2810209 - ETPRO TROJAN PoisonIvy Keepalive to CnC 5 (trojan.rules)
  2810210 - ETPRO TROJAN PoisonIvy Keepalive to CnC 6 (trojan.rules)
  2810211 - ETPRO TROJAN PoisonIvy Keepalive to CnC 7 (trojan.rules)
  2810212 - ETPRO TROJAN PoisonIvy Keepalive to CnC 8 (trojan.rules)
  2810213 - ETPRO TROJAN PoisonIvy Keepalive to CnC 9 (trojan.rules)
  2810214 - ETPRO TROJAN PoisonIvy Keepalive to CnC 10 (trojan.rules)
  2810215 - ETPRO TROJAN PoisonIvy Keepalive to CnC 11 (trojan.rules)
  2810216 - ETPRO TROJAN PoisonIvy Keepalive to CnC 12 (trojan.rules)
  2810217 - ETPRO TROJAN PoisonIvy Keepalive to CnC 13 (trojan.rules)
  2810218 - ETPRO TROJAN PoisonIvy Keepalive to CnC 14 (trojan.rules)
  2810219 - ETPRO TROJAN PoisonIvy Keepalive to CnC 15 (trojan.rules)
  2810220 - ETPRO TROJAN PoisonIvy Keepalive to CnC 16 (trojan.rules)
  2810221 - ETPRO TROJAN PoisonIvy Keepalive to CnC 17 (trojan.rules)
  2810222 - ETPRO TROJAN PoisonIvy Keepalive to CnC 18 (trojan.rules)
  2810223 - ETPRO TROJAN PoisonIvy Keepalive to CnC 19 (trojan.rules)
  2810224 - ETPRO TROJAN PoisonIvy Keepalive to CnC 20 (trojan.rules)
  2810225 - ETPRO TROJAN PoisonIvy Keepalive to CnC 21 (trojan.rules)
  2810226 - ETPRO TROJAN PoisonIvy Keepalive to CnC 22 (trojan.rules)
  2810227 - ETPRO TROJAN PoisonIvy Keepalive to CnC 23 (trojan.rules)
  2810228 - ETPRO TROJAN PoisonIvy Keepalive to CnC 24 (trojan.rules)
  2810229 - ETPRO TROJAN PoisonIvy Keepalive to CnC 25 (trojan.rules)
  2810230 - ETPRO TROJAN PoisonIvy Keepalive to CnC 26 (trojan.rules)
  2810231 - ETPRO TROJAN PoisonIvy Keepalive to CnC 27 (trojan.rules)
  2810232 - ETPRO TROJAN PoisonIvy Keepalive to CnC 28 (trojan.rules)
  2810233 - ETPRO TROJAN PoisonIvy Keepalive to CnC 29 (trojan.rules)
  2810234 - ETPRO MOBILE_MALWARE PUP Android/Flexion.A Checkin
(mobile_malware.rules)
  2810235 - ETPRO TROJAN Win32.SysUpdater Config Download (trojan.rules)
  2810236 - ETPRO TROJAN Win32.SysUpdater Scanning External Sites (trojan.rules)
  2810237 - ETPRO TROJAN Linux/Zanich.B Checkin (trojan.rules)
  2810238 - ETPRO TROJAN Win32.Hyteod.acox Conn Check (trojan.rules)
  2810239 - ETPRO TROJAN Win32/Spy.Bizzana.A Checkin (trojan.rules)
  2810240 - ETPRO TROJAN Linux.Flooder.Agent Checkin (trojan.rules)

 [///]     Modified active rules:     [///]

  2017810 - ET EXPLOIT Metasploit Browser Exploit Server Plugin Detect
(exploit.rules)
  2807230 - ETPRO TROJAN Reveton Checkin (trojan.rules)
  2807232 - ETPRO TROJAN Trojan.Agent.29683 PDF Checkin (trojan.rules)
  2808393 - ETPRO MOBILE_MALWARE Android/Fakeinst.HX Checkin
(mobile_malware.rules)
  2809182 - ETPRO MALWARE Win32.Adware.MediaGet.A Checkin (malware.rules)

 [---]         Removed rules:         [---]

  2809336 - ETPRO TROJAN Win32/Kryptik.CQDL Checkin (trojan.rules)
  2809654 - ETPRO MALWARE Win32.Chroject.B Checkin (malware.rules)
Kevin Ross | 25 Mar 23:23 2015

SIG: ET TROJAN W32/Emotet.P CnC Beacon

Hi,

Here is a sig for Emotet. The EXE was carved from this PCAP: http://www.threatglass.com/malicious_urls/www-beirarioimoveis-com

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Emotet.P CnC Beacon"; flow:established,to_server; content:"POST"; http_method; pcre:"/^\x2F[a-f0-9]{6,10}\x2F[a-f0-9]{6,10}\x2F$/U"; content:"/ HTTP/1.1|0D 0A|Accept|3A| */*|0D 0A|User-Agent|3A|"; content:"User-Agent|3A| Mozilla/5.0 (compatible|3B| MSIE 10.0|3B| Windows NT 6.1|3B| WOW64|3B| Trident/6.0)"; http_header; fast_pattern:42,20; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x3A\d{2,5}/H"; classtype:trojan-activity; reference:md5,bc7d06e3a2ac4869790f33bc9f2bca50; sid:1561931; rev:1;)

I found that a lot of this is hardcoded when I was looking at a memory dump of the process, i.e.:

5cd89a/af2f5ece/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Host: 202.44.54.3:8080
Content-Length: 201
Connection: Keep-Alive
Cache-Control: no-cache
VI90
:`O0
0v-v
\ort
/C:\
DOCUME~1


Kind Regards,
Kevin Ross
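The Emotet.P rule above and the Dridex downloader User-Agent rule posted earlier in this thread each reduce to a handful of checks on the request line and headers. The Python below is an added example, not code from either post or from Emerging Threats: it reproduces those checks against raw HTTP requests so the conditions can be tested offline. The three requests are constructed for the example (documentation-range IPs, made-up paths), not captures; the hex path in the Emotet sample mirrors the shape shown in the memory dump.

```python
import re

# Conditions taken from the two posted signatures: the Dridex downloader
# User-Agent rule and the Emotet.P CnC beacon rule.
EMOTET_URI_RE = re.compile(r"^/[a-f0-9]{6,10}/[a-f0-9]{6,10}/$")
EMOTET_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
EMOTET_HOST_RE = re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{2,5}")
DRIDEX_UA_RE = re.compile(r"^KAII\d{4,}")


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request head into method, URI and headers.

    Headers come back as a dict keyed by lower-cased name plus the original
    order of names, because the Emotet rule depends on header order."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    method, uri = parts[0], (parts[1] if len(parts) > 1 else "")
    headers, order = {}, []
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        key = name.strip().lower()
        headers[key] = value.strip()
        order.append(key)
    return {"method": method, "uri": uri, "headers": headers, "order": order}


def matches_emotet_beacon(req: dict) -> bool:
    """Emotet.P rule: POST, two hex path components, 'Accept: */*' as the
    first header immediately followed by the hardcoded User-Agent, and a
    Host header that is a bare IP:port rather than a hostname."""
    h = req["headers"]
    return (
        req["method"] == "POST"
        and EMOTET_URI_RE.match(req["uri"]) is not None
        and req["order"][:2] == ["accept", "user-agent"]
        and h.get("accept") == "*/*"
        and h.get("user-agent") == EMOTET_UA
        and EMOTET_HOST_RE.match(h.get("host", "")) is not None
    )


def matches_dridex_ua(req: dict) -> bool:
    """Dridex rule: User-Agent value 'KAII' followed by at least four digits."""
    return DRIDEX_UA_RE.match(req["headers"].get("user-agent", "")) is not None


# Constructed requests (documentation-range IPs, made-up paths), not captures.
EMOTET_SAMPLE = (
    b"POST /5cd89a/af2f5ece/ HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)\r\n"
    b"Host: 192.0.2.10:8080\r\n"
    b"Content-Length: 4\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"\x00\x01\x02\x03"
)
DRIDEX_SAMPLE = (
    b"GET /update.exe HTTP/1.1\r\n"
    b"Host: 192.0.2.20\r\n"
    b"User-Agent: KAII123456\r\n"
    b"\r\n"
)
BENIGN_SAMPLE = (
    b"POST /api/v1/login/ HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)\r\n"
    b"Host: www.example.com\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, raw in (("emotet", EMOTET_SAMPLE), ("dridex", DRIDEX_SAMPLE), ("benign", BENIGN_SAMPLE)):
        req = parse_request(raw)
        print(label, "emotet:", matches_emotet_beacon(req), "dridex:", matches_dridex_ua(req))
```

The benign request carries the same hardcoded User-Agent but a hostname and a non-hex path, which is why the rule stacks the URI shape and the IP:port Host on top of the UA string rather than alerting on the UA alone.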
Francis Trudeau | 24 Mar 23:58 2015

Daily Ruleset Update Summary 2015/03/22

 [***] Summary: [***]

 9 new Open signatures, 18 new Pro (9 + 9).

 Thanks:   <at> abuse_ch,  <at> kafeine and  <at> malwaresigs.

 [+++]          Added rules:          [+++]

 Open:

  2020734 - ET TROJAN Fileless infection dropped by EK CnC Beacon (trojan.rules)
  2020735 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Ransomware CnC) (trojan.rules)
  2020736 - ET CURRENT_EVENTS Unauthorized SSL Cert for Google Domains
(current_events.rules)
  2020737 - ET TROJAN Win32/TrojanProxy.JpiProx.B CnC Beacon 1 (trojan.rules)
  2020738 - ET TROJAN Win32/TrojanProxy.JpiProx.B CnC Beacon 2 (trojan.rules)
  2020739 - ET TROJAN Unknown Trojan DNS Query to .onion proxy Domain
(l7gbml27czk3kvr5) (trojan.rules)
  2020740 - ET TROJAN CryptoLocker .onion Proxy Domain
(iezqmd4s2fflmh7n) (trojan.rules)
  2020741 - ET TROJAN Win32.Hyteod.acox Domain Generation Algorithm
(DGA) Lookup NXDOMAIN Response (trojan.rules)
  2020742 - ET TROJAN Win32.Hyteod.acox Domain Generation Algorithm
(DGA) Lookup NXDOMAIN Response (trojan.rules)

 Pro:

  2810182 - ETPRO TROJAN Expiro.AY Checkin (trojan.rules)
  2810183 - ETPRO TROJAN Vawtrak/NeverQuest CnC Beacon (trojan.rules)
  2810184 - ETPRO MALWARE Hotbar Spyware checkin 2 (malware.rules)
  2810185 - ETPRO TROJAN Win32.Rioselx.A Checkin (trojan.rules)
  2810186 - ETPRO TROJAN Win32.TreasureHunter Checkin (trojan.rules)
  2810187 - ETPRO MOBILE_MALWARE Android.Riskware.SMSReg.FB Checkin 2
(mobile_malware.rules)
  2810188 - ETPRO TROJAN MultiPlug Code Signing Certificate Seen (trojan.rules)
  2810189 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Agent.aq Checkin
via FTP (mobile_malware.rules)
  2810190 - ETPRO TROJAN Critroni .onion Proxy Domain (trojan.rules)

 [///]     Modified active rules:     [///]

  2003492 - ET MALWARE Suspicious Mozilla User-Agent - Likely Fake
(Mozilla/4.0) (malware.rules)
  2017871 - ET POLICY W32/BitCoinMiner.MultiThreat Subscribe/Authorize
Stratum Protocol Message (policy.rules)
  2018341 - ET TROJAN Kazy Checkin (trojan.rules)
  2020422 - ET TROJAN MultiPlug.J Checkin (trojan.rules)
  2805417 - ETPRO TROJAN Win32/Vobfus Checkin (trojan.rules)
  2810162 - ETPRO TROJAN Win32.VB.hlqz Keepalive (trojan.rules)

 [---]         Removed rules:         [---]

  2010228 - ET POLICY Suspicious Microsoft Windows NT 6.1 User-Agent
Detected (policy.rules)
Francis Trudeau | 24 Mar 00:18 2015

Daily Ruleset Update Summary 2015/03/21

 [***] Summary: [***]

 8 new Open signatures, 19 new Pro (8 + 11).  Netscaler SQLi,
DoS.Linux/Elknot.G, Angler EK.

 Thanks:   <at> malware_traffic and  <at> EKWatcher.

 [+++]          Added rules:          [+++]

 Open:

  2020726 - ET CURRENT_EVENTS RIG EK Landing March 20 2015 M2
(current_events.rules)
  2020727 - ET TROJAN Zbot .onion Proxy Domain (3bjpwsf3fjcwtnwx) (trojan.rules)
  2020728 - ET TROJAN Possible Adwind SSL Cert (assylias.Inc) (trojan.rules)
  2020729 - ET MOBILE_MALWARE Android.Trojan.SMSSend.Y (mobile_malware.rules)
  2020730 - ET CURRENT_EVENTS Angler EK XTEA encrypted binary (22)
(current_events.rules)
  2020731 - ET WEB_SPECIFIC_APPS Possible Netscaler SQLi bypass (URI
data) (web_specific_apps.rules)
  2020732 - ET WEB_SPECIFIC_APPS Possible Netscaler SQLi bypass (POST
data) (web_specific_apps.rules)
  2020733 - ET WEB_SPECIFIC_APPS Possible Netscaler SQLi bypass
(cookie) (web_specific_apps.rules)

 Pro:

  2810171 - ETPRO POLICY DNS Query to .onion proxy Domain
(tor-explorer.org) (policy.rules)
  2810172 - ETPRO POLICY DNS Query to .onion proxy Domain
(42k0b13.net) (policy.rules)
  2810173 - ETPRO POLICY DNS Query to .onion proxy Domain
(42kjb11.net) (policy.rules)
  2810174 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.sx Checkin
(mobile_malware.rules)
  2810175 - ETPRO MOBILE_MALWARE Riskware Android/Secapk.F Checkin
(mobile_malware.rules)
  2810176 - ETPRO TROJAN DoS.Linux/Elknot.G Variant Checkin (trojan.rules)
  2810177 - ETPRO MOBILE_MALWARE Android/ScamApp.I Checkin
(mobile_malware.rules)
  2810178 - ETPRO MOBILE_MALWARE Riskware Android/SMSreg.QR Checkin
(mobile_malware.rules)
  2810179 - ETPRO MALWARE PUP.OptimumBoost Installer Checkin (malware.rules)
  2810180 - ETPRO TROJAN Malicious Office Doc CnC Beacon (trojan.rules)
  2810181 - ETPRO TROJAN Malicious Office Doc Retrieving PE (trojan.rules)

 [///]     Modified active rules:     [///]

  2011582 - ET POLICY Vulnerable Java Version 1.6.x Detected (policy.rules)
  2016867 - ET TROJAN Backdoor.Win32.Pushdo.s Checkin (trojan.rules)
  2019172 - ET TROJAN Linux.DDoS Checkin (trojan.rules)
  2808940 - ETPRO MOBILE_MALWARE AndroidOS.Wintertiger.A Checkin
(mobile_malware.rules)
  2809563 - ETPRO MOBILE_MALWARE Android.Trojan.Lovespy.D Checkin
(mobile_malware.rules)
  2810084 - ETPRO TROJAN Win32.Androm.gljb Trojan Checkin (trojan.rules)
  2810086 - ETPRO TROJAN Win32.Loadmoney Checkin 2 (trojan.rules)
  2810094 - ETPRO USER_AGENTS Win32.LoadMoney User Agent (user_agents.rules)
  2810131 - ETPRO TROJAN VaultCrypt .onion Proxy Domain
(tj2es2lrxelpknfp) (trojan.rules)

 [---]         Removed rules:         [---]

  2808534 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.Y (mobile_malware.rules)
  2809852 - ETPRO TROJAN Trojan-Ransom.BAT.Scatter.ag .onion Proxy
Domain (trojan.rules)
James Lay | 23 Mar 13:54 2015

Re: [Snort-users] Etpro pulled pork question

From: James Lay <jlay@...>
Subject: Re: [Snort-users] Etpro pulled pork question
Date: 2015-03-10 12:59:22 GMT

On Wed, 2015-02-18 at 10:56 -0700, James Lay wrote:
On 2015-02-17 02:20 PM, James Lay wrote:
> On 2015-02-17 12:45 PM, Shirkdog wrote:
>> Thanks, I was about to say bug it and we will take a look.
>>
>> ---
>> Michael Shirk
<<<< redacted, long story short etpro rules and pulled pork issue with ignore >>>
> And the last tidbit of this is for using the open-gpl emerging
> threats ruleset:
>
> Prepping rules from emerging.rules.tar.gz for work....
> extracting contents of /tmp/emerging.rules.tar.gz...
> Ignoring plaintext rules: emerging-policy.rules
> Extracted: /tha_rules/ET-emerging-snmp.rules
>
> I noticed that these are extracted as ET-emerging-<ruleset name>.rules
> whereas etpro is extracted as ET-<ruleset name>.rules.
> I'm going to bet that has something to do with it.
>
> James

So....as I continue to look at this, I see the below:

[17:24:16 idsdev:/tmp$] tar tvf emerging.rules.tar.gz | head -n 5
drwxr-xr-x root/root      0 2015-02-18 05:09 rules/
-rw-r--r-- root/root   8895 2015-02-18 05:09 rules/emerging-snmp.rules
-rw-r--r-- root/root   2243 2015-02-18 05:09 rules/emerging-icmp.rules
-rw-r--r-- root/root  28088 2015-02-18 05:09 rules/emerging-user_agents.rules
-rw-r--r-- root/root   1934 2015-02-18 05:09 rules/emerging-rbn.rules

[17:27:59 idsdev:/tmp$] tar tvf etpro.rules.tar.gz | head -n 5
drwxr-xr-x root/root      0 2015-02-13 21:06 rules/
-rw-r--r-- root/root 414746 2015-02-13 21:06 rules/exploit.rules
-rw-r--r-- root/root   7767 2015-02-13 21:06 rules/tftp.rules
-rw-r--r-- root/root  18958 2015-02-13 21:06 rules/misc.rules
-rw-r--r-- root/root  30016 2015-02-13 21:06 rules/ETPRO-License.txt

I think this explains it.....open rules are prepended with "emerging-", and the etpro rules are not. PP is expecting to see "emerging-" and isn't getting it...pp CAN'T ignore emerging-policy.rules because it doesn't exist. And specifying just policy.rules ignores both VRT and ETPro policy.rules.

I would recommend two things:

1) change the way etpro rules are delivered to prepend "etpro-" to each .rules file
2) add the additional stanza in pp to understand that a) rules with emerging- are open source emerging threats, b) rules with etpro- are ET Pro rules, and c) rules with nothing are considered VRT/Community Cisco/Sourcefire rules.

A possible other option would be to have PP perform the ignore after extraction when all the rules are in /tmp/tha_rules/. At that point we really could specify ET-policy.rules or VRT-policy.rules in the ignore= line and have it match since those files exist. The caveat would be that we might have to specify both ET-policy.rules and VRT-policy.rules instead of just policy.rules to ignore both sets. I guess we could call this a "rules collision attack" :).

Thanks all.

James

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs-QLpEr2logwxONy2houXFdO9NwHtMwxe5XqFh9Ls21Oc@public.gmane.org
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net

Requesting any movement on this and sending to Snort Users list as well.  Thread should say it all.  Thank you.

James
_______________________________________________
Snort-users mailing list
Snort-users@...
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
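The thread above describes a name collision: pulledpork compares the ignore= names with the file names inside each tarball before it adds its own ET-/VRT- prefix, so policy.rules matches the VRT and ETPro files at once while emerging-policy.rules exists only in the open tarball. The Python below is an added example, not pulledpork's code: it parses tar tvf listings of the shape quoted in the thread, models the pre-extraction ignore, the post-extraction ignore James suggests as the other option, and the prefix-based origin classification from recommendation 2. The listings are constructed for the example (the VRT listing and the policy.rules entries are made up; the other entries copy the quoted output), and the prefixes and origin labels are assumptions.

```python
import os

# Constructed tar listings in the shape the thread quotes.  Entries other
# than policy.rules copy the quoted output; the VRT listing is made up.
OPEN_LISTING = """\
drwxr-xr-x root/root      0 2015-02-18 05:09 rules/
-rw-r--r-- root/root   8895 2015-02-18 05:09 rules/emerging-snmp.rules
-rw-r--r-- root/root   2243 2015-02-18 05:09 rules/emerging-icmp.rules
-rw-r--r-- root/root  12000 2015-02-18 05:09 rules/emerging-policy.rules
"""
ETPRO_LISTING = """\
drwxr-xr-x root/root      0 2015-02-13 21:06 rules/
-rw-r--r-- root/root 414746 2015-02-13 21:06 rules/exploit.rules
-rw-r--r-- root/root   7767 2015-02-13 21:06 rules/tftp.rules
-rw-r--r-- root/root   9000 2015-02-13 21:06 rules/policy.rules
-rw-r--r-- root/root  30016 2015-02-13 21:06 rules/ETPRO-License.txt
"""
VRT_LISTING = """\
drwxr-xr-x root/root      0 2015-02-12 10:00 rules/
-rw-r--r-- root/root   6000 2015-02-12 10:00 rules/policy.rules
-rw-r--r-- root/root  50000 2015-02-12 10:00 rules/malware-cnc.rules
"""


def parse_tar_listing(text: str) -> list:
    """Return member paths of regular files from `tar tvf` output.
    Fields: mode owner size date time name; directories start with 'd'."""
    names = []
    for line in text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6 or fields[0].startswith("d"):
            continue
        names.append(fields[5])
    return names


def rule_basenames(listing: str) -> list:
    return [os.path.basename(n) for n in parse_tar_listing(listing) if n.endswith(".rules")]


def ignore_before_extraction(tarballs: dict, ignore: set) -> dict:
    """The behaviour the thread describes: ignore= names are matched against
    the basename inside each tarball, so a bare 'policy.rules' hits every
    source that ships a file with that name.  Returns kept names per source."""
    return {src: [b for b in rule_basenames(listing) if b not in ignore]
            for src, listing in tarballs.items()}


def extracted_names(prefix: str, listing: str) -> list:
    """Names after extraction, once the per-source prefix (assumed 'ET-' or
    'VRT-' as quoted in the thread) has been added."""
    return [prefix + b for b in rule_basenames(listing)]


def ignore_after_extraction(extracted: list, ignore: set) -> list:
    """The alternative James proposes: apply ignore= to the prefixed names."""
    return [n for n in extracted if n not in ignore]


def origin(basename: str) -> str:
    """Origin by filename prefix, as in recommendation 2 (labels assumed)."""
    if basename.startswith("emerging-"):
        return "et-open"
    if basename.startswith("etpro-"):
        return "etpro"
    return "vrt"


if __name__ == "__main__":
    tarballs = {"open": OPEN_LISTING, "etpro": ETPRO_LISTING, "vrt": VRT_LISTING}
    print("ignore policy.rules before extraction:", ignore_before_extraction(tarballs, {"policy.rules"}))
    extracted = extracted_names("VRT-", VRT_LISTING) + extracted_names("ET-", ETPRO_LISTING)
    print("ignore ET-policy.rules after extraction:", ignore_after_extraction(extracted, {"ET-policy.rules"}))
```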
Francis Trudeau | 20 Mar 23:13 2015

Daily Ruleset Update Summary 2015/03/20

 [***] Summary: [***]

 8 new Open signatures, 16 new Pro (8 + 8).  RIG EK,
FindPOS, Win32.Cozer, Twiki Debugenableplugins RCE.

 Thanks: Nathan Fowler, Ify Ajokubi, Kevin Ross,  <at> kafeine and  <at> EKWatcher.

 [+++]          Added rules:          [+++]

 Open:

  2020717 - ET TROJAN Win32/Teslacrypt Ransomware HTTP CnC Beacon M1
(trojan.rules)
  2020718 - ET TROJAN Win32/Teslacrypt Ransomware HTTP CnC Beacon M2
(trojan.rules)
  2020720 - ET CURRENT_EVENTS RIG Payload URI Struct March 20 2015
(current_events.rules)
  2020721 - ET CURRENT_EVENTS RIG Exploit URI Struct March 20 2015
(current_events.rules)
  2020722 - ET CURRENT_EVENTS RIG Landing URI Struct March 20 2015
(current_events.rules)
  2020723 - ET TROJAN FindPOS Checkin (trojan.rules)
  2020724 - ET TROJAN KeyLogger related to FindPOS CnC Beacon (trojan.rules)
  2020725 - ET CURRENT_EVENTS RIG EK Landing March 20 2015
(current_events.rules)

 Pro:

  2810163 - ETPRO TROJAN Win32.Cozer Cert (trojan.rules)
  2810164 - ETPRO TROJAN Win32/Tepoyx.A SSL Cert (trojan.rules)
  2810165 - ETPRO WEB_SPECIFIC_APPS Twiki Debugenableplugins RCE
Attempt (web_specific_apps.rules)
  2810166 - ETPRO TROJAN Probably Evil MS Office HTTP request to
savepic.su (trojan.rules)
  2810167 - ETPRO WEB_SPECIFIC_APPS Joomla ECommerce-WD Plugin SQLi
Attempt (web_specific_apps.rules)
  2810168 - ETPRO MOBILE_MALWARE Android/Rlove.A Checkin 2
(mobile_malware.rules)
  2810169 - ETPRO TROJAN Win32/TrojanDownloader.Blocrypt Conn Check
(trojan.rules)
  2810170 - ETPRO TROJAN Chthonic CnC Beacon 3 (trojan.rules)

 [///]     Modified active rules:     [///]

  2014099 - ET TROJAN Exploit Kit Delivering Office File to Client
(trojan.rules)
  2807957 - ETPRO TROJAN Win32/TrojanDownloader.Blocrypt Checkin (trojan.rules)
  2809702 - ETPRO TROJAN Win32/Teslacrypt Ransomware .onion domain
(7tno4hib47vlep5o) (trojan.rules)
  2809996 - ETPRO TROJAN Possible Ransomware Variant .onion Proxy
Domain (trojan.rules)
  2810074 - ETPRO TROJAN Win32/Teslacrypt Ransomware HTTP CnC Beacon
Response (trojan.rules)
  2810075 - ETPRO TROJAN Win32/Teslacrypt Ransomware .onion Proxy
Domain (34r6hq26q2h4jkzj) (trojan.rules)

 [---]         Removed rules:         [---]

  2810072 - ETPRO TROJAN Win32/Tescrypt Ransomware HTTP CnC Beacon M1
(trojan.rules)
  2810073 - ETPRO TROJAN Win32/Tescrypt Ransomware HTTP CnC Beacon M2
(trojan.rules)
Duane Howard | 20 Mar 21:46 2015

Standardize naming for C2 and other stuff?

Hey folks,

I was wondering how crazy it would be to get the list to standardize on certain keywords that are often used in messages. For example, in the subset of rules I'm using I see the following rough counts:

CNC - 4
CnC - 714
C2 - 168
C&C - 74
Command and Control - 2

These all mean the same thing; it would be nice (for searchability, etc.) to minimize the number of strings we need to look for when searching for this type of traffic. I'm personally biased toward using C2, but it seems (by the numbers) that CnC is the preferred option here.

Also, is it possible to s/GhOst/Gh0st/ in sid:2013214 ?

Thanks!
./d
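The counts in the post above come from searching rule messages for each spelling separately. The Python below is an added example, not a tool from the list or from Emerging Threats: it pulls the msg field out of rule lines, tallies each spelling the post names, collects the sids that match any of them with one pattern, and rewrites a message to a single canonical spelling. The rule lines are constructed for the example (the sids and malware names are made up).

```python
import re
from collections import Counter

# Constructed rule lines for this example; sids and names are made up.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Example.A CnC Beacon"; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Example.B C2 Checkin"; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Example.C C&C DNS request"; sid:9000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Example.D CNC Keepalive"; sid:9000004; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Example.E Command and Control Traffic"; sid:9000005; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Example.F Checkin"; sid:9000006; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Example.G CnC Beacon 2"; sid:9000007; rev:1;)
# a commented-out rule is skipped
"""

MSG_RE = re.compile(r'msg:"([^"]*)"')
SID_RE = re.compile(r"sid:(\d+);")
# The spellings listed in the post.  Matching is case-sensitive so that
# "CnC" and "CNC" are counted separately, as in the post's numbers.
C2_VARIANTS = ("CnC", "CNC", "C2", "C&C", "Command and Control")
# One pattern that catches any spelling, for searching a mixed ruleset.
C2_ANY_RE = re.compile(r"\b(?:" + "|".join(re.escape(v) for v in C2_VARIANTS) + r")\b")


def iter_rules(rules_text: str):
    """Yield (sid, msg) for each non-comment line that carries both fields."""
    for line in rules_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m_msg, m_sid = MSG_RE.search(line), SID_RE.search(line)
        if m_msg and m_sid:
            yield int(m_sid.group(1)), m_msg.group(1)


def count_c2_variants(rules_text: str) -> Counter:
    """Tally how many rule messages use each spelling (whole-word matches)."""
    counts = Counter()
    for _sid, msg in iter_rules(rules_text):
        for variant in C2_VARIANTS:
            if re.search(r"\b" + re.escape(variant) + r"\b", msg):
                counts[variant] += 1
    return counts


def c2_sids(rules_text: str) -> list:
    """Sids whose message mentions any spelling, found with the single pattern."""
    return [sid for sid, msg in iter_rules(rules_text) if C2_ANY_RE.search(msg)]


def normalize_msg(msg: str, canonical: str = "CnC") -> str:
    """Rewrite every spelling in a message to one canonical form."""
    return C2_ANY_RE.sub(canonical, msg)


if __name__ == "__main__":
    print(count_c2_variants(SAMPLE_RULES))
    print(c2_sids(SAMPLE_RULES))
    print(normalize_msg("ET TROJAN Example.C C&C DNS request"))
```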
Kevin Ross | 20 Mar 15:28 2015

SIG: ET TROJAN W32/Filecoder.Ransomware Initial HTTP CnC Beacon

Hi,

Here is a signature for W32/Filecoder ransomware. It is based on the HTTP traffic from the system (isolated, with faked network responses), which translates to the following (you can see it in the attached picture). Effectively I am matching the Subject=Ping&key= bit of the base64 string:

?Subject=Ping&key=REMOVED&addr=REMOVED&files=0&size=0&version=0.3.3c&date=REMOVED&OS=REMOVED&ID=33&subid=0&gate=G1&is_admin=1&is_64=REMOVED&ip=REMOVED

Also, I noticed that these parameters appear in the clear in memory, ready to accept the variables (i.e. &ip=%), and I have created a YARA rule for people to scan the memory of the system - if the CnC completes it will be obvious the machine is infected, but it is useful in case you have a suspected machine or are analyzing this in a sandbox.

Kind Regards,
Kevin Ross


SURICATA SIG:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Filecoder.Ransomware Initial HTTP CnC Beacon"; flow:established,to_server; content:"?U3ViamVjdD1QaW5nJmtleT0"; http_uri; classtype:trojan-activity; reference:md5,7616872b3a200264a8d476db29be2313; sid:156611; rev:1;)

YARA VOLATILITY MEMORY SCANNING RULE:
rule Filecoder_Ransomware
{
    meta:
        description = "Found Filecoder ransomware CnC"

    strings:
        $filecoder1 = "&files="
        $filecoder2 = "&size="
        $filecoder3 = "&version="
        $filecoder4 = "&OS="
        $filecoder5 = "&ID="
        $filecoder6 = "&subid="
        $filecoder7 = "&gate="
        $filecoder8 = "&is_admin="
        $filecoder9 = "&is_64="
        $filecoder10 = "&ip="

    condition:
        all of them
}
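The content match in the Suricata rule above relies on base64 encoding fixed 3-byte groups: a fixed plaintext prefix produces a fixed encoded prefix only up to the last complete group, and the next character also carries bits from whatever byte follows. The Python below is an added example, not code from the post: it computes which characters of base64("Subject=Ping&key=") are independent of the rest of the query, builds constructed beacon URIs (the path and key values are made up) and checks them against the posted 23-character content. It also shows that the 23rd character, the trailing "0", is fixed by the top two bits of the first byte of the key value, which the post's sample had redacted; the 22-character prefix matches regardless of that byte.

```python
import base64

# The content from the posted signature and the plaintext it encodes.
RULE_CONTENT = "?U3ViamVjdD1QaW5nJmtleT0"
PLAINTEXT_PREFIX = b"Subject=Ping&key="


def stable_base64_prefix(prefix: bytes) -> str:
    """Base64 characters that depend only on `prefix`, whatever follows it.

    Each full 3-byte group yields 4 fixed characters.  A 1-byte remainder
    fixes 1 more character and a 2-byte remainder fixes 2 more; the next
    character mixes in bits from the byte after the prefix.  b64encode's
    padding zero-extends the remainder, so slicing its output is enough."""
    full, rem = divmod(len(prefix), 3)
    fixed_chars = 4 * full + (0, 1, 2)[rem]
    return base64.b64encode(prefix).decode("ascii")[:fixed_chars]


def beacon_uri(query: bytes, path: str = "/index.php") -> str:
    """Build a URI shaped like the sample: path, '?', then the whole query
    string base64-encoded.  The path is a constructed placeholder."""
    return path + "?" + base64.b64encode(query).decode("ascii")


def rule_hits(uri: str) -> bool:
    """Mirror the signature's unanchored content match against http_uri."""
    return RULE_CONTENT in uri


def next_char_by_key_start(prefix: bytes) -> dict:
    """Map the top two bits of the byte following `prefix` to the base64
    character that immediately follows the stable prefix."""
    pos = len(stable_base64_prefix(prefix))
    out = {}
    for first in (0x31, 0x41, 0x81, 0xC1):  # '1', 'A' and two high bytes
        enc = base64.b64encode(prefix + bytes([first])).decode("ascii")
        out[first >> 6] = enc[pos]
    return out


if __name__ == "__main__":
    print("stable prefix:", stable_base64_prefix(PLAINTEXT_PREFIX))
    for key in (b"1234", b"ABCD"):
        uri = beacon_uri(b"Subject=Ping&key=" + key + b"&addr=0&files=0")
        print(key.decode(), uri, "hit" if rule_hits(uri) else "miss")
    print("23rd char by top bits of key[0]:", next_char_by_key_start(PLAINTEXT_PREFIX))
```

Because the decoded sample in the post shows the base64 string starting right at "Subject", the group alignment here is the same as in the captured traffic; if a client ever prepended anything before the query, the whole encoded prefix would shift and a plaintext-derived content would need recomputing.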
Francis Trudeau | 20 Mar 00:04 2015

Daily Ruleset Update Summary 2015/03/19

 [***] Summary: [***]

 7 new Open signatures, 20 new Pro (7 + 13).  9002 RAT, Cryptolocker,
ProxyChanger, Zbot.urtu.

 Thanks:  Young Jack Mott and Kevin Ross.

 [+++]          Added rules:          [+++]

 Open:

  2020710 - ET CURRENT_EVENTS Fake Windows Security Warning - Alert
(current_events.rules)
  2020711 - ET CURRENT_EVENTS Fake Windows Security Warning - png
(current_events.rules)
  2020712 - ET MALWARE AdWare.Win32.BetterSurf.b SSL Cert (malware.rules)
  2020713 - ET TROJAN 9002 RAT C&C DNS request (trojan.rules)
  2020714 - ET TROJAN HOMEUNIX/9002 CnC Beacon (trojan.rules)
  2020715 - ET CURRENT_EVENTS Evil Redirector Leading to EK Mar 19
2015 (current_events.rules)
  2020716 - ET POLICY Possible External IP Lookup ipinfo.io (policy.rules)

 Pro:

  2810150 - ETPRO TROJAN Exaction Cryptolocker .onion Proxy Domain
(iupfnqg2uaigwoei) (trojan.rules)
  2810151 - ETPRO TROJAN Trojan-Spy.Win32.Zbot.urtu .onion Proxy
Domain (4tsur32luets6fhe) (trojan.rules)
  2810152 - ETPRO TROJAN Win32/Kilim.A C2 (trojan.rules)
  2810153 - ETPRO MOBILE_MALWARE Android/AdDisplay.Wooboo.C Checkin
(mobile_malware.rules)
  2810154 - ETPRO TROJAN Win32.ProxyChanger.TH Checkin (trojan.rules)
  2810155 - ETPRO TROJAN WIN32.AGENT.IEEO Checkin 1 (trojan.rules)
  2810156 - ETPRO TROJAN WIN32.AGENT.IEEO Checkin 2 (trojan.rules)
  2810157 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.SMSreg.ke Checkin
2 (mobile_malware.rules)
  2810158 - ETPRO TROJAN Win32/Hyteod Initial CnC Beacon (trojan.rules)
  2810159 - ETPRO TROJAN Win32/Hyteod Initial CnC Beacon Response (trojan.rules)
  2810160 - ETPRO TROJAN Chanitor .onion Proxy Domain
(xlc2opjy2iniygev) (trojan.rules)
  2810161 - ETPRO MOBILE_MALWARE Android.Adware.Mobclick.A Checkin
(mobile_malware.rules)
  2810162 - ETPRO TROJAN Unknown.KR Keepalive (trojan.rules)

 [///]     Modified active rules:     [///]

  2020078 - ET TROJAN RocketKitten APT Checkin (trojan.rules)

 [---]         Disabled rules:        [---]

  2017376 - ET CURRENT_EVENTS Possible BHEK Landing URI Format
(current_events.rules)

 [---]         Removed rules:         [---]

  2810096 - ETPRO POLICY Possible External IP Lookup ipinfo.io (policy.rules)
Kevin Ross | 19 Mar 21:33 2015

SIG: ET POLICY Ipinfo.io External IP Address Lookup

Hi,

The file MD5 is 7616872b3a200264a8d476db29be2313. The binary was extracted from this PCAP: http://www.threatglass.com/malicious_urls/bg-mamma-com. Screenshots of it in the sandbox are below (run with no real internet access).

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Ipinfo.io External IP Address Lookup"; flow:established,to_server; urilen:3; content:"/ip"; http_uri; depth:3; content:"Host|3A| ipinfo.io"; http_header; classtype:bad-unknown; sid:167711; rev:1;)


Kind Regards,
Kevin Ross