Jake Warren | 27 Apr 22:59 2015

Misc. Rules

Hi ET & Community,

Thought I would contribute a few rules I wrote recently.

#seeing lots of this activity over the past week.
alert udp $HOME_NET any -> any 53 (msg:"Mewsei/NionSpy .onion domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|z3mm6cupmtw5b2xx"; fast_pattern; nocase; distance:0; reference:url,blogs.mcafee.com/mcafee-labs/taking-a-close-look-at-data-stealing-nionspy-file-infector; classtype:trojan-activity; sid:xxxx; rev:1;)

#not 100% sure this sinkhole is only for TeslaCrypt but lots of TeslaCrypt C&C domains sinkholed here.
alert udp any 53 -> $HOME_NET any (msg:"TeslaCrypt DNS Sinkhole Reply (Team CYMRU)"; content:"|00 01 00 01|"; content:"|00 04 26 E5 46 04|"; distance:4; within:6; classtype:trojan-activity; sid:xxxx; rev:1;)

alert udp any 53 -> $HOME_NET any (msg:"Kaspersky DNS Sinkhole Reply"; content:"|00 01 00 01|"; content:"|00 04 5F D3 AC 8F|"; distance:4; within:6; classtype:trojan-activity; sid:xxxx; rev:1;)

alert udp any 53 -> $HOME_NET any (msg:"Wapack Labs DNS Sinkhole Reply"; content:"|00 01 00 01|"; content:"|00 04 17 FD 2E 40|"; distance:4; within:6; classtype:trojan-activity; sid:xxxx; rev:1;)

#these are optional. Heartbleed is already covered but I like the high accuracy of these alerts
alert tcp any any -> $HOME_NET any (msg:"Nmap NSE Heartbleed Request"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; content:"|01|"; offset:5; depth:1; byte_test:2,>,2,3; byte_test:2,>,200,6; content:"|40 00|Nmap ssl-heartbleed"; fast_pattern:2,19; classtype:bad-unknown; sid:xxxx; rev:1;)

alert tcp $HOME_NET any -> any any (msg:"Nmap NSE Heartbleed Response"; flow:established,from_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; byte_test:2,>,200,3; content:"|40 00|Nmap ssl-heartbleed"; fast_pattern:2,19; classtype:bad-unknown; sid:xxxx; rev:1;)

Regards,
Jake Warren
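A small emulation, added here as an illustration and not part of Jake's post, of how the three sinkhole reply rules above match: the first content anchors on the answer's type A / class IN bytes, distance:4 skips the TTL, and within:6 pins the rdlength and address to the next six bytes. The DNS replies are constructed; the dotted quads are only the rules' hex rdata decoded.

```python
import socket
import struct

# Sinkhole rdata taken from the three rules' hex content, decoded to dotted quads.
SINKHOLE_RULES = {
    "TeslaCrypt DNS Sinkhole Reply (Team CYMRU)": "38.229.70.4",   # |26 E5 46 04|
    "Kaspersky DNS Sinkhole Reply": "95.211.172.143",              # |5F D3 AC 8F|
    "Wapack Labs DNS Sinkhole Reply": "23.253.46.64",              # |17 FD 2E 40|
}

def encode_name(name):
    """Encode a dotted hostname as DNS labels."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_a_reply(qname, ip, txid=0x1234, ttl=300):
    """Constructed DNS response: one question, one A answer using a name pointer."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR|RD|RA, 1 Q, 1 AN
    question = encode_name(qname) + struct.pack("!HH", 1, 1)     # QTYPE A, QCLASS IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer

def rule_matches(payload, ip):
    """Emulate: content:"|00 01 00 01|"; content:"|00 04|<ip>"; distance:4; within:6;
    Like the engine, retry later occurrences of the first content when the
    relative second content fails: the header counts and the question's
    QTYPE/QCLASS both contain 00 01 00 01 before the answer does."""
    first = b"\x00\x01\x00\x01"
    second = b"\x00\x04" + socket.inet_aton(ip)
    pos = payload.find(first)
    while pos != -1:
        start = pos + len(first) + 4              # distance:4 -> skip the 4-byte TTL
        if payload[start:start + 6] == second:    # within:6 -> no slack, exact spot
            return True
        pos = payload.find(first, pos + 1)
    return False

def classify(payload):
    """Return the msg of every sinkhole rule the reply would trigger."""
    return [msg for msg, ip in SINKHOLE_RULES.items() if rule_matches(payload, ip)]

if __name__ == "__main__":
    for ip in ("38.229.70.4", "93.184.216.34"):
        print(ip, "->", classify(build_a_reply("evil.example", ip)) or "no alert")
```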
Kevin Ross | 27 Apr 12:48 2015

SIG: ET MALWARE W32/Softpulse.PUP Install Beacon

FYI, for a PUP this file does disk checks, anti-VM checks, common sandbox tests, etc.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Softpulse.PUP Install Beacon"; flow:established,to_server; content:"/store/?sentry_version="; http_uri; content:"&sentry_client="; http_uri; content:"&sentry_key="; http_uri; content:"&sentry_secret="; http_uri; content:"&sentry_data="; http_uri; classtype:trojan-activity; reference:md5,bb9f26d52327979fb9b4d467408eba25; sid:1566211; rev:1;)


Kind Regards,
Kevin Ross
rmkml | 25 Apr 13:42 2015

Spamhaus is back on fw block lists?

Hello,

Could you confirm Spamhaus is back, please?

Regards
@Rmkml
Francis Trudeau | 25 Apr 00:17 2015

Daily Ruleset Update Summary 2015/04/24

 [***] Results from Oinkmaster started Fri Apr 24 17:53:10 2015 [***]

 27 new Open signatures, 37 new Pro (27 + 10).  Fiesta, Dridex,
Sundown, Dalexis.

 Thanks:  James Lay, Kevin Ross and @kafeine.

 [+++]          Added rules:          [+++]

 Open:

  2020985 - ET CURRENT_EVENTS Sundown EK Secondary Landing Apr 20 2015
(current_events.rules)
  2020986 - ET CURRENT_EVENTS Possible Dridex Downloader SSL
Certificate (current_events.rules)
  2020987 - ET CURRENT_EVENTS Download file with Powershell via LNK
file (observed in Sundown EK) (current_events.rules)
  2020988 - ET CURRENT_EVENTS Possible Sundown EK URI Struct T1 Apr 24
2015 (current_events.rules)
  2020989 - ET CURRENT_EVENTS Possible Sundown EK Payload Struct T1
Apr 24 2015 (current_events.rules)
  2020990 - ET CURRENT_EVENTS Sundown EK Secondary Landing T1 M2 Apr
24 2015 (current_events.rules)
  2020991 - ET CURRENT_EVENTS Possible Sundown EK Payload Struct T2 M1
Apr 24 2015 (current_events.rules)
  2020992 - ET CURRENT_EVENTS Possible Sundown EK Payload Struct T2 M2
Apr 24 2015 (current_events.rules)
  2020993 - ET CURRENT_EVENTS IonCube Encoded Page (no alert)
(current_events.rules)
  2020994 - ET CURRENT_EVENTS Possible Sundown EK Flash Exploit Struct
T2 Apr 24 2015 (current_events.rules)
  2020995 - ET CURRENT_EVENTS Fiesta Payload/Exploit URI Struct M0
(current_events.rules)
  2020996 - ET CURRENT_EVENTS Fiesta Payload/Exploit URI Struct M1
(current_events.rules)
  2020997 - ET CURRENT_EVENTS Fiesta Payload/Exploit URI Struct M2
(current_events.rules)
  2020998 - ET CURRENT_EVENTS Fiesta Payload/Exploit URI Struct M3
(current_events.rules)
  2020999 - ET CURRENT_EVENTS Fiesta Payload/Exploit URI Struct M4
(current_events.rules)
  2021000 - ET CURRENT_EVENTS Fiesta Payload/Exploit URI Struct M5
(current_events.rules)
  2021001 - ET CURRENT_EVENTS Fiesta Payload/Exploit URI Struct M6
(current_events.rules)
  2021002 - ET CURRENT_EVENTS Fiesta Payload/Exploit URI Struct M7
(current_events.rules)
  2021003 - ET CURRENT_EVENTS Fiesta Payload/Exploit URI Struct M8
(current_events.rules)
  2021004 - ET CURRENT_EVENTS Fiesta Payload/Exploit URI Struct M9
(current_events.rules)
  2021005 - ET WEB_SPECIFIC_APPS Vulnerable Magento Adminhtml Access
(web_specific_apps.rules)
  2021006 - ET TROJAN Email Contains InternetOpen WinInet API Call -
Potentially Dridex MalDoc 1 (trojan.rules)
  2021007 - ET TROJAN Email Contains InternetOpen WinInet API Call -
Potentially Dridex MalDoc 2 (trojan.rules)
  2021008 - ET TROJAN Email Contains InternetOpen WinInet API Call -
Potentially Dridex MalDoc 3 (trojan.rules)
  2021009 - ET TROJAN Email Contains wininet.dll Call - Potentially
Dridex MalDoc 1 (trojan.rules)
  2021010 - ET TROJAN Email Contains wininet.dll Call - Potentially
Dridex MalDoc 2 (trojan.rules)
  2021011 - ET TROJAN Email Contains wininet.dll Call - Potentially
Dridex MalDoc 3 (trojan.rules)

 Pro:

  2810767 - ETPRO MOBILE_MALWARE Android/SMSreg.HI Checkin 2
(mobile_malware.rules)
  2810768 - ETPRO POLICY DNS Query to .onion proxy Domain
(dfj3d8w3n27.com) (policy.rules)
  2810769 - ETPRO POLICY DNS Query to .onion proxy Domain
(torlocator.org) (policy.rules)
  2810770 - ETPRO POLICY DNS Query to .onion proxy Domain
(aw49f4j3n26.com) (policy.rules)
  2810771 - ETPRO POLICY DNS Query to .onion proxy Domain
(7hwr34n18.com) (policy.rules)
  2810772 - ETPRO MALWARE Win32.PSW.OnLineGames Checkin (malware.rules)
  2810773 - ETPRO MALWARE Win32.Adware.Kraddare Checkin (malware.rules)
  2810774 - ETPRO MALWARE PUP/Win32.ZaxarGames Download (malware.rules)
  2810775 - ETPRO TROJAN Win32/Dalexis.F Dropping Files (trojan.rules)
  2810776 - ETPRO SCADA Possible CVE-2015-0984 Honeywell Falcon XLWEB
Login Attempt (scada.rules)

 [///]     Modified active rules:     [///]

  2010067 - ET POLICY Data POST to an image file (jpg) (policy.rules)
  2810752 - ETPRO TROJAN Tempedreve Checkin (trojan.rules)
  2810753 - ETPRO TROJAN Win32/Spy.Banbra.HE Fetching Config (trojan.rules)
Kevin Ross | 24 Apr 13:43 2015

SIGS: Dridex Macro Docs in Emails

These seem to be capable of detecting the Dridex Macros in emails as they have fired for me. Hopefully they will be able to find others too, not specifically Dridex.

alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Email Contains InternetOpen WinInet API Call - Potentially Dridex MalDoc"; flow:established,to_server; content:"SW50ZXJuZXRPcGVu"; fast_pattern:only; classtype:trojan-activity; sid:156111; rev:1;)

alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Email Contains wininet.dll Call - Potentially Dridex MalDoc"; flow:established,to_server; content:"d2luaW5ldC5kbGw"; fast_pattern:only; classtype:trojan-activity; sid:156112; rev:1;)


Kind Regards,
Kevin Ross
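The two content strings above are base64 of "InternetOpen" and "wininet.dll" as they appear in a base64-encoded attachment, but a base64 string for a token only holds when the token starts on a 3-byte boundary of the encoded body. The following is an added example, not part of Kevin's post: it derives the alignment-independent fragments for each token (the same idea as YARA's base64 modifier) and runs both the posted single-alignment strings and the three fragments over a constructed macro snippet shifted across all three alignments.

```python
import base64

def base64_fragments(token):
    """Base64 strings that encode `token` when it starts at byte offset 0, 1 or 2
    of a 3-byte group. Characters that also depend on the bytes before or after
    the token are trimmed, so each fragment is a pure function of the token."""
    data = token.encode()
    fragments = []
    for pad in range(3):
        enc = base64.b64encode(b"\x00" * pad + data).decode().rstrip("=")
        lead = (0, 2, 3)[pad]                              # chars tainted by pad bytes
        tail = 0 if (pad + len(data)) % 3 == 0 else 1      # last char shares a byte with what follows
        fragments.append(enc[lead:len(enc) - tail])
    return fragments

def contains_token(b64text, token):
    """Alignment-independent check: does any of the three fragments occur?"""
    return any(frag in b64text for frag in base64_fragments(token))

# The content strings from the two rules above. Note the trailing "w" of the
# wininet.dll string encodes the low nibble of the final "l" plus two zero bits,
# i.e. it additionally assumes the byte after "wininet.dll" is below 0x40
# (a quote, space or comma), which is true for the Lib "wininet.dll" idiom.
RULE_STRINGS = {"InternetOpen": "SW50ZXJuZXRPcGVu", "wininet.dll": "d2luaW5ldC5kbGw"}

def rule_string_hits(b64text, token):
    """The single-alignment match the posted rules actually perform."""
    return RULE_STRINGS[token] in b64text

def check_alignment(shift):
    """Constructed macro fragment, base64-encoded as it would travel in a MIME
    part; `shift` filler bytes move both tokens to another 3-byte alignment.
    Returns {token: (posted rule string hits, alignment-independent hit)}."""
    body = b"A" * shift + b'InternetOpen Lib "wininet.dll"'
    blob = base64.b64encode(body).decode()
    return {t: (rule_string_hits(blob, t), contains_token(blob, t)) for t in RULE_STRINGS}

if __name__ == "__main__":
    for shift in range(3):
        print(shift, check_alignment(shift))
```

At shifts 1 and 2 the posted strings miss while the fragment set still hits, so a rule per alignment (or a PCRE of the three fragments) closes that gap.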
Kevin Ross | 24 Apr 12:02 2015

SIG: ET CURRENT_EVENTS Dridex.Maldoc Numerical Executable Request

This is to cover a hole in some detection when a user agent is not used, as this is covered by sig ET CURRENT_EVENTS Potential Dridex.Maldoc Minimal Executable Request. Basically with and without user agents is what I see most of the time with numerical patterns now.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Dridex.Maldoc Numerical Executable Request"; flow:established,to_server; urilen:<15; content:"GET"; http_method; content:".exe"; http_uri; fast_pattern:only; pcre:"/^\/\d{1,4}\/\d{1,4}\.exe$/U"; content:".exe HTTP/1.1|0D 0A|Host|3a|"; content:!"User-Agent|3A|"; http_header; content:!"Referer|3A|"; http_header; pcre:"/Host\x3A\x20[^\r\n]*\x0D\x0A/Hmi"; reference:url,blogs.cisco.com/security/dridex-attacks-target-corporate-accounting; classtype:trojan-activity; sid:155511; rev:1;)

Kind Regards,
Kevin Ross
Francis Trudeau | 24 Apr 00:28 2015

Daily Ruleset Update Summary 2015/04/23

 [***] Summary: [***]

 9 new Open signatures, 23 new Pro (9 + 14).  Fiesta EK, Rovnix.P, Dridex.

 Thanks:  Jake Warren and @rmkml.

 [+++]          Added rules:          [+++]

Open:

  2020976 - ET EXPLOIT Possible Redirect to SMB exploit attempt - 307
(exploit.rules)
  2020977 - ET EXPLOIT Possible Redirect to SMB exploit attempt - 303
(exploit.rules)
  2020978 - ET TROJAN DDoS.Win32.Agent.bay Variant Covert Channel
(VERSONEX) (trojan.rules)
  2020979 - ET CURRENT_EVENTS Fiesta EK Landing Apr 23 2015
(current_events.rules)
  2020980 - ET CURRENT_EVENTS Fiesta EK IE Exploit Apr 23 2015
(current_events.rules)
  2020981 - ET CURRENT_EVENTS Fiesta EK Flash Exploit Apr 23 2015
(current_events.rules)
  2020982 - ET CURRENT_EVENTS Fiesta EK SilverLight Exploit Apr 23
2015 (current_events.rules)
  2020983 - ET CURRENT_EVENTS Fiesta EK Java Exploit Apr 23 2015
(current_events.rules)
  2020984 - ET CURRENT_EVENTS Fiesta EK PDF Exploit Apr 23 2015
(current_events.rules)

 Pro:

  2810753 - ETPRO TROJAN Win32/Spy.Banbra.HE Fetching Config (trojan.rules)
  2810754 - ETPRO TROJAN Trojan-Banker.Win32.Banbra.dou Checkin (trojan.rules)
  2810755 - ETPRO TROJAN Likely Dridex Generic SSL Cert (trojan.rules)
  2810756 - ETPRO TROJAN Win32/Rovnix.P Retrieving .dat (trojan.rules)
  2810757 - ETPRO TROJAN Win32/Rovnix.P HTTP GET CnC Beacon (trojan.rules)
  2810758 - ETPRO TROJAN Win32/Rovnix.P HTTP POST CnC Beacon 1 (trojan.rules)
  2810759 - ETPRO TROJAN Win32/Rovnix.P HTTP POST CnC Beacon 2 (trojan.rules)
  2810760 - ETPRO POLICY IP Check ip.xss.ru (policy.rules)
  2810761 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(atractin.1) (trojan.rules)
  2810762 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(16054) (trojan.rules)
  2810763 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(16050) (trojan.rules)
  2810764 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(veXTFTkM.1) (trojan.rules)
  2810765 - ETPRO TROJAN Win32/Rovnix.P Posting stolen data (trojan.rules)
  2810766 - ETPRO MOBILE_MALWARE Unknown Checkin (mobile_malware.rules)

 [///]     Modified active rules:     [///]

  2020300 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Exploit Struct Jan 23
2015 (current_events.rules)
Francis Trudeau | 23 Apr 03:25 2015

Daily Ruleset Update Summary 2015/04/22

 [***] Summary: [***]

 16 new Open signatures, 36 new Pro.  CozyDuke, Nuclear EK, PoisonIvy.

 Thanks:  @EKWatcher.

 [+++]          Added rules:          [+++]

 Open:

  2020960 - ET TROJAN Possible Graftor Downloading Dridex (trojan.rules)
  2020961 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (KINS CnC) (trojan.rules)
  2020962 - ET TROJAN CozyDuke APT HTTP Checkin (trojan.rules)
  2020963 - ET TROJAN CozyDuke APT HTTP GET CnC Beacon (trojan.rules)
  2020964 - ET TROJAN CozyDuke APT HTTP POST CnC Beacon (trojan.rules)
  2020965 - ET TROJAN CozyDuke APT HTTP CnC Beacon Response (trojan.rules)
  2020966 - ET TROJAN CozyDuke APT Possible SSL Cert 1 (trojan.rules)
  2020967 - ET TROJAN CozyDuke APT Possible SSL Cert 2 (trojan.rules)
  2020968 - ET TROJAN CozyDuke APT Possible SSL Cert 3 (trojan.rules)
  2020969 - ET TROJAN CozyDuke APT Possible SSL Cert 4 (trojan.rules)
  2020970 - ET TROJAN CozyDuke APT Possible SSL Cert 5 (trojan.rules)
  2020971 - ET TROJAN CozyDuke APT Possible SSL Cert 6 (trojan.rules)
  2020972 - ET TROJAN CozyDuke APT Possible SSL Cert 7 (trojan.rules)
  2020973 - ET POLICY Petite Packed Binary Download (policy.rules)
  2020974 - ET TROJAN CozyDuke APT Possible SSL Cert 8 (trojan.rules)
  2020975 - ET CURRENT_EVENTS Nuclear EK Landing Apr 22 2015
(current_events.rules)

 Pro:

  2810733 - ETPRO TROJAN TrojanSpy.Win32/Mafod Checkin (trojan.rules)
  2810734 - ETPRO TROJAN Win32.Androm.gnlb Checkin (trojan.rules)
  2810735 - ETPRO TROJAN Banker.Win32.Banbra Checkin (trojan.rules)
  2810736 - ETPRO MALWARE PUA.Win32.Bang5mai.B Checkin (malware.rules)
  2810737 - ETPRO TROJAN Simda CnC Beacon (trojan.rules)
  2810738 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(1LTSb2bdNHuNNmGnCWfVrxuDXWZ52Atubs) (trojan.rules)
  2810739 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(paranoia1.1) (trojan.rules)
  2810740 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(LZA8F5DgmTCTbdUR1AXpnvuVVFEXbKxcNH) (trojan.rules)
  2810741 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(16134) (trojan.rules)
  2810742 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(Intercepter.1) (trojan.rules)
  2810743 - ETPRO TROJAN Win32/Banker.VJ Reporting Checkin Via SMTP
(trojan.rules)
  2810744 - ETPRO TROJAN PoisonIvy Keepalive to CnC 143 (trojan.rules)
  2810745 - ETPRO TROJAN PoisonIvy Keepalive to CnC 144 (trojan.rules)
  2810746 - ETPRO TROJAN PoisonIvy Keepalive to CnC 145 (trojan.rules)
  2810747 - ETPRO TROJAN PoisonIvy Keepalive to CnC 146 (trojan.rules)
  2810748 - ETPRO TROJAN PoisonIvy Keepalive to CnC 147 (trojan.rules)
  2810749 - ETPRO TROJAN Win32/Cromptui.C Possible SSL Cert (trojan.rules)
  2810750 - ETPRO MALWARE MixVideoPlayer.A CnC Beacon (malware.rules)
  2810751 - ETPRO TROJAN Possible Dridex downloader SSL Certificate
(trojan.rules)
  2810752 - ETPRO TROJAN Tempedreve Checkin (trojan.rules)

 [///]     Modified active rules:     [///]

  2007950 - ET TROJAN Possible Infection Report Mail - Indy Mail lib
and Nome do Computador in Body (trojan.rules)
  2018497 - ET CURRENT_EVENTS Angler EK SilverLight Payload Request -
May 2014 (current_events.rules)
  2020300 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Exploit Struct Jan 23
2015 (current_events.rules)
  2808570 - ETPRO TROJAN Win32.Sisron.B Checkin 2 (trojan.rules)
  2810699 - ETPRO TROJAN Sality Variant UDP CnC Beacon Response (trojan.rules)

 [---]         Removed rules:         [---]

  2810163 - ETPRO TROJAN Win32.Cozer Cert (trojan.rules)
Jake Warren | 22 Apr 23:17 2015

More Redirect to SMB sigs

Hello,

Here's a couple of additional rules for the Redirect to SMB vulnerability. The 307 code was discovered by Trend Micro and I discovered the 303 code during my research (appears to only affect Internet Explorer though).

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Possible Redirect to SMB exploit attempt - 307"; flow:from_server,established; content:"307"; http_stat_code; content:"Location|3a| file|3a 2f 2f|"; http_header; fast_pattern:only; reference:url,blog.cylance.com/redirect-to-smb; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/resurrection-of-the-living-dead-the-redirect-to-smb-vulnerability/; classtype:attempted-user; sid:xxxx; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Possible Redirect to SMB exploit attempt - 303"; flow:from_server,established; content:"303"; http_stat_code; content:"Location|3a| file|3a 2f 2f|"; http_header; fast_pattern:only; reference:url,blog.cylance.com/redirect-to-smb; classtype:attempted-user; sid:xxxx; rev:1;)

Regards,
Jake Warren
Francis Trudeau | 22 Apr 01:46 2015

Daily Ruleset Update Summary 2015/04/21

 [***] Summary: [***]

 3 new Open signatures, 21 new Pro (18 + 3).  VBS.BackDoor.DuCk.1,
BAT/Autorun.FN, CryptoLocker.

 [+++]          Added rules:          [+++]

 Open:

  2020955 - ET TROJAN Windows nbtstat -n Microsoft Windows DOS prompt
command exit OUTBOUND (trojan.rules)
  2020958 - ET TROJAN CryptoLocker .onion Proxy Domain
(zoqowm4kzz4cvvvl) (trojan.rules)
  2020959 - ET TROJAN CryptoWall .onion Proxy Domain
(7oqnsnzwwnm6zb7y) (trojan.rules)

 Pro:

  2810715 - ETPRO TROJAN VBS.BackDoor.DuCk.1 Checkin 1 (trojan.rules)
  2810716 - ETPRO TROJAN VBS.BackDoor.DuCk.1 Screenshot Upload (trojan.rules)
  2810717 - ETPRO TROJAN VBS.BackDoor.DuCk.1 Command Output Upload
(trojan.rules)
  2810718 - ETPRO MALWARE Win32/BTmagnat.A CnC Beacon (malware.rules)
  2810719 - ETPRO MALWARE Win32/FlyStudio CnC Beacon 2 (malware.rules)
  2810720 - ETPRO TROJAN BAT/Autorun.FN Variant Dropping Files (trojan.rules)
  2810721 - ETPRO WEB_SPECIFIC_APPS WP DukaPress Dir Traversal Attempt
(web_specific_apps.rules)
  2810722 - ETPRO WEB_SPECIFIC_APPS WP Mobile Edition Dir Traversal
Attempt (web_specific_apps.rules)
  2810723 - ETPRO TROJAN PoisonIvy Keepalive to CnC 140 (trojan.rules)
  2810724 - ETPRO TROJAN PoisonIvy Keepalive to CnC 141 (trojan.rules)
  2810725 - ETPRO TROJAN PoisonIvy Keepalive to CnC 142 (trojan.rules)
  2810726 - ETPRO WEB_SPECIFIC_APPS WP Business Intelligence Lite
1.6.1 SQLi Attempt (web_specific_apps.rules)
  2810727 - ETPRO WEB_SPECIFIC_APPS WorkTheFlow Plugin Arbitrary PHP
File Upload (web_specific_apps.rules)
  2810728 - ETPRO MOBILE_MALWARE Android/SMSreg.AV Checkin 2
(mobile_malware.rules)
  2810729 - ETPRO TROJAN Trojan-Downloader.Banload Connectivity Check
Form1 (trojan.rules)
  2810730 - ETPRO TROJAN Trojan-Downloader.Banload Connectivity Check
(trojan.rules)
  2810731 - ETPRO MOBILE_MALWARE Android/Igexin.A Checkin (mobile_malware.rules)
  2810732 - ETPRO WEB_SPECIFIC_APPS WP N-Media Plugin Arbitrary PHP
File Upload (web_specific_apps.rules)

 [///]     Modified active rules:     [///]

  2806447 - ETPRO TROJAN Win32/Autoit.IT Checkin 1 (trojan.rules)
  2806448 - ETPRO TROJAN Win32/Autoit.IT Checkin 2 (trojan.rules)
Duane Howard | 20 Apr 20:08 2015

add nocase to content negations?

I've seen a couple of instances of browsers using lower-case for all headers, and thus tripping this alert. Can we make the content negations nocase? Is it worth considering doing this for *all* header content negations?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible HTTP GET Deep Panda C2 Activity"; flow:established,to_server; content:"GET"; http_method; content:".jpg?id="; http_uri; fast_pattern:only; content:!"Accept"; nocase; http_header; content:!"Referer|3a|"; nocase; http_header; pcre:"/\.jpg\?id=\d+$/U"; reference:md5,5acc539355258122f8cdc7f5c13368e1; classtype:trojan-activity; sid:2020379; rev:2;)

Cheers,
./d
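To show what the nocase change does to the two negated header contents, here is a small emulation added as an example (not from the post) that runs the rule's method, URI and negation checks over two constructed requests: a bare beacon-style GET, and a browser GET whose headers are all lower-case.

```python
import re

# Constructed requests. The beacon-style GET carries none of the headers the rule
# negates; the browser-style GET sends every header name in lower case.
BEACON = (b"GET /images/photo.jpg?id=4182 HTTP/1.1\r\n"
          b"Host: cdn.example\r\n"
          b"User-Agent: Mozilla/4.0\r\n\r\n")
LOWERCASE_BROWSER = (b"GET /gallery/cat.jpg?id=77 HTTP/1.1\r\n"
                     b"host: pics.example\r\n"
                     b"accept: image/webp,*/*\r\n"
                     b"referer: http://pics.example/gallery\r\n"
                     b"user-agent: Mozilla/5.0\r\n\r\n")

def split_request(raw):
    """Return (method, uri, header block), mirroring the http_method,
    http_uri and http_header buffers the rule keywords inspect."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, _, headers = head.partition("\r\n")
    method, uri, _ = request_line.split(" ", 2)
    return method, uri, headers

def negated_content_ok(buf, needle, nocase):
    """content:!"needle" passes only when needle is absent; nocase folds case."""
    if nocase:
        return needle.lower() not in buf.lower()
    return needle not in buf

def deep_panda_rule_fires(raw, nocase):
    """Evaluate sid 2020379 with (rev 2) or without (rev 1) nocase on the negations."""
    method, uri, headers = split_request(raw)
    if method != "GET" or ".jpg?id=" not in uri:
        return False
    if not re.search(r"\.jpg\?id=\d+$", uri):       # pcre:"/\.jpg\?id=\d+$/U"
        return False
    return (negated_content_ok(headers, "Accept", nocase)
            and negated_content_ok(headers, "Referer:", nocase))   # Referer|3a|

if __name__ == "__main__":
    for name, req in (("beacon", BEACON), ("lower-case browser", LOWERCASE_BROWSER)):
        print(name, "rev1:", deep_panda_rule_fires(req, nocase=False),
              "rev2:", deep_panda_rule_fires(req, nocase=True))
```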