Will Metcalf | 30 Jul 17:02 2014

Does anybody know what this is?

Does anybody know of a protocol/application, legit or otherwise, that starts with "socks5init:" in the first 11 bytes of the packet talking to the server, generally in the lower 8k port range? I've seen some malware exhibit this behavior, but when I went to test this sig in the world I got a lot of hits. This could be a completely legit proto, but it is new to me. I have hits all over the globe. Any ideas?

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET Unknown Socks5 Connection not socks5"; flow:to_server,established; content:"socks5init|3a|"; depth:11; sid:123131; rev:1; classtype:bad-unknown; reference:md5,2a0e042fdb2d85c2abf8bd35499ee1aa; reference:md5,c4d3db0eadc650372225d0093cd442ba; reference:md5,4c1f7c4f6d00869a6fca9fdcbadc9633; threshold: type limit, track by_src, count 1, seconds 120;)

Regards,

Will
Leonard Jacobs | 30 Jul 04:58 2014

sid:2101616 not dropping in Suricata

I have SID 2101616 set to Drop in Suricata but it will not drop. What could be causing this?

Thanks.

Leonard
Francis Trudeau | 30 Jul 03:11 2014

Daily Ruleset Update Summary 07/29/2014

 [***] Summary: [***]

 7 new Pro signatures, 18 new Pro (7+11).  Upatre, Various AndroidOS,
Password Stealer.

 Thanks:  Kevin Ross.

 [+++]          Added rules:          [+++]

 Open:

  2018800 - ET SCAN Chroot-apache0day Unknown Web Scanner User Agent
(scan.rules)
  2018801 - ET CURRENT_EVENTS Possible Upatre SSL Cert disenart.info
(current_events.rules)
  2018802 - ET CURRENT_EVENTS Possible Upatre SSL Cert host-galaxy.com
(current_events.rules)
  2018803 - ET CURRENT_EVENTS Possible Upatre SSL Cert
fxbingpanel.fareexchange.co.uk (current_events.rules)
  2018804 - ET CURRENT_EVENTS Possible Upatre SSL Cert
66h.66hosting.net (current_events.rules)
  2018805 - ET CURRENT_EVENTS Possible Upatre SSL Cert
businesswebstudios.com (current_events.rules)
  2018806 - ET CURRENT_EVENTS Possible Upatre SSL Cert
udderperfection.com (current_events.rules)

 Pro:

  2808461 - ETPRO MALWARE Win32/BrowseFox.H Checkin 2 (malware.rules)
  2808462 - ETPRO MOBILE_MALWARE AndroidOS/GinMaster.AR Checkin
(mobile_malware.rules)
  2808463 - ETPRO TROJAN Win32/Viknok.D Checkin 1 (trojan.rules)
  2808464 - ETPRO TROJAN Win32/Viknok.D Checkin 2 (trojan.rules)
  2808465 - ETPRO TROJAN Password Stealer MSIL/VOJIN.A Sending Stolen
Info (trojan.rules)
  2808466 - ETPRO MOBILE_MALWARE AndroidOS/FakePlayer.A Checkin
(mobile_malware.rules)
  2808467 - ETPRO MOBILE_MALWARE Android/SMForw.BV Checkin
(mobile_malware.rules)
  2808468 - ETPRO TROJAN Worm MSIL/Vonriamt.A Checkin 1 (trojan.rules)
  2808469 - ETPRO TROJAN Worm MSIL/Vonriamt.A Checkin 2 (trojan.rules)
  2808470 - ETPRO TROJAN Password Stealer MSIL/Vonriamt.A Checkin 3
(trojan.rules)
  2808471 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.FakeInst.a
Checkin 3 (mobile_malware.rules)

 [///]     Modified active rules:     [///]

  2018785 - ET CURRENT_EVENTS Possible ShellCode Passed as Argument to
FlashVars (current_events.rules)
  2807692 - ETPRO TROJAN Trojan.Banker.ACF Checkin (trojan.rules)
Hendrik Adrian | 29 Jul 17:16 2014

(no subject)

Hello Will, Matt,
Cc: all

A sophisticatedly made DDoS ELF botnet tool was detected, suggesting a bruter component.
Verdict is in the VirusTotal comment I wrote: https://www.virustotal.com/en/file/92c87b7bddb66de8a5a27d944b5d4b46c59b38047b8a5fc381118c615c3775f9/analysis/

There is nothing much in the callback pcap except the PUSH ACK packet containing the CNC communication, no headers. The investigation is ongoing.

Please see the attached image file, and kindly advise if there's anything that can be done in ET to block this communication, if it is not applied yet.
But I think a generic alert is being generated for this communication already, yes?

I was stripping the pcap but there is too much privacy attached.. I still don't think I can share it.. very sorry,

Sincerely

Rick
MalwareMustDie.org
Kevin Ross | 29 Jul 11:34 2014

SIG: ET SCAN Chroot-apache0day Unknown Web Scanner User Agent

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Chroot-apache0day Unknown Web Scanner User Agent"; flow:established,to_server; content:"User-agent|3A| chroot-apach0day"; http_header; fast_pattern:12,16; classtype:attempted-recon; reference:url,isc.sans.edu/forums/diary/Interesting+HTTP+User+Agent+chroot-apach0day+/18453; sid:1239991; rev:1;)

Kind Regards,
Kevin Ross
Francis Trudeau | 29 Jul 00:12 2014

Daily Ruleset Update Summary 07/28/2014

 [***] Summary: [***]

 12 new Open signatures, 26 new Pro (12+14).  FlashPack EK, Omeka 2.2
CSRF, Upatre, Various Android.

 Thanks: @EKWatcher, vlintelligence, @abuse_ch

 [+++]          Added rules:          [+++]

 Open:

  2018788 - ET TROJAN Possible CryptoWall encrypted download (trojan.rules)
  2018789 - ET POLICY TLS possible TOR SSL traffic (policy.rules)
  2018790 - ET CURRENT_EVENTS Possible Upatre SSL Cert
server.abaphome.net (current_events.rules)
  2018791 - ET CURRENT_EVENTS Possible Upatre SSL Cert 1stopmall.us
(current_events.rules)
  2018792 - ET MOBILE_MALWARE Worm.AndroidOS.Selfmite.a Checkin
(mobile_malware.rules)
  2018793 - ET TROJAN EUPUDS.A Requests for Boleto replacement  (trojan.rules)
  2018794 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Secondary
Landing June 28 2014 (current_events.rules)
  2018795 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Plugin Detect IE
Exploit (current_events.rules)
  2018796 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Plugin Detect
Java Exploit (current_events.rules)
  2018797 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Plugin Detect
Flash Exploit (current_events.rules)
  2018798 - ET TROJAN Infostealer.KLPROXY Checkin via SMTP (trojan.rules)
  2018799 - ET TROJAN Win32/Gatak Activity (trojan.rules)

 Pro:

  2808447 - ETPRO MOBILE_MALWARE Android/SMSreg.CL Checkin
(mobile_malware.rules)
  2808448 - ETPRO TROJAN Carberp/Rovnix Proxy Connection (trojan.rules)
  2808449 - ETPRO TROJAN Win32/Lmir.BMR Checkin (trojan.rules)
  2808450 - ETPRO TROJAN REVETON CnC SET (trojan.rules)
  2808451 - ETPRO TROJAN REVETON CnC OUTBOUND (trojan.rules)
  2808452 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Faketoken.a
Checkin 2 (mobile_malware.rules)
  2808453 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.GingerMaster.a
Checkin 6 (mobile_malware.rules)
  2808454 - ETPRO MOBILE_MALWARE Android/SMForw.CB Checkin
(mobile_malware.rules)
  2808455 - ETPRO MALWARE PUP Win32/Toolbar.Conduit Checkin 2 (malware.rules)
  2808456 - ETPRO MOBILE_MALWARE Android/Spy.GoldDream.C Checkin
(mobile_malware.rules)
  2808457 - ETPRO EXPLOIT Kolibri WebServer 2.0 Get Request SEH
Exploit (exploit.rules)
  2808458 - ETPRO EXPLOIT Omeka 2.2 CSRF Add Super User (exploit.rules)
  2808459 - ETPRO EXPLOIT Omeka 2.2 CSRF Add Persistent XSS (exploit.rules)
  2808460 - ETPRO EXPLOIT Omeka 2.2 CSRF Disable Fie Validation (exploit.rules)

 [///]     Modified active rules:     [///]

  2002400 - ET USER_AGENTS Suspicious User Agent (Microsoft Internet
Explorer) (user_agents.rules)
  2013508 - ET TROJAN Downloader User-Agent HTTPGET (trojan.rules)
  2018745 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (KINS C2) (trojan.rules)
  2807276 - ETPRO MALWARE Adware/GetFaster Checkin (malware.rules)

 [---]         Removed rules:         [---]

  2808428 - ETPRO TROJAN Win32/Rhubot.A Checkin (trojan.rules)
Darren Spruell | 26 Jul 08:21 2014

PF block rules and stateful filtering

Apologies if already raised or if I'm found to be a lunatic afterward
(emailing late on a Friday never recommended).

http://rules.emergingthreats.net/fwrules/emerging-PF-CC.rules

block in log (all) quick on $ext_if from <ET> to any

This is the rule used in all emerging-PF-*.rules files.

As written, the PF rule will block inbound connections from Internet C&C
servers into your environment. Since PF rules are implicitly stateful,
this would not apply to connections established out _to_ C&C servers
which limits its usefulness. :)

http://rules.emergingthreats.net/fwrules/emerging-PF-DROP.rules

Same story, although denying inbound connections from DROP hosts is
valuable. Probably still want to drop connections to them as well.

Also, the addresses on this one look to be missing the CIDR mask (IPs
all ending in .0).

http://rules.emergingthreats.net/fwrules/emerging-PF-DSHIELD.rules

The addresses on this one look to be missing the CIDR mask too.

I propose a small modification to the rule in each file to the following
pair:

block log quick from <ET> to any
block log quick from any to <ET>

This removes the dependency on the definition of the interface macro and the
explicit direction on the interface, so the rules drop traffic going in any
direction on any interface. The 'from' and 'to' are still required, though, so
that imposes some directionality and requires two rules for blocking traffic
out to or in from listed hosts.

The above can also be written more succinctly but with somewhat less
clarity:

block log quick from <ET>
block log quick to <ET>

In either case the rules parse in modern versions of PF and expand as
follows when loaded:

 @0 block drop log (all) quick from <ET:0> to any
 @1 block drop log (all) quick from any to <ET:0>

They should probably be tested on less modern versions of PF (FreeBSD and
OS X both run significantly behind OpenBSD's PF) if desired.

-- 
Darren Spruell
dspruell@...
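As an added illustration (not part of Darren's mail or of the ET feed), a Python script that checks a file in the emerging-PF-*.rules layout for the two issues raised above: table entries ending in .0 that carry no CIDR mask, and the single interface-bound inbound rule, which it rewrites into the proposed bidirectional pair. The sample file is constructed; the exact layout of the real feed is an assumption.

```python
import ipaddress
import re

# Constructed sample in the assumed layout of the emerging-PF-*.rules files
# (a persistent table of addresses plus one block rule); not the real feed.
SAMPLE_RULES = """\
# Emerging Threats PF rules (constructed sample)
table <ET> persist {
  192.0.2.0
  198.51.100.0/24
  203.0.113.7
  203.0.113.0
}
block in log (all) quick on $ext_if from <ET> to any
"""

ADDR_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})(/\d{1,2})?\s*$")
INBOUND_RULE_RE = re.compile(
    r"^block in log \(all\) quick on \$ext_if from <(\w+)> to any\s*$", re.M
)


def table_entries(text):
    """Return (address, prefix_or_None) for every bare address line in the file."""
    out = []
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            ipaddress.ip_address(m.group(1))  # rejects garbage such as 999.1.1.1
            out.append((m.group(1), int(m.group(2)[1:]) if m.group(2) else None))
    return out


def unmasked_network_addresses(text):
    """Addresses ending in .0 with no CIDR mask, the symptom seen in the DROP and
    DSHIELD files: PF loads x.y.z.0 as a single host, so the rest of the range
    that was meant to be blocked passes through."""
    return [a for a, p in table_entries(text) if p is None and a.endswith(".0")]


def bidirectional_rules(text):
    """Replace the interface-bound inbound rule with the proposed pair, which
    blocks traffic to or from the table in either direction on any interface."""
    def pair(m):
        t = m.group(1)
        return f"block log quick from <{t}> to any\nblock log quick from any to <{t}>"

    new_text, n = INBOUND_RULE_RE.subn(pair, text)
    if n != 1:
        raise ValueError(f"expected exactly one inbound block rule, found {n}")
    return new_text


if __name__ == "__main__":
    for addr in unmasked_network_addresses(SAMPLE_RULES):
        print(f"possible missing CIDR mask: {addr}")
    print(bidirectional_rules(SAMPLE_RULES))
```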
Francis Trudeau | 25 Jul 23:34 2014

Daily Ruleset Update Summary 07/25/2014

 [***] Summary: [***]

 13 new Open signatures, 28 new Pro (13+15).  Upatre, Various Android,
SmSPay.C, Sweet Orange EK.

 Thanks:  Jake Warren, Nathan Fowler, Kevin Ross, @EKWatcher, @jaimeblascob.

 [+++]          Added rules:          [+++]

 Open:

  2018775 - ET TROJAN Backdoor.Win32.Androm.dtrv CnC Server Fake
Server Header (trojan.rules)
  2018776 - ET CURRENT_EVENTS Possible Upatre SSL Cert
thelabelnashville.com (current_events.rules)
  2018777 - ET CURRENT_EVENTS Possible Upatre SSL Cert
cactussports.com (current_events.rules)
  2018778 - ET CURRENT_EVENTS Possible Upatre SSL Cert
yellowdevilgear.com (current_events.rules)
  2018779 - ET CURRENT_EVENTS Possible Upatre SSL Cert
michaelswinecellar.com (current_events.rules)
  2018780 - ET CURRENT_EVENTS Possible Upatre SSL Cert migsparkle.com
(current_events.rules)
  2018781 - ET MOBILE_MALWARE AndroidOS.Simplocker Checkin
(mobile_malware.rules)
  2018782 - ET SCAN Internet Scanning Project HTTP scan (scan.rules)
  2018783 - ET CURRENT_EVENTS Likely Evil XMLDOM Detection of Local
File (current_events.rules)
  2018784 - ET TROJAN Win32/Neurevt Check-in 4 (trojan.rules)
  2018785 - ET CURRENT_EVENTS Possible ShellCode Passed as Argument to
FlashVars (current_events.rules)
  2018786 - ET CURRENT_EVENTS Sweet Orange EK CDN Landing Page
(current_events.rules)
  2018787 - ET TROJAN Unknown Locker DL URI Struct Jul 25 2014 (trojan.rules)

 Pro:

  2808431 - ETPRO TROJAN Backdoor.Ratenjay!gen2 Checkin (trojan.rules)
  2808432 - ETPRO TROJAN Backdoor.Korplug!gen6 Checkin (HTTP) (trojan.rules)
  2808433 - ETPRO TROJAN Backdoor.Korplug!gen6 Checkin (UDP) (trojan.rules)
  2808434 - ETPRO MALWARE Win32/SoftPulse.H Checkin (malware.rules)
  2808435 - ETPRO MALWARE PUP Win32/WinloadSDA.D Checkin (malware.rules)
  2808436 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Agent.aj Checkin
(mobile_malware.rules)
  2808438 - ETPRO MOBILE_MALWARE Trojan.Android.TrojanSMS.bABM Checkin
(mobile_malware.rules)
  2808439 - ETPRO TROJAN Trojan-Clicker.Win32.Agent.adoa Checkin (trojan.rules)
  2808440 - ETPRO MALWARE AdWare.Filcout Install (malware.rules)
  2808441 - ETPRO MOBILE_MALWARE Android-Spyware/SpyApp Checkin
(mobile_malware.rules)
  2808442 - ETPRO MALWARE PUP Win32/Toolbar.Conduit Checkin (malware.rules)
  2808443 - ETPRO MALWARE Win32/Conduit.SearchProtect.N Installation
Callback (malware.rules)
  2808444 - ETPRO TROJAN Trojan.Win32.Stantinko.bF Checkin (trojan.rules)
  2808445 - ETPRO MOBILE_MALWARE Android.Riskware.SmsPay.C Checkin 3
(mobile_malware.rules)
  2808446 - ETPRO TROJAN Win32.Rbrute.a Checkin (trojan.rules)

 [///]     Modified active rules:     [///]

  2018078 - ET TROJAN W32/Kbot.Backdoor Variant CnC Beacon (trojan.rules)
  2808213 - ETPRO CURRENT_EVENTS Safe/Critx/FlashPack URI Struct June
19, 2014 2 (current_events.rules)
Nathan Fowler | 25 Jul 20:01 2014

Proposed Signature for Internet Scanning Project HTTP Activity


[20/Jul/2014:12:10:22 -0500]	192.81.131.15	GET / HTTP/1.0
research-scanner/1.0.(www.internetscanningproject.org)
[20/Jul/2014:16:37:00 -0500]	173.255.223.118	GET / HTTP/1.0
research-scanner/1.0.(www.internetscanningproject.org)
[21/Jul/2014:06:32:53 -0500]	74.207.252.212	GET / HTTP/1.0
research-scanner/1.0.(www.internetscanningproject.org)
[21/Jul/2014:08:15:20 -0500]	173.255.223.118	GET / HTTP/1.0
research-scanner/1.0.(www.internetscanningproject.org)
[23/Jul/2014:22:30:00 -0500]	192.81.131.15	GET / HTTP/1.0
research-scanner/1.0.(www.internetscanningproject.org)
[24/Jul/2014:00:05:23 -0500]	74.207.252.212	GET / HTTP/1.0
research-scanner/1.0.(www.internetscanningproject.org)
[24/Jul/2014:05:04:45 -0500]	192.81.131.15	GET / HTTP/1.0
research-scanner/1.0.(www.internetscanningproject.org)
[24/Jul/2014:13:51:21 -0500]	74.207.252.212	GET / HTTP/1.0
research-scanner/1.0.(www.internetscanningproject.org)
[24/Jul/2014:19:04:19 -0500]	173.230.156.31	GET / HTTP/1.0
research-scanner/1.0.(www.internetscanningproject.org)

Proposed ET Sig:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS
(msg:"ET CURRENT_EVENTS Internet Scanning Project HTTP scan";
flow:established,to_server;
content:"User-Agent|3a 20|research-scanner/"; http_header;
fast_pattern:only; content:"internetscanningproject.org"; http_header;
reference:url,www.internetscanningproject.org;
classtype:attempted-recon;
sid:x; rev:1;)

PCAP Snippets:

19:04:19.475698 IP 173.230.156.31.14046 > 192.168.1.1.80: P 1:100(99)
ack 1
win 600
0x0000:  4500 008b 13fd 0000 f306 a7c0 ade6 9c1f  E...............
0x0010:  c0a8 0101 36de 0050 2e8e 4668 eb6f cc2c  ....6..P..Fh.o.,
0x0020:  5018 0258 3c4b 0000 4745 5420 2f20 4854  P..X<K..GET./.HT
0x0030:  5450 2f31 2e30 0d0a 5573 6572 2d41 6765  TP/1.0..User-Age
0x0040:  6e74 3a20 7265 7365 6172 6368 2d73 6361  nt:.research-sca
0x0050:  6e6e 6572 2f31 2e30 2028 7777 772e 696e  nner/1.0.(www.in
0x0060:  7465 726e 6574 7363 616e 6e69 6e67 7072  ternetscanningpr
0x0070:  6f6a 6563 742e 6f72 6729 0d0a 4163 6365  oject.org)..Acce
0x0080:  7074 3a20 2a2f 2a0d 0a0d 0a              pt:.*/*....

13:51:21.855029 IP 74.207.252.212.14046 > 192.168.1.1.80: P 1:100(99)
ack 1
win 600
0x0000:  4500 008b 2268 0000 f306 9bb7 4acf fcd4  E..."h......J...
0x0010:  c0a8 0101 36de 0050 8ca2 77fd a195 fcf3  ....6..P..w.....
0x0020:  5018 0258 c816 0000 4745 5420 2f20 4854  P..X....GET./.HT
0x0030:  5450 2f31 2e30 0d0a 5573 6572 2d41 6765  TP/1.0..User-Age
0x0040:  6e74 3a20 7265 7365 6172 6368 2d73 6361  nt:.research-sca
0x0050:  6e6e 6572 2f31 2e30 2028 7777 772e 696e  nner/1.0.(www.in
0x0060:  7465 726e 6574 7363 616e 6e69 6e67 7072  ternetscanningpr
0x0070:  6f6a 6563 742e 6f72 6729 0d0a 4163 6365  oject.org)..Acce
0x0080:  7074 3a20 2a2f 2a0d 0a0d 0a              pt:.*/*....

Cheers,
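To check the proposed signature against the packet quoted above, here is an added Python script (not part of the post or of the ET rule set) that decodes the tcpdump hexdump, strips the IP and TCP headers using their length fields, and applies the rule's conditions to the header block. HTTP_PORTS is an assumed stand-in for $HTTP_PORTS.

```python
import re

# tcpdump -x output of the first probe quoted in the post, reused as the input here.
HEXDUMP = """\
0x0000:  4500 008b 13fd 0000 f306 a7c0 ade6 9c1f  E...............
0x0010:  c0a8 0101 36de 0050 2e8e 4668 eb6f cc2c  ....6..P..Fh.o.,
0x0020:  5018 0258 3c4b 0000 4745 5420 2f20 4854  P..X<K..GET./.HT
0x0030:  5450 2f31 2e30 0d0a 5573 6572 2d41 6765  TP/1.0..User-Age
0x0040:  6e74 3a20 7265 7365 6172 6368 2d73 6361  nt:.research-sca
0x0050:  6e6e 6572 2f31 2e30 2028 7777 772e 696e  nner/1.0.(www.in
0x0060:  7465 726e 6574 7363 616e 6e69 6e67 7072  ternetscanningpr
0x0070:  6f6a 6563 742e 6f72 6729 0d0a 4163 6365  oject.org)..Acce
0x0080:  7074 3a20 2a2f 2a0d 0a0d 0a              pt:.*/*....
"""

HTTP_PORTS = {80, 8080}  # stand-in for $HTTP_PORTS (assumption, not the ET variable)


def parse_tcpdump_hex(dump):
    """Rebuild raw packet bytes from 'offset: hex words  ascii' lines."""
    words = []
    for line in dump.splitlines():
        m = re.match(r"^0x[0-9a-f]+:\s+((?:[0-9a-f]{2,4}\s+)+)", line, re.I)
        if m:
            words.append(m.group(1))
    return bytes.fromhex("".join(words))


def tcp_payload(pkt):
    """Strip the IPv4 and TCP headers using their own length fields and
    return (tcp_dst_port, payload)."""
    if pkt[0] >> 4 != 4:
        raise ValueError("IPv4 packet expected")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = int.from_bytes(pkt[2:4], "big")
    dst_port = int.from_bytes(pkt[ihl + 2:ihl + 4], "big")
    doff = (pkt[ihl + 12] >> 4) * 4
    return dst_port, pkt[ihl + doff:total_len]


def http_header_buffer(payload):
    """Approximate Suricata's http_header buffer: the header block after the
    request line, or None when the request is not complete."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep or b"\r\n" not in head:
        return None
    return head.split(b"\r\n", 1)[1]


def sig_matches(pkt):
    """Apply the proposed rule: to_server on an HTTP port, and both content
    matches present in the header buffer."""
    dst_port, payload = tcp_payload(pkt)
    if dst_port not in HTTP_PORTS:
        return False
    hdrs = http_header_buffer(payload)
    if hdrs is None:
        return False
    return (b"User-Agent: research-scanner/" in hdrs
            and b"internetscanningproject.org" in hdrs)


if __name__ == "__main__":
    packet = parse_tcpdump_hex(HEXDUMP)
    print("rule fires:", sig_matches(packet))
```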
Jake Warren | 25 Jul 14:34 2014

Sigs for Sweet Orange EK

While looking at hits I had on 2018737 I noticed the server was setting a cookie with a specific structure. I don't have much of a sample set to work with but these signatures might be good for research purposes.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Sweet Orange EK cookie"; flow:established,from_server; content:"mbzyn="; http_cookie; pcre:"/mbzyn=[a-zA-Z0-9\.]{19}__[0-9a-zA-Z\.]{21}--;$/C"; classtype:trojan-activity; sid:xxxx; rev:1;)

Derived the following signatures from www.malware-traffic-analysis.net/2014/07/24/index.html & www.malware-traffic-analysis.net/2014/07/08/index.html

alert tcp $HOME_NET any -> $EXTERNAL_NET 16122 (msg:"Sweet Orange EK CDN Landing Page"; flow:established,to_server; content:"GET "; depth:4; content:"stargalaxy.php?nebula=3"; reference:url,http://www.malware-traffic-analysis.net/2014/07/24/index.html; classtype:trojan-activity; sid:xxxx; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 16122 (msg:"Sweet Orange EK Flash payload request"; flow:established,to_server; content:"GET "; depth:4; content:"hxwXHAp"; content:"Referer:"; content:"stargalaxy.php?nebula=3"; classtype:trojan-activity; reference:cve,2014-0515; reference:url,http://www.malware-traffic-analysis.net/2014/07/24/index.html; sid:xxxx; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 16122 (msg:"Sweet Orange executable request"; flow:established,to_server; content:"GET /cars.php?"; depth:14; content:"Host|3a|"; content:!"Referer|3a|"; content:!"User-Agent|3a|"; classtype:trojan-activity; reference:url,http://www.malware-traffic-analysis.net/2014/07/24/index.html; sid:xxxx; rev:1;)

Jake Warren
Level 2 Sr. Network Security Analyst
www.masergy.com

Kevin Ross | 25 Jul 10:36 2014

SIG: ET TROJAN W32/Dyranges.Infostealer

A binary I found coming in which I analyzed (fortunately AV got it although this means traffic is from analysis rather than live network infection). I have attached screenshots of the download & the beaconing.

alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Dyranges.Infostealer CnC Beacon"; flow:established,to_server; pcre:"/\x2F\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2F$/U"; content:"User-Agent|3A| Opera/9.80|0D 0A|"; http_header; fast_pattern:12,12; pcre:"/^Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x3A\d{2,5}/H"; classtype:trojan-activity; reference:md5,7e3e28320d209a586917668e3b8eac40; sid:1239991; rev:1;)

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/Dyranges.Infostealer CnC Server Fake Server Header"; flow:established,to_client; content:"Server|3A| Stalin"; http_header; fast_pattern:only; classtype:trojan-activity; reference:md5,7e3e28320d209a586917668e3b8eac40; sid:1239992; rev:1;)


Kind Regards,
Kevin Ross
