Will Metcalf | 22 Jul 00:51 2014

Daily Ruleset Update Summary 07/21/2014

[***]         Summary:          [***]

8 new Open rules. 21 new Pro rules (8/13) Win32.Androm, SSL Blacklist, Optimizer Pro, etc.
Thanks @ryancmoon, @abuse_ch, @malwaresigs.
 
[+++]          Added rules:          [+++]

  Open:
  2018742 - ET MALWARE OptimizerPro Checkin (malware.rules)
  2018743 - ET MALWARE PUP Optimizer Pro Adware Download (malware.rules)
  2018744 - ET MALWARE PUP Optimizer Pro Adware GET or POST to C2 (malware.rules)
  2018745 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
  2018746 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
  2018747 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
  2018748 - ET TROJAN PE downloaded malicious SSL certificate (CZ Solutions) (trojan.rules)
  2018749 - ET TROJAN Backdoor.Win32.Androm.dtrv Checkin 3 (trojan.rules)

  Pro:
  2808396 - ETPRO TROJAN Cryptowall Downloading Executable (trojan.rules)
  2808397 - ETPRO TROJAN Cryptowall/Androm Connectivity Check (trojan.rules)
  2808398 - ETPRO TROJAN W32/Agent.QDS!tr sending info (AMD) (trojan.rules)
  2808399 - ETPRO TROJAN W32/Agent.QDS!tr sending info (Intel) (trojan.rules)
  2808400 - ETPRO TROJAN TrojanDownloader.Win32/Yesudac.A Download exe (trojan.rules)
  2808402 - ETPRO TROJAN Win32/PowerLoad.B Checkin (trojan.rules)
  2808403 - ETPRO TROJAN Win32/PowerLoader.B Checkin response (trojan.rules)
  2808404 - ETPRO TROJAN Trojan.Win32.Banload.crnfky Checkin (trojan.rules)
  2808405 - ETPRO TROJAN Trojan.Win32.Invader Checkin (trojan.rules)
  2808406 - ETPRO TROJAN Backdoor.MSIL/Sisbot.C IRC Checkin (trojan.rules)
  2808407 - ETPRO MOBILE_MALWARE Android.Trojan.FakeInst.BX Checkin 2 (mobile_malware.rules)
  2808408 - ETPRO MOBILE_MALWARE Android.Trojan.FakeInst.BX Checkin 3 (mobile_malware.rules)
  2808409 - ETPRO MOBILE_MALWARE Android.Riskware.SmsPay.D Checkin (mobile_malware.rules)
Ryan | 21 Jul 18:53 2014

Optimizer Pro Adware

Salutations all,

Picked up an infection on an asset over the weekend that seems to be
leaking data all over the place that has been identified as Optimizer
Pro. We initially spotted this due to the strange UA on the initial
request ('win32'), but after researching it appears that the UA changes
from sample to sample. The following should help detect this nonsense:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Optimizer Pro Adware GET or POST C&C 2014-07-21"; flow:established,to_server; content:"optpro"; http_header; pcre:"/\/install\/\?q=/U"; reference:url,malwr.com/analysis/NjdkMTczMDQ0MDQ0NGNmZWE0OTgzYTY2YzU5OGY2YmI/; classtype:trojan-activity; sid:x; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Optimizer Pro Adware Download 2014-07-21"; flow:established,to_server; content:"GET"; http_method; content:"optimizerpro.exe"; http_uri; reference:url,malwr.com/analysis/NjdkMTczMDQ0MDQ0NGNmZWE0OTgzYTY2YzU5OGY2YmI/; classtype:trojan-activity; sid:x; rev:1;)

We also blocked using the following:
^http:\/\/[^\x2f]+\.optpro[^\x2f]+\.info\/ Ryan C. Moon, 2014-07-21,
Optimizer Pro Adware C&C Check-in
^http:\/\/[^\x3f]+\/optimizerpro.exe$ Ryan C. Moon, 2014-07-21,
Optimizer Pro Adware Download
207.244.66.33 Ryan C. Moon, 2014-07-21, Optimizer Pro Adware Host

Validation:
SELECT distinct url_host FROM webwasher_full WHERE day>='2014-04-17' and
url_host like '%optpro%.info%'
url_host IN ('optprosurfing.info', 'optproremoval.info',
'optprobrowser.info', 'optpro.info')

SELECT * FROM webwasher_full WHERE day>='2014-04-17' and url like
'%/optimizerpro.exe'
{ 0 results }

Sample URLs available privately (info will be tainted as I am not sure
what data is contained in the GET uri variables yet).

Happy hunting,

-Ryan

Francis Trudeau | 18 Jul 23:17 2014

Daily Ruleset Update Summary 07/18/2014 - Part two

 [***] Summary: [***]

 5 new Open signatures, 17 new Pro (5+12).  Sweet Orange,
Kuluoz/Asprox, Various Android.

 Thanks:  Jake Warren, Kevin Ross, Regit, Adnan Shukor, Nathan Fowler,
tdzmont, Ify Ajokubi.

 [+++]          Added rules:          [+++]

 Open:

  2018737 - ET CURRENT_EVENTS Fake CDN Sweet Orange Gate July 17 2014
(current_events.rules)
  2018738 - ET TROJAN Pain File Stealer sending wallet.dat via SMTP
(trojan.rules)
  2018739 - ET TROJAN Kuluoz / Asprox checkin (trojan.rules)
  2018740 - ET WEB_SERVER Adobe Flash Player Rosetta Flash compressed
CWS in URI (web_server.rules)
  2018741 - ET CURRENT_EVENTS Fiesta EK randomized javascript Gate Jul
18 2014 (current_events.rules)

 Pro:

  2808384 - ETPRO MOBILE_MALWARE Android/Simplocker.D Checkin
(mobile_malware.rules)
  2808385 - ETPRO TROJAN Win32.Xema Checkin (trojan.rules)
  2808386 - ETPRO TROJAN Trojan.Win32.Generic.AtsI Checkin (trojan.rules)
  2808387 - ETPRO TROJAN Trojan.Win32.Generic.AtsI Checkin 2 (trojan.rules)
  2808388 - ETPRO TROJAN W32/Expiro.BB checkin (trojan.rules)
  2808389 - ETPRO TROJAN Dtcontx.F Checkin (trojan.rules)
  2808390 - ETPRO MALWARE PUP AdWare.OxyPumper Download (malware.rules)
  2808391 - ETPRO TROJAN Trojan.Injector.AWX checkin (trojan.rules)
  2808392 - ETPRO TROJAN Win32/Kanav.B Checkin (trojan.rules)
  2808393 - ETPRO MOBILE_MALWARE Android/Fakeinst.HX Checkin
(mobile_malware.rules)
  2808394 - ETPRO MOBILE_MALWARE Android.Trojan.Agent.XFG Checkin
(mobile_malware.rules)
  2808395 - ETPRO TROJAN Win32/Rovnix.H checkin (trojan.rules)

 [---]  Disabled and modified rules:  [---]

  2000908 - ET MALWARE WhenUClick.com App and Search Bar Install (1)
(malware.rules)
  2000909 - ET MALWARE WhenUClick.com App and Search Bar Install (2)
(malware.rules)
  2000910 - ET MALWARE WhenUClick.com Clock Sync App Checkin (malware.rules)
  2000911 - ET MALWARE WhenUClick.com Weather App Checkin (malware.rules)
  2000912 - ET MALWARE WhenUClick.com Clock Sync App Checkin (1) (malware.rules)
  2000913 - ET MALWARE WhenUClick.com Clock Sync App Checkin (2) (malware.rules)
  2000914 - ET MALWARE WhenUClick.com Weather App Checkin (1) (malware.rules)
  2000915 - ET MALWARE WhenUClick.com Weather App Checkin (2) (malware.rules)
  2000916 - ET MALWARE WhenUClick.com WhenUSave App Checkin (malware.rules)
  2000917 - ET MALWARE WhenUClick.com WhenUSave Data Retrieval
(offersdata) (malware.rules)
  2000918 - ET MALWARE WhenUClick.com Desktop Bar Install (malware.rules)
  2001443 - ET MALWARE WhenUClick.com Desktop Bar App Checkin (malware.rules)
  2003389 - ET MALWARE WhenUClick.com Application Version Check (malware.rules)
  2003404 - ET MALWARE WhenUClick.com WhenUSave Data Retrieval
(DataChunksGZ) (malware.rules)

 [---]         Disabled rules:        [---]

  2000919 - ET MALWARE WhenUClick.com WhenUSave Data Retrieval
(Searchdb) (malware.rules)
Francis Trudeau | 18 Jul 16:13 2014

Daily Ruleset Update Summary 07/18/2014

 [***] Summary: [***]

 45 new Open signatures, 47 new Pro (45+2).  ABUSE.CH SSL C2, Upatre,
Predator Pain.

 Today we are publishing the signatures created and shared by
abuse.ch. We have converted the majority of them to Snort, but due to
the inability of Snort to match on the SHA1 fingerprint of a SSL cert,
some of their signatures are being released for Suricata only. Special
thanks to abuse.ch for the work they do and for allowing us to share
these with the community!

 Thanks:  Ify Ajokubi and Waldo Kitty.

 [+++]          Added rules:          [+++]

 Open:

  2018687 - ET TROJAN Win32/Aibatook checkin 2 (trojan.rules)
  2018688 - ET TROJAN Predator Pain Sending Data over SMTP (trojan.rules)
  2018689 - ET SCAN LibSSH2 Based SSH Connection - Often used as a
BruteForce Tool (scan.rules)
  2018690 - ET CURRENT_EVENTS Possible Upatre SSL Cert
karinejoncas.com (current_events.rules)
  2018691 - ET CURRENT_EVENTS Possible Upatre SSL Cert deslematin.ca
(current_events.rules)
  2018692 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (KINS C2) (trojan.rules)
  2018693 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (CryptoWall C2) (trojan.rules)
  2018694 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (KINS C2) (trojan.rules)
  2018695 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (KINS C2) (trojan.rules)
  2018696 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (Vawtrak MITM) (trojan.rules)
  2018697 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (KINS C2) (trojan.rules)
  2018698 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (KINS C2) (trojan.rules)
  2018699 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (KINS C2) (trojan.rules)
  2018700 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (Malware C2) (trojan.rules)
  2018701 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (Vawtrak MITM) (trojan.rules)
  2018702 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (Vawtrak MITM) (trojan.rules)
  2018703 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (KINS C2) (trojan.rules)
  2018704 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (KINS C2) (trojan.rules)
  2018705 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (KINS C2) (trojan.rules)
  2018706 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (Vawtrak MITM) (trojan.rules)
  2018707 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (KINS C2) (trojan.rules)
  2018708 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (KINS C2) (trojan.rules)
  2018711 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (KINS C2) (trojan.rules)
  2018712 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (KINS C2) (trojan.rules)
  2018714 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (KINS C2) (trojan.rules)
  2018715 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (ZeuS C2) (trojan.rules)
  2018716 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (KINS C2) (trojan.rules)
  2018717 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (CryptoWall C2) (trojan.rules)
  2018718 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (KINS C2) (trojan.rules)
  2018719 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (KINS C2) (trojan.rules)
  2018720 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (Shylock C2) (trojan.rules)
  2018721 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (Vawtrak MITM) (trojan.rules)
  2018722 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (Vawtrak C2) (trojan.rules)
  2018723 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (KINS C2) (trojan.rules)
  2018724 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (KINS C2) (trojan.rules)
  2018725 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (KINS C2) (trojan.rules)
  2018726 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (KINS C2) (trojan.rules)
  2018727 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (KINS C2) (trojan.rules)
  2018728 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (Vawtrak MITM) (trojan.rules)
  2018729 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (Vawtrak MITM) (trojan.rules)
  2018730 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (KINS C2) (trojan.rules)
  2018731 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (Vawtrak MITM) (trojan.rules)
  2018732 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (KINS C2) (trojan.rules)
  2018733 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (Vawtrak MITM) (trojan.rules)
  2018734 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (Vawtrak MITM) (trojan.rules)
  2018736 - ET CURRENT_EVENTS ABUSE.CH SSL Fingerprint Blacklist
Malicious SSL certificate detected (KINS C2) (current_events.rules)

 Pro:

  2808382 - ETPRO TROJAN C-HSpy checkin via SMTP (trojan.rules)
  2808383 - ETPRO TROJAN Win32/Selfish.E MySQL login attempt
(OUTBOUND) (trojan.rules)

 [///]     Modified active rules:     [///]

  2006435 - ET SCAN LibSSH Based SSH Connection - Often used as a
BruteForce Tool (scan.rules)
  2015560 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (Shylock C2) (trojan.rules)
  2015996 - ET EXPLOIT MySQL Server for Windows Remote SYSTEM Level
Exploit (Stuxnet Technique) (exploit.rules)
  2018017 - ET TROJAN Predator Logger Sending Data over SMTP (trojan.rules)
  2018494 - ET CURRENT_EVENTS ABUSE.CH SSL Fingerprint Blacklist
Malicious SSL certificate detected (KINS C2) (current_events.rules)
  2018600 - ET CURRENT_EVENTS ABUSE.CH SSL Fingerprint Blacklist
Malicious SSL certificate detected (KINS C2) (current_events.rules)
  2018642 - ET TROJAN DNS Reply Sinkhole Microsoft NO-IP Domain (trojan.rules)
  2018683 - ET TROJAN Backdoor.Win32.Androm.dtrv Checkin 2 (trojan.rules)

 [///]    Modified inactive rules:    [///]

  2805942 - ETPRO INFO SSL server Hello certificate Internet Widgits
Pty Ltd State or Province name Some-State (info.rules)

 [---]         Removed rules:         [---]

  2405070 - ET CNC Shadowserver Reported CnC Server Port 38294 Group 1
(botcc.portgrouped.rules)
  2405071 - ET CNC Shadowserver Reported CnC Server Port 54321 Group 1
(botcc.portgrouped.rules)
  2405072 - ET CNC Shadowserver Reported CnC Server Port 58914 Group 1
(botcc.portgrouped.rules)
  2808173 - ETPRO CURRENT_EVENTS Possible Win32/Zbot SSL Cert
(current_events.rules)
adnan.shukor | 17 Jul 17:19 2014

Kuluoz / asprox

My first rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Kuluoz / Asprox"; content:"GET"; http_method; pcre:"/\/api\/[a-zA-Z0-9\+\/\%]{42,45}\=\/[a-zA-Z\-\_]+$/Us"; classtype:trojan-activity; sid:1000000; rev:1;)

eg:

http://feierling.de/components/api/Gmefz4eoDVQIeOTx/6kallVldCbwKwT7yOcozbjHPJs=/toll
http://feierl-herzele.com/components/api/hLgbBVbB/dMwFNVUGFtoQ/WDgpxXqivE8rMSOvn3KCo=/toll
http://elbizz.com/tmp/api/kXdfBCkL/OBfmfuE6Wbuwf7tRtBwxtTkjIxcceP6nIg=/inv
http://eosforos.net/tmp/api/AmyZ5OJ/BoIbjGx5NHKBFWbQbA61P5AKBzvFUq2UCjs=/inv

Jake Warren | 17 Jul 15:52 2014

2018642 - Microsoft No-ip sinkhole

Hi,

Can you confirm that the content for 2018642 is correct? Seems like it should be content:"|00 04 cc 5f 63|" (204.95.99.0/24) instead of content:"|00 04 cf 5f 63|" (207.95.99.0/24).

Kaspersky is saying that the sinkhole is 204.95.99.59: securelist.com/blog/events/64143/microsoft-seizes-22-no-ip-domains-disrupts-cybercriminal-and-nation-state-apt-malware-operations/

Thanks!

Jake Warren
Level 2 Sr. Network Security Analyst
www.masergy.com
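
The hex-versus-decimal check Jake describes, as an added example (not part of the original message and not the text of rule 2018642, of which only the two quoted content strings are used here): it expands Snort's |..| content notation to bytes, reads back which /24 each variant actually pins, and runs both variants against a constructed DNS reply that answers with the sinkhole address cited from the securelist post. The query name in the reply is made up.

```python
"""Check what a Snort |..| content pins in a DNS A answer. Added example for
Jake's question above; not the text of rule 2018642 itself."""
import socket
import struct

AS_PUBLISHED = "|00 04 cf 5f 63|"   # the content Jake quotes from 2018642
AS_PROPOSED = "|00 04 cc 5f 63|"    # his suggested correction
SINKHOLE_IP = "204.95.99.59"        # sinkhole address from the securelist post


def snort_hex(content: str) -> bytes:
    """Turn '|00 04 cc 5f 63|' into the raw bytes Snort would search for."""
    return bytes.fromhex(content.strip().strip("|"))


def content_as_cidr(content: str) -> str:
    """Read a |00 04 a b c| content back as the /24 it really matches: the
    00 04 is the RDLENGTH of an A record, the next three bytes are its first
    three octets. A decimal/hex slip (207 vs 0xcf) shows up immediately here."""
    raw = snort_hex(content)
    if raw[:2] != b"\x00\x04" or len(raw) != 5:
        raise ValueError("expected RDLENGTH 4 followed by three address octets")
    return "%d.%d.%d.0/24" % tuple(raw[2:5])


def a_answer(ip: str, ttl: int = 300) -> bytes:
    """One answer RR: name pointer to the question, TYPE A, CLASS IN, TTL, RDLENGTH, RDATA."""
    return b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)


def dns_reply(qname: str, ip: str, txid: int = 0x1234) -> bytes:
    """Minimal constructed DNS response (flags 0x8180: QR, RD, RA) with one A answer."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)
    return header + question + a_answer(ip)


def check() -> dict:
    pkt = dns_reply("victim.no-ip.example", SINKHOLE_IP)   # constructed name
    return {
        "published_cidr": content_as_cidr(AS_PUBLISHED),
        "proposed_cidr": content_as_cidr(AS_PROPOSED),
        "published_hits_sinkhole": snort_hex(AS_PUBLISHED) in pkt,
        "proposed_hits_sinkhole": snort_hex(AS_PROPOSED) in pkt,
    }


if __name__ == "__main__":
    for k, v in check().items():
        print(f"{k}: {v}")
```

Running it shows the published content pins 207.95.99.0/24 and misses the sinkhole reply entirely, while the proposed one pins 204.95.99.0/24 and hits; the same `content_as_cidr` helper is a cheap review step for any sinkhole rule written as raw answer bytes.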

mex | 17 Jul 10:29 2014

RosettaFlash-Signature


Totally untested; might get some tuning in the within/distance section
behind the callback arg.

#
# http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
# http://miki.it/RosettaFlash/RosettaFlash.pdf
# http://quaxio.com/jsonp_handcrafted_flash_files/
#
# credits to  <at> mikispag helped me getting the regex right
#

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"RosettaFlash Exploit-Attempt"; flow:established,to_server; uricontent:"?callback=CWS"; nocase; uricontent:"hC"; within:9; pcre:"/callback=CWS\w{5}hC\w{50,}/i"; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:url,miki.it/RosettaFlash/RosettaFlash.pdf; reference:url,quaxio.com/jsonp_handcrafted_flash_files/; classtype:web-application-attack; sid:XXXXXXXXXXXXXX; rev:2;)

regards,

mex
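
What the draft rule's pcre keys on, and the server-side fix it is a stopgap for, as an added example (my code, not mex's rule and not the writeup's): the same `callback=CWS.....hC...` shape is checked on the IDS side, and a JSONP responder is shown in its vulnerable form next to the hardened one. The attacker callback below is a constructed stand-in of the right shape, not a working SWF; the `/**/` prefix is the mitigation the Rosetta Flash writeup describes.

```python
"""Rosetta Flash: detect the callback shape mex's pcre keys on, and show the
server-side fix. Added example, not code from the thread or the writeup."""
import re

# Same pattern as the pcre in the draft rule above: SWF magic "CWS", 5 chars of
# version+length, then "hC" (0x68 0x43, a valid zlib header that happens to be
# alphanumeric), then a long run of word characters.
ROSETTA_RE = re.compile(r"callback=CWS\w{5}hC\w{50,}", re.I)

# A typical JSONP allowlist: JavaScript identifier-ish names only.
CALLBACK_OK = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$.]*$")

# Constructed stand-in for an attacker callback; the real payload is a whole
# zlib-compressed SWF expressed in this charset, which is not reproduced here.
ATTACK_CALLBACK = "CWSxxxxxhC" + "A" * 60
BENIGN_CALLBACK = "jQuery21305_1405000000000"


def looks_like_rosetta_flash(query_string: str) -> bool:
    """IDS-side check on the raw query string (what the rule's pcre does)."""
    return ROSETTA_RE.search(query_string) is not None


def naive_jsonp(callback: str, json_body: str) -> str:
    """Vulnerable shape: the reflected callback is the first thing in the body,
    so a callback starting with CWS makes the whole response parse as a SWF."""
    return f"{callback}({json_body});"


def hardened_jsonp(callback: str, json_body: str) -> str:
    """Allowlist the name AND prefix the body so it can never start with a SWF
    header. The allowlist alone does not help: the payload is alphanumeric."""
    if not CALLBACK_OK.match(callback):
        raise ValueError("callback is not a plain identifier")
    return "/**/" + f"{callback}({json_body});"


def starts_like_swf(body: str) -> bool:
    """Flash Player decides on the first bytes: CWS/FWS/ZWS magic."""
    return body[:3] in ("CWS", "FWS", "ZWS")


def demo() -> dict:
    payload = '{"user":"alice","csrf":"t0k3n"}'   # constructed JSONP body
    return {
        "ids_flags_attack": looks_like_rosetta_flash("callback=" + ATTACK_CALLBACK),
        "ids_flags_benign": looks_like_rosetta_flash("callback=" + BENIGN_CALLBACK),
        "allowlist_alone_stops_it": not CALLBACK_OK.match(ATTACK_CALLBACK),
        "naive_is_swf": starts_like_swf(naive_jsonp(ATTACK_CALLBACK, payload)),
        "hardened_is_swf": starts_like_swf(hardened_jsonp(ATTACK_CALLBACK, payload)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The interesting line of output is `allowlist_alone_stops_it: False`: the attacker's callback passes an identifier allowlist, which is why the IDS rule is worth having on inbound traffic to your own JSONP endpoints until the response prefix is in place.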
Kevin Ross | 17 Jul 10:16 2014

SIG: ET TROJAN W32/Aibatook.Banker CnC Beacon

Hi,

This beacon appears to stay the same across multiple samples, and it is also present in an initial downloader-type component. Given that both display the same behaviours, I think it may actually have been an update: it does this beacon, gets a response back, downloads an EXE claiming to be an audio file (which fires the sig), and then the next sample downloaded, which had a .mp3 extension, continues doing this beacon. So I think it was an update across multiple samples and versions.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Aibatook.Banker CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/u.html"; fast_pattern; http_uri; depth:7; content:"User-Agent|3A| Mozilla/5.0 (compatible|3B| MSIE 10.0|3B| Windows NT 6.1|3B| Trident/6.0)"; http_header; content:!"Referer|3A|"; http_header; classtype:trojan-activity; reference:url,www.welivesecurity.com/2014/07/16/win32aibatook/; reference:md5,b4ea519e84491c9dc033ecd4dc396313; sid:198331; rev:1;)

Regards,
Kevin
waldo kitty | 17 Jul 05:58 2014

nighthunter??


i'm sure there are but i still wanna ask... anyone working on this thing?? is it 
valid or??

http://www.cyphort.com/blog/nighthunter-massive-campaign-steal-credentials-revealed/

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
Francis Trudeau | 16 Jul 23:37 2014

Daily Ruleset Update Summary 07/16/2014

 [***] Summary: [***]

 6 new Open signatures, 19 new Pro (6+13).  Soraya, Banload, Various
Android (SMSSend, Infostealer), SweetOrange.

 Thanks: @EKWatcher

 [+++]          Added rules:          [+++]

 Open:

  2018680 - ET TROJAN Soraya Credit Card Exfiltration (trojan.rules)
  2018681 - ET TROJAN W32/Kazy.325252 Variant CnC Beacon 1 (trojan.rules)
  2018682 - ET TROJAN W32/Kazy.325252 Variant CnC Beacon 2 (trojan.rules)
  2018683 - ET TROJAN Backdoor.Win32.Androm.dtrv Checkin 2 (trojan.rules)
  2018685 - ET TROJAN Win32/Aibatook checkin (trojan.rules)
  2018686 - ET CURRENT_EVENTS Possible Malvertising Redirect URI
Struct Jul 16 2014 (current_events.rules)

 Pro:

  2808369 - ETPRO MALWARE Adware.InstallCore.B Checkin (malware.rules)
  2808370 - ETPRO TROJAN TrojanDownloader Win32/Banload Download 4 -
SET (trojan.rules)
  2808371 - ETPRO TROJAN TrojanDownloader Win32/Banload Download 5 -
SET (trojan.rules)
  2808372 - ETPRO TROJAN TrojanDownloader Win32/Banload Download 6 -
SET (trojan.rules)
  2808373 - ETPRO TROJAN TrojanDownloader Win32/Banload Download 7 -
SET (trojan.rules)
  2808374 - ETPRO MOBILE_MALWARE Android.Trojan.InfoStealer.CM Checkin
(mobile_malware.rules)
  2808375 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.RZ Checkin
(mobile_malware.rules)
  2808376 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.RZ Checkin 2
(mobile_malware.rules)
  2808377 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.IA Checkin
(mobile_malware.rules)
  2808378 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.IA Checkin 2
(mobile_malware.rules)
  2808379 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.IA Checkin 3
(mobile_malware.rules)
  2808380 - ETPRO TROJAN Trojan.Agent.10815 dropper (trojan.rules)
  2808381 - ETPRO CURRENT_EVENTS SweetOrange EK Thread 2 Specific
Landing URI Struct Jul 16 2014 (current_events.rules)

 [///]     Modified active rules:     [///]

  2018579 - ET TROJAN Backdoor.Win32.Androm.dtrv Checkin (trojan.rules)
  2806339 - ETPRO TROJAN TrojanDownloader Win32/Banload Download 4
(trojan.rules)
  2807443 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Svpeng.a Checkin
(mobile_malware.rules)
  2807921 - ETPRO MOBILE_MALWARE Android.Monitor.MobileSpy.I Checkin
(mobile_malware.rules)

 [---]         Removed rules:         [---]

  2806338 - ETPRO TROJAN TrojanDownloader Win32/Banload Download 4 -
SET (trojan.rules)
Kevin Ross | 16 Jul 13:43 2014

SIGS: W32/Kazy.325252 Variant

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Kazy.325252 Variant CnC Beacon 1"; flow:established,to_server; content:"GET"; http_method; content:".php?p="; fast_pattern; http_uri; offset:2; depth:7; content:!"User-Agent|3A|"; http_header; content:!"Referer|3A|"; http_header; content:"Accept|3A| text/*, application/*, */*|0D 0A|"; http_header; pcre:"/^\x2F[a-z]{1}\x2Ephp\x3Fp\x3D[a-z0-9]{30,}$/Ui"; classtype:trojan-activity; reference:md5,87cdd25ac537280cc6751050050cae9c; sid:1299911; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Kazy.325252 Variant CnC Beacon 2"; flow:established,to_server; content:"GET"; http_method; content:"/track/?ip="; fast_pattern; http_uri; depth:11; content:"&data="; http_uri; distance:0; content:!"User-Agent|3A|"; http_header; content:!"Referer|3A|"; http_header; content:"Accept|3A| text/*, application/*, */*|0D 0A|"; http_header; pcre:"/^\x2Ftrack\x2F\x3Fip\x3D[0-9]{1}&data\x3D/U"; classtype:trojan-activity; reference:md5,87cdd25ac537280cc6751050050cae9c; sid:1299912; rev:1;)


Kind Regards,
Kevin
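
An offline smoke test for the HTTP rules posted in this thread (Ryan's Optimizer Pro pair, Adnan's Kuluoz/Asprox rule, Kevin's Aibatook beacon and the two Kazy beacons above), as an added example that is neither Emerging Threats code nor a Snort replacement: it parses the subset of rule options these rules use, evaluates them against constructed HTTP requests, and reports which rule fires on which request. The rules are transcribed with straight quotes, shortened msg strings and placeholder sids; the requests, the `example.invalid` hosts and the `q=`/`p=` values are made up for the test.

```python
"""Offline checker for the HTTP-buffer subset of Snort rule options.

Added example for this thread, not Emerging Threats code. It understands
content (with http_method/http_uri/http_header/nocase and ! negation),
uricontent and pcre (/U /H /M /i /s). Positional modifiers (offset, depth,
distance, within, fast_pattern) are parsed and ignored, so it is looser
than Snort: a rule that matches here may still need tuning on a sensor.
"""
import re
from dataclasses import dataclass

# Rules transcribed from the posts above (placeholder sids, msg shortened).
RULES = {
    "optpro_c2": r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Optimizer Pro Adware GET or POST C&C"; flow:established,to_server; content:"optpro"; http_header; pcre:"/\/install\/\?q=/U"; classtype:trojan-activity; sid:1; rev:1;)',
    "optpro_dl": r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Optimizer Pro Adware Download"; flow:established,to_server; content:"GET"; http_method; content:"optimizerpro.exe"; http_uri; classtype:trojan-activity; sid:2; rev:1;)',
    "kuluoz": r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Kuluoz / Asprox"; content:"GET"; http_method; pcre:"/\/api\/[a-zA-Z0-9\+\/\%]{42,45}\=\/[a-zA-Z\-\_]+$/Us"; classtype:trojan-activity; sid:3; rev:1;)',
    "aibatook": r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"W32/Aibatook.Banker CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/u.html"; fast_pattern; http_uri; depth:7; content:"User-Agent|3A| Mozilla/5.0 (compatible|3B| MSIE 10.0|3B| Windows NT 6.1|3B| Trident/6.0)"; http_header; content:!"Referer|3A|"; http_header; classtype:trojan-activity; sid:4; rev:1;)',
    "kazy_1": r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"W32/Kazy.325252 Variant CnC Beacon 1"; flow:established,to_server; content:"GET"; http_method; content:".php?p="; fast_pattern; http_uri; offset:2; depth:7; content:!"User-Agent|3A|"; http_header; content:!"Referer|3A|"; http_header; content:"Accept|3A| text/*, application/*, */*|0D 0A|"; http_header; pcre:"/^\x2F[a-z]{1}\x2Ephp\x3Fp\x3D[a-z0-9]{30,}$/Ui"; classtype:trojan-activity; sid:5; rev:1;)',
    "kazy_2": r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"W32/Kazy.325252 Variant CnC Beacon 2"; flow:established,to_server; content:"GET"; http_method; content:"/track/?ip="; fast_pattern; http_uri; depth:11; content:"&data="; http_uri; distance:0; content:!"User-Agent|3A|"; http_header; content:!"Referer|3A|"; http_header; content:"Accept|3A| text/*, application/*, */*|0D 0A|"; http_header; pcre:"/^\x2Ftrack\x2F\x3Fip\x3D[0-9]{1}&data\x3D/U"; classtype:trojan-activity; sid:6; rev:1;)',
}

HEXBLOB = re.compile(r"\|([0-9A-Fa-f ]+)\|")
OPTION = re.compile(r'\s*(\w+)(?::\s*(!?)\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')
BUFFER_MODS = {"http_uri": "uri", "http_header": "header", "http_method": "method"}
PCRE_BUFFERS = {"U": "uri", "H": "header", "M": "method"}


def unhex(text: str) -> str:
    """Expand Snort |3A 0D 0A| escapes inside a content string."""
    return HEXBLOB.sub(lambda m: bytes.fromhex(m.group(1)).decode("latin-1"), text)


@dataclass
class Request:
    method: str
    uri: str
    header: str  # header block, every line CRLF-terminated, no request line


def parse_request(raw: str) -> Request:
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, _, headers = head.partition("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    return Request(method, uri, headers + "\r\n" if headers else "")


def compile_rule(rule: str) -> list:
    """Turn the option section into a list of buffer checks, in rule order."""
    options = rule[rule.index("(") + 1 : rule.rindex(")")]
    checks = []
    for name, neg, value in OPTION.findall(options):
        if name in ("content", "uricontent"):
            checks.append({"buf": "uri" if name == "uricontent" else "raw",
                           "neg": neg == "!", "text": unhex(value.strip('"')),
                           "nocase": False})
        elif name in BUFFER_MODS and checks:
            checks[-1]["buf"] = BUFFER_MODS[name]      # modifier binds to the previous content
        elif name == "nocase" and checks:
            checks[-1]["nocase"] = True
        elif name == "pcre":
            pattern, _, flags = value.strip('"')[1:].rpartition("/")
            buf = next((PCRE_BUFFERS[f] for f in flags if f in PCRE_BUFFERS), "raw")
            reflags = (re.I if "i" in flags else 0) | (re.S if "s" in flags else 0)
            checks.append({"buf": buf, "neg": neg == "!",
                           "re": re.compile(pattern, reflags)})
    return checks


def rule_matches(checks: list, req: Request) -> bool:
    buffers = {"method": req.method, "uri": req.uri, "header": req.header,
               "raw": f"{req.method} {req.uri} HTTP/1.1\r\n{req.header}"}
    for c in checks:
        hay = buffers[c["buf"]]
        if "re" in c:
            hit = c["re"].search(hay) is not None
        elif c["nocase"]:
            hit = c["text"].lower() in hay.lower()
        else:
            hit = c["text"] in hay
        if hit == c["neg"]:        # a positive check missed, or a negated one hit
            return False
    return True


# Constructed requests, one per rule plus a benign control. Hosts from the
# posts above are reused where they appear there; the rest are example.invalid.
SAMPLES = {
    "optpro_c2": "GET /install/?q=AAAA HTTP/1.1\r\nHost: optprosurfing.info\r\nUser-Agent: win32\r\n\r\n",
    "optpro_dl": "GET /files/optimizerpro.exe HTTP/1.1\r\nHost: 207.244.66.33\r\n\r\n",
    "kuluoz": "GET /components/api/Gmefz4eoDVQIeOTx/6kallVldCbwKwT7yOcozbjHPJs=/toll HTTP/1.1\r\nHost: feierling.de\r\n\r\n",
    "aibatook": "GET /u.html HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)\r\n\r\n",
    "kazy_1": "GET /a.php?p=" + "x" * 32 + " HTTP/1.1\r\nHost: example.invalid\r\nAccept: text/*, application/*, */*\r\n\r\n",
    "kazy_2": "GET /track/?ip=1&data=Zm9v HTTP/1.1\r\nHost: example.invalid\r\nAccept: text/*, application/*, */*\r\n\r\n",
    "benign": "GET /index.html HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)\r\nReferer: http://example.invalid/\r\n\r\n",
}


def evaluate_all() -> dict:
    """Map each sample name to the list of rule names that fire on it."""
    compiled = {name: compile_rule(text) for name, text in RULES.items()}
    return {s: [n for n, c in compiled.items() if rule_matches(c, parse_request(raw))]
            for s, raw in SAMPLES.items()}


if __name__ == "__main__":
    for sample, fired in evaluate_all().items():
        print(f"{sample:10} -> {fired or '-'}")
```

Each sample should light up exactly its own rule and the benign request none of them; a pcre with a typo (an unclosed character class, a stray quote) fails in `compile_rule` before anything is evaluated, which is the cheapest place to catch it.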