Francis Trudeau | 21 Aug 00:18 2014

Daily Ruleset Update Summary 08/20/2014

 [***] Summary: [***]

 11 new Open signatures, 21 new Pro.  Wordpress Vuln, OneLouder,
Various AndroidOS, Wetware.

 Thanks:  Jake Warren, rmkml, tdzmont, @kafeine and @EKwatcher

 [+++]          Added rules:          [+++]

 Open:

  2018965 - ET CURRENT_EVENTS Malvertising Leading to EK Aug 19 2014
M3 (current_events.rules)
  2018966 - ET CURRENT_EVENTS Malvertising Leading to EK Aug 19 2014
M1 (current_events.rules)
  2018967 - ET CURRENT_EVENTS Malvertising Leading to EK Aug 19 2014
M2 (current_events.rules)
  2018968 - ET TROJAN Python.Ragua Checkin (trojan.rules)
  2018969 - ET WEB_CLIENT DRIVEBY Social Engineering Toolkit JAR
Download (web_client.rules)
  2018970 - ET WEB_CLIENT DRIVEBY Social Engineering Toolkit JAR
filename detected (web_client.rules)
  2018971 - ET CURRENT_EVENTS Probable OneLouder downloader (Zeus P2P)
(current_events.rules)
  2018972 - ET WEB_CLIENT DRIVEBY Social Engineering Toolkit Web Clone
code detected (web_client.rules)
  2018973 - ET CURRENT_EVENTS Possible Dyre SSL Cert Aug 20 2014 D1
(current_events.rules)
  2018974 - ET CURRENT_EVENTS Possible Dyre SSL Cert Aug 20 2014 D2
(current_events.rules)

Jake Warren | 20 Aug 21:02 2014

Machete APT Campaign Sigs

One signature is specific to the Machete campaign and the other is an indicator signature to detect the usage of the Java applet attack from the Social Engineer Toolkit.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Possible Machete Exploit Server Response"; flow:established,from_server; file_data; content:"|3c|param name=|22|"; content:"value=|22|nix.bin|22 3e|"; distance:0; reference:url,securelist.com/blog/research/66108/el-machete/; classtype:trojan-activity; sid:xxxxx; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible SET Java Applet Request"; flow:established,to_server; content:"GET"; http_method; content:"/Signed_Update.jar"; http_uri; content:"User-Agent|3a| Java"; http_header; pcre:"/\/Signed_Update\.jar$/U"; reference:url,securelist.com/blog/research/66108/el-machete/; classtype:trojan-activity; sid:xxxxx; rev:1;)

Jake Warren
Level 2 Sr. Network Security Analyst
www.masergy.com


rmkml | 19 Aug 23:20 2014

please check similar sigs UA BOT

Hi,

Could you check if these first two sigs and the last one are similar, please?

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Suspicious User-Agent inbound (bot)"; flow:to_server,established; content:"User-Agent|3a| bot/"; fast_pattern:only; http_header; nocase; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2008228; classtype:trojan-activity; sid:2008228; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent outbound (bot)"; flow:to_server,established; content:"User-Agent|3a| bot/"; nocase; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2003622; classtype:trojan-activity; sid:2003622; rev:11;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN JCE Joomla Extension User-Agent (BOT)"; flow:to_server,established; content:"User-Agent|3a| BOT/0.1 (BOT for JCE)|0d 0a|"; http_header; reference:url,exploit-db.com/exploits/17734/; reference:url,blog.spiderlabs.com/2014/03/honeypot-alert-jce-joomla-extension-attacks.html; classtype:attempted-recon; sid:2018327; rev:2;)

Remove sid 2018327, or add a new negated content to the first two sigs?
( content:!"User-Agent|3a| BOT/0.1 (BOT for JCE)|0d 0a|"; http_header; )

Discovered during http://etplc.org project.

Regards
@Rmkml
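To see the overlap rmkml is pointing at, here is an added example (not code from the post or from Emerging Threats) that applies only the http_header content checks of the three quoted rules to sample header blocks and then repeats the run with the proposed negated content added to the two generic rules. Flow, direction, $HOME_NET/$EXTERNAL_NET and threshold are not modelled, so direction still has to be compared by hand (the three rules do not all share one). The rule strings are the ones quoted above; the two header blocks and the content_subsumes() helper are mine.

```python
"""Why the JCE User-Agent signature (2018327) also trips the generic
'User-Agent: bot/' rules (2008228, 2003622), and what the negated content
rmkml proposes changes. Added example; only http_header content: checks are
evaluated. The three rules are copied from the post; the header samples are
constructed."""
import re

RULES = {
    2008228: 'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Suspicious User-Agent inbound (bot)"; flow:to_server,established; content:"User-Agent|3a| bot/"; fast_pattern:only; http_header; nocase; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2008228; classtype:trojan-activity; sid:2008228; rev:10;)',
    2003622: 'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent outbound (bot)"; flow:to_server,established; content:"User-Agent|3a| bot/"; nocase; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2003622; classtype:trojan-activity; sid:2003622; rev:11;)',
    2018327: 'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN JCE Joomla Extension User-Agent (BOT)"; flow:to_server,established; content:"User-Agent|3a| BOT/0.1 (BOT for JCE)|0d 0a|"; http_header; reference:url,exploit-db.com/exploits/17734/; reference:url,blog.spiderlabs.com/2014/03/honeypot-alert-jce-joomla-extension-attacks.html; classtype:attempted-recon; sid:2018327; rev:2;)',
}

# The negated content from the post, inserted before the reference: keyword.
NEGATION = 'content:!"User-Agent|3a| BOT/0.1 (BOT for JCE)|0d 0a|"; http_header; '

# Constructed header blocks (what the http_header buffer would hold).
JCE_HEADERS = b"Host: example.test\r\nUser-Agent: BOT/0.1 (BOT for JCE)\r\n\r\n"
OTHER_BOT_HEADERS = b"Host: example.test\r\nUser-Agent: bot/2.0 (+http://example.test/bot)\r\n\r\n"

# content:"..." with an optional ! and the modifiers that follow it.
CONTENT_RE = re.compile(
    r'content:(!?)"((?:[^"\\]|\\.)*)";'
    r'((?:\s*(?:nocase|http_header|http_uri|fast_pattern(?::only)?'
    r'|depth:\d+|offset:\d+|distance:\d+|within:\d+);)*)')
HEX_RE = re.compile(r'\|([0-9a-fA-F\s]+)\|')


def decode_content(text: str) -> bytes:
    """Expand |xx xx| hex escapes in a content string into raw bytes."""
    out, pos = b"", 0
    for m in HEX_RE.finditer(text):
        out += text[pos:m.start()].encode("latin-1") + bytes.fromhex(m.group(1))
        pos = m.end()
    return out + text[pos:].encode("latin-1")


def parse_contents(rule: str):
    """Yield (negated, pattern, nocase, buffer) for every content: keyword."""
    for neg, text, mods in CONTENT_RE.findall(rule):
        buf = "http_header" if "http_header" in mods else "http_uri" if "http_uri" in mods else "payload"
        yield bool(neg), decode_content(text), "nocase" in mods, buf


def header_matches(rule: str, headers: bytes) -> bool:
    """True if every http_header content (positive or negated) is satisfied."""
    for negated, pat, nocase, buf in parse_contents(rule):
        if buf != "http_header":
            continue
        hay, needle = (headers.lower(), pat.lower()) if nocase else (headers, pat)
        if (needle in hay) == negated:  # positive missing, or negated present
            return False
    return True


def content_subsumes(general: str, specific: str) -> bool:
    """True if each positive http_header content of `general` is a substring of
    some positive http_header content of `specific`: any header block that
    satisfies `specific` then satisfies `general` as well."""
    spec = [p for neg, p, _, b in parse_contents(specific) if not neg and b == "http_header"]
    for neg, pat, nocase, buf in parse_contents(general):
        if neg or buf != "http_header":
            continue
        if not any((pat.lower() in sp.lower()) if nocase else (pat in sp) for sp in spec):
            return False
    return True


def with_negation(rule: str) -> str:
    return rule.replace("reference:", NEGATION + "reference:", 1)


def fired(headers: bytes, rules=None):
    """Sorted sids whose http_header checks all pass for this header block."""
    return sorted(sid for sid, r in (rules or RULES).items() if header_matches(r, headers))


if __name__ == "__main__":
    fixed = {sid: (r if sid == 2018327 else with_negation(r)) for sid, r in RULES.items()}
    print("JCE probe, rules as posted:   ", fired(JCE_HEADERS))
    print("JCE probe, negation added:    ", fired(JCE_HEADERS, fixed))
    print("other bot UA, negation added: ", fired(OTHER_BOT_HEADERS, fixed))
    print("2018327 content subsumed by 2008228:", content_subsumes(RULES[2008228], RULES[2018327]))
```

With the rules as posted all three sids fire on the JCE probe; with the negated content added only 2018327 does, while an unrelated "bot/" User-Agent still trips the two generic rules.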
Francis Trudeau | 19 Aug 22:28 2014

Daily Ruleset Update Summary 08/19/2014

 [***] Summary: [***]

 11 new Open signatures, 16 new Pro (11+5).  Angler EK, Various
AndroidOS, ZeroLocker.

 Thanks:  @EKwatcher @StopMalvertisin and @kafeine

 [+++]          Added rules:          [+++]

 Open:

  2018954 - ET CURRENT_EVENTS Angler Encoded Shellcode IE (current_events.rules)
  2018955 - ET CURRENT_EVENTS Angler Encoded Shellcode Silverlight
(current_events.rules)
  2018956 - ET CURRENT_EVENTS Angler Encoded Shellcode Flash
(current_events.rules)
  2018957 - ET CURRENT_EVENTS Angler Encoded Shellcode Java
(current_events.rules)
  2018958 - ET TROJAN Worm.Win32.Vobfus Checkin 3 (trojan.rules)
  2018959 - ET POLICY PE EXE or DLL Windows file download HTTP (policy.rules)
  2018960 - ET TROJAN ZeroLocker Downloading Config (trojan.rules)
  2018961 - ET TROJAN ZeroLocker Activity (trojan.rules)
  2018962 - ET TROJAN ZeroLocker Activity (trojan.rules)
  2018963 - ET CURRENT_EVENTS ZeroLocker EXE Download (current_events.rules)
  2018964 - ET TROJAN Variant.Strictor Dropper (trojan.rules)

 Pro:

  2808584 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Fakeguard.a Checkin
(mobile_malware.rules)
  2808585 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Fakeguard.a Checkin
2 (mobile_malware.rules)
  2808586 - ETPRO MALWARE PUP Win32/WuJi.A Checkin (malware.rules)
  2808587 - ETPRO TROJAN Win32/CoinMiner.SO .exe download (trojan.rules)
  2808588 - ETPRO TROJAN Linux.DDoS Checkin (trojan.rules)

 [///]     Modified active rules:     [///]

  2006445 - ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM
(web_server.rules)
  2014340 - ET MALWARE W32/GameVance Adware User Agent (malware.rules)
  2017136 - ET MALWARE Adware.Gamevance.AV Checkin (malware.rules)
  2018755 - ET SCAN Possible WordPress xmlrpc.php BruteForce in
Progress (scan.rules)
  2018951 - ET TROJAN Tor Based Locker Page (Torrentlocker) (trojan.rules)
  2805991 - ETPRO TROJAN Win32.Dapato.bsyi Checkin (trojan.rules)
  2806324 - ETPRO TROJAN Trojan-Downloader.Win32.Agent.gzfw Checkin
(trojan.rules)
  2806378 - ETPRO TROJAN Win32/Moure.A Checkin (trojan.rules)
  2806440 - ETPRO TROJAN Trojan.Generic.KDV.807443 Checkin (trojan.rules)
  2806466 - ETPRO TROJAN Trojan.GenericKD.1011510 checkin (trojan.rules)
  2806809 - ETPRO TROJAN Win32/Agent.URS Checkin (trojan.rules)
  2807038 - ETPRO TROJAN Win32/Genome.I Checkin (trojan.rules)
  2807082 - ETPRO MOBILE_MALWARE Android/TrojanSMS.Agent.PS Checkin 2
(mobile_malware.rules)
  2807089 - ETPRO TROJAN Backdoor.Win32.Agent.dbse Checkin (trojan.rules)
  2807788 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Blocal.a Checkin
(mobile_malware.rules)
  2807931 - ETPRO MOBILE_MALWARE Android/Badao.A Checkin 2
(mobile_malware.rules)
  2807941 - ETPRO TROJAN Trojan.Win32.Blocker.ctrojn Checkin (trojan.rules)
  2807984 - ETPRO TROJAN Trojan.Win32.Iframer.a Checkin (trojan.rules)
  2808072 - ETPRO MALWARE Win32/SquareNet.A Checkin (malware.rules)
  2808101 - ETPRO MOBILE_MALWARE Android/UUPAY.B Checkin (mobile_malware.rules)
  2808168 - ETPRO MOBILE_MALWARE Android.Riskware.SmsPay.C Checkin
(mobile_malware.rules)
  2808273 - ETPRO TROJAN MiniDuke variant C&C activity (trojan.rules)

 [---]         Removed rules:         [---]

  2017837 - ET TROJAN Possible Zbot Activity Common Download Struct
(trojan.rules)
  2806155 - ETPRO TROJAN Worm.Win32.Vobfus Checkin 3 (trojan.rules)
Francis Trudeau | 19 Aug 01:09 2014

Daily Ruleset Update Summary 08/18/2014

 [***] Summary: [***]

 11 new Open rules, 24 new Pro (11+13).  Abuse.ch SSL Blacklist,
Various Android, Win32/Rovnix, Tofsee.

 Thanks:  @kaffeine and @abuse_ch

  [+++]          Added rules:          [+++]

 Open:

  2018942 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (KINS MITM) (trojan.rules)
  2018943 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Vawtrak MITM) (trojan.rules)
  2018944 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Vawtrak MITM) (trojan.rules)
  2018945 - ET MOBILE_MALWARE Android/Locker.B Checkin 1 (mobile_malware.rules)
  2018946 - ET MOBILE_MALWARE Android/Locker.B Checkin 2 (mobile_malware.rules)
  2018947 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (KINS C2) (trojan.rules)
  2018948 - ET TROJAN Likely Synolocker .onion DNS lookup (trojan.rules)
  2018949 - ET TROJAN Win32/PSW.Steam.NBP Checkin (trojan.rules)
  2018950 - ET CURRENT_EVENTS DRIVEBY Angler EK Landing Aug 16 2014
(current_events.rules)
  2018951 - ET TROJAN Tor Based Locker Page (Zerolocker) (trojan.rules)
  2018953 - ET TROJAN ShellBot.C retrieval (trojan.rules)

 Pro:

  2808571 - ETPRO TROJAN Win.Trojan.Chewbacca connectivity check (trojan.rules)
  2808572 - ETPRO MALWARE Win32/AdWare.Laban.G Checkin (malware.rules)
  2808573 - ETPRO MALWARE PUP Win32/HiddenStart.B Checkin (malware.rules)
  2808574 - ETPRO TROJAN Win32/Emogen-F Checkin (trojan.rules)
  2808575 - ETPRO TROJAN Trojan.Graybird IP Check (trojan.rules)
  2808576 - ETPRO TROJAN Win32/Rovnix.H GET (trojan.rules)
  2808577 - ETPRO TROJAN Win32/Tofsee Loader Config Download (trojan.rules)
  2808578 - ETPRO TROJAN Win32/PSW.Papras.CK Checkin (trojan.rules)
  2808579 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.AVPass.a Checkin
(mobile_malware.rules)
  2808580 - ETPRO TROJAN BKDR_QULKONWI.GHR Checkin (trojan.rules)
  2808581 - ETPRO EXPLOIT VMTurbo Ops Manager Remote Command Execution
(exploit.rules)
  2808582 - ETPRO MOBILE_MALWARE Android.Trojan.Joye.D Checkin
(mobile_malware.rules)
  2808583 - ETPRO MOBILE_MALWARE Android.Gabas.A Checkin (mobile_malware.rules)

 [///]     Modified active rules:     [///]

  2018367 - ET MALWARE W32/iBryte.Adware Affiliate Campaign Executable
Download (malware.rules)
  2804473 - ETPRO MALWARE Win32/Adware.Gamevance.BE Checkin 2 (malware.rules)
  2806324 - ETPRO TROJAN Trojan-Downloader.Win32.Agent.gzfw Checkin
(trojan.rules)
  2807850 - ETPRO TROJAN Trojan/MSIL.bfsx Checkin (trojan.rules)
  2808008 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Ackposts.a Checkin
(mobile_malware.rules)
  2808270 - ETPRO TROJAN Win32.Trojan.Hijacker.Akym Checkin (trojan.rules)
  2808565 - ETPRO TROJAN Win32/Banjori.A Checkin (trojan.rules)

 [---]         Removed rules:         [---]

  2806557 - ETPRO TROJAN Trojan-Downloader.Win32.VB.gznp Checkin (trojan.rules)
Francis Trudeau | 15 Aug 00:00 2014

Daily Ruleset Update Summary 08/14/2014

 [***] Summary: [***]

 6 new Open signatures, 12 new Pro (6+6).  Abuse.ch malicious SSL,
ClickFraud Trojan Socks5, Suspicious X-mailer Synapse.

 Thanks:  @EKWatcher and @abuse_ch.

 [+++]          Added rules:          [+++]

 Open:

  2018935 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (KINS C2) (trojan.rules)
  2018936 - ET TROJAN Suspicious X-mailer Synapse (trojan.rules)
  2018937 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (KINS C2) (trojan.rules)
  2018939 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (CryptoWall C2) (trojan.rules)
  2018940 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Dyre C2) (trojan.rules)
  2018941 - ET TROJAN ClickFraud Trojan Socks5 Init Response (trojan.rules)

 Pro:

  2808565 - ETPRO TROJAN Win32/Banjori.A Checkin (trojan.rules)
  2808566 - ETPRO TROJAN Win32/Rovnix.H Retrieving Fake User-Agent
(trojan.rules)
  2808567 - ETPRO TROJAN Trojan.Zbot Download (trojan.rules)
  2808568 - ETPRO TROJAN TrojanDownloader.Murlo.jr Checkin (trojan.rules)
  2808569 - ETPRO CURRENT_EVENTS Win32/Zbot angryflo.ru GET Aug 14
2014 (current_events.rules)
  2808570 - ETPRO TROJAN Win32.Sisron.B Checkin 2 (trojan.rules)

 [///]     Modified active rules:     [///]

  2018028 - ET TROJAN W32/Madness Checkin (trojan.rules)
  2018114 - ET TROJAN DNS Query for Known Chewbacca CnC Server (trojan.rules)
  2018855 - ET TROJAN Possible ClickFraud Trojan Socks5 Connection
(trojan.rules)
  2018928 - ET TROJAN Unknown Trojan Dropped By Archie.EK (trojan.rules)
  2801959 - ETPRO TROJAN Bredolap/Rebhip/Bifrose Checkin (trojan.rules)
  2803936 - ETPRO TROJAN Backdoor.Win32.Sheldor.dt Checkin (trojan.rules)
  2807180 - ETPRO TROJAN Win32.Sisron.B Checkin Checkin (trojan.rules)
  2807262 - ETPRO TROJAN Win32/Heloag.A Checkin 2 (trojan.rules)
  2807384 - ETPRO TROJAN Win32.Hupigon Variant (trojan.rules)
  2807771 - ETPRO TROJAN Win32/Kuluoz.D Checkin (trojan.rules)
  2807823 - ETPRO TROJAN Trojan-Dropper.Win32.Sysn.acbq Checkin (trojan.rules)
  2807850 - ETPRO TROJAN Trojan/MSIL.bfsx Checkin (trojan.rules)
  2807981 - ETPRO MOBILE_MALWARE Android/TrojanSMS.Feejar.D Checkin
(mobile_malware.rules)
  2808267 - ETPRO TROJAN Win32.Pandemiya Checkin (trojan.rules)

 [---]         Removed rules:         [---]

  2808548 - ETPRO TROJAN Trojan.Win32.Yakes.fdph SSL Cert (trojan.rules)
Francis Trudeau | 13 Aug 23:22 2014

Daily Ruleset Update Summary 08/13/2014 - Part 2

 [***] Summary: [***]

 10 new Pro rules.  Various Android, Wysotot.G, Neshta.A.

 [+++]          Added rules:          [+++]

  2808522 - ETPRO MALWARE Win32/Wysotot.G Checkin (malware.rules)
  2808556 - ETPRO MOBILE_MALWARE Trojan-Ransom.AndroidOS.Cokri.a
Checkin (mobile_malware.rules)
  2808557 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Waller.a Checkin
(mobile_malware.rules)
  2808558 - ETPRO MOBILE_MALWARE AndroidOS/Lemon.A Checkin
(mobile_malware.rules)
  2808559 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Funtasy.a
Checkin (mobile_malware.rules)
  2808560 - ETPRO TROJAN Win32.Neshta.A Checkin 3 (trojan.rules)
  2808561 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Stealer.a
Checkin 2 (mobile_malware.rules)
  2808562 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Recal.a Checkin
2 (mobile_malware.rules)
  2808563 - ETPRO MOBILE_MALWARE Android/TrojanSMS.Agent.AHB Checkin
(mobile_malware.rules)
  2808564 - ETPRO MOBILE_MALWARE SMSPay.AO (mobile_malware.rules)

 [///]     Modified active rules:     [///]

  2014200 - ET TROJAN Dapato/Cleaman Checkin (trojan.rules)
  2014293 - ET TROJAN Smart Fortress FakeAV/Kryptik.ABNC Checkin (trojan.rules)
  2016455 - ET TROJAN Possible WEBC2-GREENCAT Response - Embedded CnC
APT1 Related (trojan.rules)
  2018169 - ET TROJAN Gulpix/PlugX Client Request (trojan.rules)
  2803167 - ETPRO POLICY MOBILE Android Device User-Agent (policy.rules)
  2805031 - ETPRO TROJAN Win32/Weelsof.A Checkin (trojan.rules)
  2805094 - ETPRO TROJAN W32/VB.POZ!tr.dldr exec SQL command (exec
retorna dados) (trojan.rules)
  2805152 - ETPRO TROJAN HackTool.MSIL.Flooder.gen Checkin (trojan.rules)
  2805155 - ETPRO TROJAN Kazy.57247 Checkin (trojan.rules)
  2805200 - ETPRO TROJAN Win32/Spy.Keydoor.D Checkin (trojan.rules)
  2806194 - ETPRO TROJAN Trojan.AVKill.28805 Checkin (trojan.rules)
  2806318 - ETPRO TROJAN Downloader.BMP Checkin 1 (trojan.rules)
  2806319 - ETPRO TROJAN Downloader.BMP Checkin 2 (trojan.rules)
  2806683 - ETPRO TROJAN Email-Worm.Win32.Wangy Checkin (trojan.rules)
  2806701 - ETPRO TROJAN MAC.OSX.Backdoor.Janicab.A Download (trojan.rules)
  2806703 - ETPRO TROJAN MAC.OSX.Backdoor.Janicab.A CnC server address
response (trojan.rules)
  2806939 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.c Checkin
(mobile_malware.rules)
  2807397 - ETPRO TROJAN Backdoor.Win32.Tankedoor.01.a Checkin via IRC
(trojan.rules)
  2808053 - ETPRO MOBILE_MALWARE Android/SmsSend.ET Checkin
(mobile_malware.rules)
  2808168 - ETPRO MOBILE_MALWARE
Android.Riskware.SmsPay.C/SMSSend.BZ/SMSreg (mobile_malware.rules)
  2808264 - ETPRO TROJAN Trojan.Win32.FrauDrop.dbnyoz Checkin (trojan.rules)
  2808265 - ETPRO TROJAN Trojan.Win32.FrauDrop.dbnyoz Checkin 2 (trojan.rules)
  2808309 - ETPRO TROJAN Win32/Beaugrit.gen!AAA Checkin (trojan.rules)
  2808347 - ETPRO TROJAN Trojan.Perl.Shellbot.BD Bot Nick in IRC (trojan.rules)
  2808374 - ETPRO MOBILE_MALWARE Android.Trojan.InfoStealer.CM Checkin
(mobile_malware.rules)
  2808491 - ETPRO MOBILE_MALWARE AndroidOS/Apperhand.A Checkin
(mobile_malware.rules)
  2808517 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.MisoSMS.a
Response SET (mobile_malware.rules)

 [---]         Removed rules:         [---]

  2808522 - ETPRO TROJAN Win32/Wysotot.G Checkin (trojan.rules)
Francis Trudeau | 13 Aug 19:02 2014

Daily Ruleset Update Summary 08/13/2014

 [***] Summary: [***]

 7 new Open rules.  Archie Exploit Kit, OneLouder.

 [+++]          Added rules:          [+++]

  2018928 - ET TROJAN Unknown Trojan Dropped By Archie.EK (trojan.rules)
  2018929 - ET TROJAN OneLouder Common URI Struct (trojan.rules)
  2018930 - ET CURRENT_EVENTS DRIVEBY Archie.EK PluginDetect URI
Struct (current_events.rules)
  2018931 - ET CURRENT_EVENTS DRIVEBY Archie.EK CVE-2013-2551 URI
Struct (current_events.rules)
  2018932 - ET CURRENT_EVENTS DRIVEBY Archie.EK IE Exploit URI Struct
(current_events.rules)
  2018933 - ET CURRENT_EVENTS DRIVEBY Archie.EK Landing (current_events.rules)
  2018934 - ET CURRENT_EVENTS DRIVEBY Archie.EK IE CVE-2013-2551
Payload Struct (current_events.rules)

 [///]     Modified active rules:     [///]

  2804457 - ETPRO TROJAN TrojanSpy.Win32/Bancos.gen!A sending info via
smtp (trojan.rules)
  2808446 - ETPRO TROJAN Win32.Rbrute.a Checkin (trojan.rules)
  2808546 - ETPRO TROJAN Backdoor.MSIL/Parama.A Checkin (trojan.rules)
Kevin Ross | 13 Aug 14:47 2014

Question about abuse.ch sigs

Hi,

I have a quick question as to the abuse.ch sigs that are now appearing. Now I understand it comes from here:

https://www.abuse.ch/?p=8180
https://sslbl.abuse.ch/blacklist/sslblacklist.rules

Now my question is: are these being published directly from this list, or is there some cleanup? I ask because there seems to be some discrepancy in the number of rules, and I am wondering if I need to use the sslblacklist.rules, or whether they are being published with full coverage in ET TROJAN, meaning I wouldn't/shouldn't run sslblacklist.rules too? If coverage won't be a complete duplication of this list, how are they selected for inclusion into ET TROJAN?

sslblacklist.rules
# ~]# wc -l sslblacklist.rules
175 sslblacklist.rules

ET TROJAN
# cat /etc/suricata/rules/* | grep ET\ TROJAN\ ABUSE.CH | wc -l
67

Thanks,
Kevin
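Line counts are a poor way to compare the two sources: `wc -l` also counts comment lines, and the ET rules carry a different msg prefix. The certificate fingerprint is the join key. Below is an added example (not from the post or from either feed's tooling) that pulls the SHA1 out of each rule and reports what the feed has that the local ruleset lacks, and vice versa. It assumes a rule carries the fingerprint either as `tls.fingerprint:"aa:bb:..."` or as a 20-byte `|aa bb ...|` content match; every rule line in it is a constructed sample with invented fingerprints and made-up sids.

```python
"""Compare abuse.ch SSL Blacklist coverage with local ET TROJAN ABUSE.CH rules
by certificate fingerprint rather than by wc -l. Added example, not from the
post or either feed's tooling. Assumes the SHA1 appears either as
tls.fingerprint:"aa:bb:..." or as a 20-byte |aa bb ...| content match. All
rule lines, fingerprints and sids below are constructed, not real indicators."""
import re


def _fp(byte: str) -> str:
    """Invented 20-byte fingerprint made of one repeated byte (constructed data)."""
    return ":".join([byte] * 20)


SSLBL_RULES = f"""\
# abuse.ch SSL Blacklist, constructed sample
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"SSLBL: Malicious SSL certificate detected (KINS C2)"; tls.fingerprint:"{_fp('0a')}"; sid:9000001; rev:1;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"SSLBL: Malicious SSL certificate detected (Dyre C2)"; tls.fingerprint:"{_fp('0b')}"; sid:9000002; rev:1;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"SSLBL: Malicious SSL certificate detected (CryptoWall C2)"; tls.fingerprint:"{_fp('0c')}"; sid:9000003; rev:1;)
"""

ET_RULES = f"""\
# local ET TROJAN rules, constructed sample; one uses a hex content match
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; content:"|{_fp('0a').replace(':', ' ')}|"; sid:9100001; rev:1;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre C2)"; tls.fingerprint:"{_fp('0b')}"; sid:9100002; rev:1;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; tls.fingerprint:"{_fp('0d')}"; sid:9100003; rev:1;)
"""

# 20 hex pairs separated by ':' or ' ', introduced by either keyword form.
FP_RE = re.compile(r'(?:tls\.fingerprint:"|content:"\|)\s*((?:[0-9a-fA-F]{2}[: ]?){20})')


def fingerprints(rules_text: str) -> dict:
    """Map each rule's SHA1 (40 lowercase hex chars) to its msg; comments are skipped."""
    found = {}
    for line in rules_text.splitlines():
        if not line.startswith("alert"):
            continue
        m = FP_RE.search(line)
        if not m:
            continue
        sha1 = re.sub(r"[: ]", "", m.group(1)).lower()
        msg = re.search(r'msg:"([^"]*)"', line)
        found[sha1] = msg.group(1) if msg else ""
    return found


def coverage_gap(feed_text: str, local_text: str):
    """(fingerprints only in the feed, fingerprints only in the local ruleset)."""
    feed, local = fingerprints(feed_text), fingerprints(local_text)
    return sorted(set(feed) - set(local)), sorted(set(local) - set(feed))


if __name__ == "__main__":
    feed, local = fingerprints(SSLBL_RULES), fingerprints(ET_RULES)
    missing, extra = coverage_gap(SSLBL_RULES, ET_RULES)
    print(f"feed: {len(feed)} certs, local: {len(local)} certs")
    for fp in missing:
        print("in feed, not local:", fp, feed[fp])
    for fp in extra:
        print("local only:        ", fp, local[fp])
```

Against real files, read the downloaded sslblacklist.rules and whichever ET rules file holds the ABUSE.CH sigs and pass both strings to coverage_gap(); a non-empty "in feed, not local" list is the actual discrepancy, independent of how many lines each file has.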

Kevin Ross | 13 Aug 12:56 2014

Good Magnitude Write Up

http://blog.spiderlabs.com/2014/08/a-peek-into-the-lions-den-the-magnitude-aka-popads-exploit-kit.html

quite interesting - especially getting some insights from the server side and actual criminal thinking of some of the things.


Kevin Ross | 13 Aug 10:58 2014

Re: SIG: ET TROJAN W32/Dapato.Downloader Initial CnC Beacon

Hi,

Just a quick update. When analysing some more alerts a bit later I found W32/Dyre 6th August self-signed cert alerts firing too, which were coming from the infected host. So while the downloader wasn't detected, it seems the payload was Dyre and it was detected.

Kind regards,
Kevin Ross


On 13 August 2014 09:25, Kevin Ross <kevross33-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org> wrote:
Hi,

This was downloaded from Romania; I looked into the extracted EXE and found matching execution traffic in my network which was not picked up for the CnC. I have attached a PCAP from Anubis of this traffic and you can see on Virustotal here https://www.virustotal.com/en/file/2f35448f468647e2d4bd66bbd4cd5b8ac53b1ea06007a286d95c24cd4700bd40/analysis/

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Dapato.Downloader Initial CnC Beacon"; flow:established,to_server; content:"/stats/"; http_uri; depth:7; content:".rar"; http_uri; content:"User-Agent|3A| Opera|0D 0A|"; http_header; classtype:trojan-activity; reference:md5,cb53d71249673faf2386e1ccd68bedc7; sid:198311; rev:1;)

Kind Regards,
Kevin Ross
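Both the SET Java applet request rule in Jake Warren's Machete post above and the Dapato beacon rule in this post use flow:established,to_server, so a replay file needs a complete three-way handshake before the request or the sensor never marks the flow established and the rule cannot fire. The following added example (not code from either post) builds such a pcap with the standard library only, one file per request. The IPs, MACs, ports, sequence numbers and the two request bodies are constructed test data shaped to satisfy the posted content/pcre checks, not observed traffic.

```python
"""Synthetic pcap with a full TCP handshake followed by one HTTP request, so
rules using flow:established,to_server can be replayed offline. Added
example, not from the posts. All addresses, MACs, ports and request bodies
are constructed test data."""
import struct
import time

CLIENT_IP, SERVER_IP = "10.0.0.5", "198.51.100.7"   # constructed
CLIENT_PORT, SERVER_PORT = 49152, 80
CLIENT_MAC = bytes.fromhex("020000000001")          # constructed, locally administered
SERVER_MAC = bytes.fromhex("020000000002")
SYN, ACK, PSH = 0x02, 0x10, 0x08

# Constructed requests shaped to satisfy the two posted rules' content/pcre checks.
SET_APPLET_REQUEST = (b"GET /Signed_Update.jar HTTP/1.1\r\n"
                      b"Host: 198.51.100.7\r\n"
                      b"User-Agent: Java/1.7.0_45\r\n\r\n")
DAPATO_REQUEST = (b"GET /stats/update.rar HTTP/1.1\r\n"
                  b"Host: 198.51.100.7\r\n"
                  b"User-Agent: Opera\r\n\r\n")


def _csum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def tcp_frame(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with valid IP and TCP checksums."""
    tcp_len = 20 + len(payload)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = _ip(src_ip) + _ip(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", _csum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0x4000, 64, 6, 0,
                     _ip(src_ip), _ip(dst_ip))
    ip = ip[:10] + struct.pack("!H", _csum(ip)) + ip[12:]
    dst_mac, src_mac = (SERVER_MAC, CLIENT_MAC) if src_ip == CLIENT_IP else (CLIENT_MAC, SERVER_MAC)
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp


def http_session(request: bytes, cisn=1000, sisn=5000):
    """SYN, SYN/ACK, ACK, then the request in one PSH/ACK segment from the client."""
    c2s = (CLIENT_IP, SERVER_IP, CLIENT_PORT, SERVER_PORT)
    s2c = (SERVER_IP, CLIENT_IP, SERVER_PORT, CLIENT_PORT)
    return [
        tcp_frame(*c2s, cisn, 0, SYN),
        tcp_frame(*s2c, sisn, cisn + 1, SYN | ACK),
        tcp_frame(*c2s, cisn + 1, sisn + 1, ACK),
        tcp_frame(*c2s, cisn + 1, sisn + 1, PSH | ACK, request),
    ]


def pcap_bytes(frames, link_type=1) -> bytes:
    """Classic pcap: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, link_type)
    ts = int(time.time())
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, i * 1000, len(frame), len(frame)) + frame
    return out


def checksums_ok(frame: bytes) -> bool:
    """Recompute both checksums; a correct header sums to zero under RFC 1071."""
    ip = frame[14:34]
    tcp_len = struct.unpack("!H", ip[2:4])[0] - 20
    tcp = frame[34:34 + tcp_len]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, tcp_len)
    return _csum(ip) == 0 and _csum(pseudo + tcp) == 0


if __name__ == "__main__":
    for name, req in (("set_applet.pcap", SET_APPLET_REQUEST), ("dapato.pcap", DAPATO_REQUEST)):
        with open(name, "wb") as fh:
            fh.write(pcap_bytes(http_session(req)))
        print("wrote", name)
```

Replay with something like `suricata -r set_applet.pcap -S test.rules -l /tmp/out` (the sids in the posted rules are placeholders and must be set to a real number first) with HOME_NET covering 10.0.0.0/8 so that $HOME_NET -> $EXTERNAL_NET resolves the way the rules expect; a missing handshake, a wrong HOME_NET, or an unset sid are the usual reasons a replay stays silent.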


