Kevin Ross | 1 Aug 00:04 2014

SIG: ET TROJAN W32/Pgift.Backdoor APT CnC Beacon

Port 8080 is used as shown in the example, but I'm not sure if this is consistent and if it is always on an off-HTTP port.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Pgift.Backdoor APT CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/pgift.asp"; fast_pattern; http_uri; depth:10; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B|)"; http_header; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}(\x0D\x0A|\x3A\d{2,5}\x0D\x0A)/H"; classtype:trojan-activity; reference:url,www.fireeye.com/blog/technical/threat-intelligence/2014/07/spy-of-the-tiger.html; sid:123991; rev:1;)

Kind Regards,
Kevin
Francis Trudeau | 31 Jul 23:28 2014

Daily Ruleset Update Summary 07/31/2014

 [***] Summary: [***]

 14 new Open signatures, 17 new Pro (14+3).  Backoff POS, Pbstealer,
ABUSE.CH Malicious SSL certificates.

 Thanks:  ABUSE.CH

 [+++]          Added rules:          [+++]

 Open:

  2018494 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (KINS C2) (trojan.rules)
  2018600 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (KINS C2) (trojan.rules)
  2018736 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (KINS C2) (trojan.rules)
  2018856 - ET TROJAN Windows executable base64 encoded (trojan.rules)
  2018857 - ET TROJAN Backoff POS Checkin (trojan.rules)
  2018858 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (KINS C2) (trojan.rules)
  2018859 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (KINS C2) (trojan.rules)
  2018860 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (KINS C2) (trojan.rules)
  2018861 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (KINS C2) (trojan.rules)
  2018862 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (KINS C2) (trojan.rules)
  2018863 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (KINS C2) (trojan.rules)
  2018864 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (KINS C2) (trojan.rules)
  2018865 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (KINS C2) (trojan.rules)
  2018866 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (KINS C2) (trojan.rules)

 Pro:

  2808479 - ETPRO TROJAN Trojan.Win32.Autoit.dbiolu Checkin (trojan.rules)
  2808480 - ETPRO TROJAN Trojan.Win32.Banload.BTVS SQL Checkin (trojan.rules)
  2808481 - ETPRO MOBILE_MALWARE Android-Malicious/Pbstealer Checkin
(mobile_malware.rules)

 [///]     Modified active rules:     [///]

  2808292 - ETPRO MOBILE_MALWARE Android/Simplocker.B Checkin
(mobile_malware.rules)

 [---]  Disabled and modified rules:  [---]

  2808313 - ETPRO TROJAN Win32.Tavex.A Checkin 2 (trojan.rules)

 [---]         Removed rules:         [---]

  2012330 - ET CURRENT_EVENTS HTTP Request to a *.rr.nu domain
(current_events.rules)
  2018494 - ET CURRENT_EVENTS ABUSE.CH SSL Fingerprint Blacklist
Malicious SSL certificate detected (KINS C2) (current_events.rules)
  2018600 - ET CURRENT_EVENTS ABUSE.CH SSL Fingerprint Blacklist
Malicious SSL certificate detected (KINS C2) (current_events.rules)
  2018736 - ET CURRENT_EVENTS ABUSE.CH SSL Fingerprint Blacklist
Malicious SSL certificate detected (KINS C2) (current_events.rules)
  2018847 - ET INFO DYNAMIC_DNS HTTP Request to *.passinggas.net
Domain (Sitelutions) (info.rules)
  2018848 - ET INFO DYNAMIC_DNS Query to *.passinggas.net Domain
(Sitelutions) (info.rules)
  2807775 - ETPRO TROJAN Win32/Injector.gen!ER Checkin (trojan.rules)
Kevin Ross | 31 Jul 16:04 2014

Re: LOCAL SIG SHARE: Generic Malware Beaconing (HTTP POST)

Here is another characteristic sig I missed (this is new and has only been tested in a 25,000+ user network for the last week).

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Suspicious Long URI - No Parameters To Extend It and Against RFC Advice"; flow:established,to_server; urilen:>255; content:!"&"; http_uri; content:!"Referer|3A|"; http_header; pcre:"/^\x2F[a-z0-9\x2E\x3F\x2F\x3D]{255,}$/Ui"; classtype:trojan-activity; flowbits:set,cncbeacon; flowbits:noalert; sid:1424007; rev:1;)

Regards,
Kevin



On 31 July 2014 13:45, Kevin Ross <kevross33-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org> wrote:
Hi,

I thought I would share some of my local signatures for CnC detection where malware uses HTTP POSTs (because GETs are too difficult to avoid FPs on, I found out, even on what look like OK features), such as in the attached capture. These are very experimental, extremely localised and not performance focused, so they will never be able to be in official lists. However, locally I have these down to an extremely low FP rate and a nice TP rate, but if you wish to use them you will need to do a little bit of work in your own network. Share any useful additions and generic improvements back though :-D

- They work by focusing on HTTP characteristics of many different HTTP POST beacons I studied when developing these. They set a flowbit based on a characteristic, and then a final signature at the bottom checks geolocation and does an individual sig message. Originally I wanted this to be contained within each rule, but any time I added the geoip to the characteristic rule it broke the rule :-S No idea why, unless someone does?

- If you wish to use it I would advise focusing on only 1 characteristic rule over a time period, or a small set. Whether geolocation is in the individual rule or you are using them like this with flowbits, whitelist your local country if possible. That said, while the US is big for traffic and may be many of your local countries, CnC servers being hosted there is very popular; if you are in a country with heavy hosting of CnC servers you can take the choice: negate it to avoid FPs and lose the visibility, or leave it. Still, this is very much a local choice for countries which are common for your traffic concentrations for any local and other apps.

- Using negations, threshold.conf, etc., whitelist each of these things until it is tuned to your network. I have attached a PCAP of Yakes from a sandbox, from a live sample my monitoring carved out a few hours ago as it came in, so you can validate.

As I said, very experimental and it will always be very local, but I have eventually gotten to a good point with it and it has detected everything from Kuluoz, Yakes, Adware and a load of other CnC in my network (although often other sigs may be present). Also I test against PCAPs and even match up to blog posts about malware to see if those would have fired for new malware that is found. A bit of work and not for everyone, but it has potential for those who think this might be handy for them.

As I mentioned before, any improvements (especially performance & accuracy), new detection parameters etc. SHARE.

Kind Regards,
Kevin Ross

# Set potential CnC Beacon Characteristics
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC HTTP POST With No Referer To IP - Short  URI"; flow:established,to_server; urilen:1<>25; content:"POST"; http_method; content:!"ocsp"; http_header; content:!"/AVIS/postSuspectSample"; http_uri; content:!"/api/"; http_uri; content:!"Referer|3A|";  http_header; content:!"Cookie|3A|"; http_header; content:!"avast.com"; http_header; content:!".google.com"; http_header; content:!".amazonaws.com|0D 0A|"; http_header; content:!".macromedia.com|0D 0A|"; http_header; content:!"microsoft.com|0D 0A|"; http_header; content:!".blackberry.com|0D 0A|"; http_header; content:!" Shockwave Flash"; http_header; content:"Content-Length|3A 20|"; http_header; content:!"0"; http_header; within:1;  content:"Host|3A 20|"; http_header; content:"|2E|"; http_header; distance:1; within:3; content:"|2E|";  http_header; distance:1; within:3;content:"|2E|"; http_header; distance:1; within:3; content:"|0D 0A|";  http_header; distance:1; within:4; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x0D\x0A/H";  pcre:"/Content-Length\x3A\x20\d{1,3}\x0D\x0A/H"; flowbits:set,cncbeacon; flowbits:noalert; classtype:trojan-activity; sid:1323991; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC HTTP POST With No Referer To IP - Long  URI"; flow:established,to_server; urilen:>65; content:"POST"; http_method; content:!"Referer|3A|";  http_header; content:!"Cookie|3A|"; http_header; content:!"ocsp"; http_header; content:!".google.com"; http_header; content:!"avast.com"; http_header; content:!".amazonaws.com|0D 0A|"; http_header; content:!".macromedia.com|0D 0A|"; http_header; content:!"microsoft.com|0D 0A|"; http_header; content:!".blackberry.com|0D 0A|"; http_header; content:!" Shockwave Flash"; http_header; content:"Content-Length|3A 20|"; http_header; content:!"0"; http_header; within:1;  content:"Host|3A 20|"; http_header; content:"|2E|"; http_header; distance:1; within:3; content:"|2E|";  http_header; distance:1; within:3;content:"|2E|"; http_header; distance:1; within:3; content:"|0D 0A|";  http_header; distance:1; within:4; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x0D\x0A/H";  pcre:"/Content-Length\x3A\x20\d{1,3}\x0D\x0A/H"; flowbits:set,cncbeacon; flowbits:noalert; classtype:trojan-activity; sid:1323992; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC HTTP POST With No Referer And User Agent"; flow:established,to_server; content:"POST"; http_method; content:!"/api/"; http_uri; content:!"Referer|3A|"; http_header; content:!"User-Agent|3A|"; http_header; content:!"ocsp"; http_header; content:!".google.com"; http_header; content:!"avast.com"; http_header; content:!".amazonaws.com|0D 0A|"; http_header; content:!".macromedia.com|0D 0A|"; http_header; content:!"Cookie|3A|"; http_header; content:!"microsoft.com|0D 0A|"; http_header; content:!".blackberry.com|0D 0A|"; http_header; content:!" Shockwave Flash"; http_header; content:"Content-Length|3A 20|"; http_header; content:!"0";  http_header; within:1; pcre:"/Content-Length\x3A\x20\d{1,3}\x0D\x0A/H"; flowbits:set,cncbeacon; flowbits:noalert; classtype:trojan-activity; sid:1323994; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC HTTP POST With No Referer And A Single Parameter Defined In Body"; flow:established,to_server; content:"POST"; http_method; content:!"/api/"; http_uri; content:!"ocsp"; http_header; content:!"/smartcard/agent.asp"; http_uri; content:!"Referer|3A|"; http_header; content:!"Cookie|3A|"; http_header; content:!"avast.com"; http_header; content:!".google.com"; http_header; content:!".amazonaws.com|0D 0A|"; http_header; content:"Content-Length|3A 20|"; http_header; content:!"0"; http_header; within:1; content:"="; http_client_body; depth:10; content:!"|0A|"; http_client_body; distance:0; content:!"&"; http_client_body; distance:0; pcre:"/[a-z0-9\x5F\x2D]{1,9}\x3D[^\r\n]*$/smi"; flowbits:set,cncbeacon; flowbits:noalert; classtype:trojan-activity; sid:1323995; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC HTTP POST With No Referer And URI Terminating On Forward Slash Character"; flow:established,to_server; content:"POST"; http_method; urilen:>2; content:!"ocsp"; http_header; content:!"/api/"; http_uri; content:"/ HTTP/1."; fast_pattern; content:!"Referer|3A|"; http_header; content:!"avast.com"; http_header; content:!".google.com"; http_header; content:!".amazonaws.com|0D 0A|"; http_header; content:!".macromedia.com|0D 0A|"; http_header; content:!"microsoft.com|0D 0A|"; http_header; content:!".blackberry.com|0D 0A|"; http_header; content:!" Shockwave Flash"; http_header; content:"Content-Length|3A 20|"; http_header; content:!"0"; http_header; within:1; pcre:"/\x2F$/U"; pcre:"/Content-Length\x3A\x20\d{1,3}\x0D\x0A/H"; flowbits:set,cncbeacon; flowbits:noalert; classtype:trojan-activity; sid:1923996; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC HTTP POST With No Referer And URI Terminating On Question Mark"; flow:established,to_server; content:"POST"; http_method; urilen:>2; content:!"ocsp"; http_header; content:!"/api/"; http_uri; content:"? HTTP/1."; fast_pattern; content:!"Referer|3A|"; http_header; content:!"Cookie|3A|"; http_header; content:!"avast.com"; http_header; content:!".google.com"; http_header; content:!".amazonaws.com|0D 0A|"; http_header; content:!".macromedia.com|0D 0A|"; http_header; content:!"microsoft.com|0D 0A|"; http_header; content:!".blackberry.com|0D 0A|"; http_header; content:!" Shockwave Flash"; http_header; content:"Content-Length|3A 20|"; http_header; content:!"0"; http_header; within:1; pcre:"/\x3F$/U"; pcre:"/Content-Length\x3A\x20\d{1,3}\x0D\x0A/H"; flowbits:set,cncbeacon; flowbits:noalert; classtype:trojan-activity; sid:1323997; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"MALWARE-CNC HTTP POST With No Referer To IP On Off HTTP  Port"; flow:established,to_server; content:"POST"; http_method; content:!"/api/"; http_uri; content:!"Referer|3A|"; http_header; content:!"Cookie|3A|"; http_header; content:!"ocsp"; http_header; content:!".google.com|0D 0A|"; http_header; content:!"avast.com"; http_header; content:!".amazonaws.com|0D 0A|"; http_header; content:!".macromedia.com|0D 0A|"; http_header; content:!"microsoft.com|0D 0A|"; http_header; content:!".blackberry.com|0D 0A|"; http_header; content:!" Shockwave Flash"; http_header; content:"Host|3A 20|"; http_header; content:"|2E|"; http_header; distance:1; within:3; content:"|2E|"; http_header; distance:1;  within:3;content:"|2E|"; http_header; distance:1; within:3; content:"|3A|"; http_header; distance:1;  within:3; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x3A\d{1,5}\x0D\x0A/H"; flowbits:set,cncbeacon; flowbits:noalert; classtype:trojan-activity; sid:1323998; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC POST With No Referer With URI Made Up Of Hex Characters"; flow:established,to_server; urilen:>11; content:"POST"; http_method; content:!"|2E|"; http_uri; content:!"?"; http_uri; content:!"ocsp"; http_header; content:!"avast.com"; http_header; content:!"Referer|3A|"; http_header; pcre:"/^\x2F[A-F0-9\x2F]{12,400}$/Ui"; flowbits:set,cncbeacon; flowbits:noalert; classtype:trojan-activity; sid:1424001; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC POST With No Referer And NSIS User-Agent"; flow:established,to_server; content:"POST"; http_method; content:"NSIS"; http_header; fast_pattern; content:!"Referer"; http_header; pcre:"/User\x2DAgent\x3A\x20[^\r\n]*NSIS/H"; flowbits:set,cncbeacon; flowbits:noalert; classtype:trojan-activity; sid:1424002; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC POST with No Referer And Base64 Encoded Data"; flow:established,to_server; content:"POST"; fast_pattern; http_method; content:"Content-Length|3A 20|"; http_header; content:"|0D 0A|"; http_header; distance:1; within:4; content:!"Referer|3A|"; http_header; content:!"ocsp"; http_header; content:!"avast.com"; content:"|0D 0A 0D 0A|"; isdataat:4,relative; pcre:"/\x0D\x0A\x0D\x0A(?:[a-z0-9+/]{4})*(?:[a-z0-9+/]{2}==|[a-z0-9+/]{3}=)?$/smi"; flowbits:set,cncbeacon; flowbits:noalert; classtype:trojan-activity; sid:1424004; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"MALWARE-CNC POST Off HTTP PORT With Uncommon TLD"; flow:established,to_server; content:"POST"; http_method; content:!".uk"; http_header; content:!"ocsp"; http_header; content:!".gov"; http_header; content:!".org"; http_header; content:!".com"; http_header; content:"nhs"; http_header; pcre:"/Host\x3A\x20[^\r\n]+\x2E[a-z]{2,4}\x3A\d{2,5}\x0D\x0A/H"; classtype:trojan-activity; flowbits:set,cncbeacon; flowbits:noalert; sid:1424006; rev:1;)

# alert on likely CNC Beacon requests ignoring FP countries
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Potential Malware CnC Beaconing Activity"; flow:established,to_server; flowbits:isset,cncbeacon; geoip:dst,!US,GB,IE,EU; classtype:trojan-activity; sid:1425000; rev:1;)
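To show how the flowbit staging in the characteristic rules above fits together, and how the Host pcre in the Pgift rule at the top of the page handles the optional port that the first post asks about, here is an added Python evaluator (not code from any post on this list, and not Suricata) that re-implements four of the posted checks over constructed requests. The destination port, destination country and all sample requests are assumptions supplied inline; 198.51.100.23 is a documentation address.

```python
"""Added example (not Suricata, not from the posts): four of the posted checks in
Python. Parse a raw request, set a simulated 'cncbeacon' flowbit when a
characteristic matches, then apply the final geoip-style country filter."""
import re
from dataclasses import dataclass, field

# Host fragments the posted rules negate to drop known benign POST sources.
NEGATED_HOSTS = (".google.com", "avast.com", ".amazonaws.com",
                 ".macromedia.com", "microsoft.com", ".blackberry.com")

# The rules' /H pcres as Python regexes over the raw header block.
HOST_IP_ANY_PORT = re.compile(   # sid 123991: the ':port' suffix is optional
    r"Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}(\x0D\x0A|\x3A\d{2,5}\x0D\x0A)")
HOST_IP_NO_PORT = re.compile(    # sid 1323991
    r"Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x0D\x0A")
HOST_IP_WITH_PORT = re.compile(  # sid 1323998
    r"Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x3A\d{1,5}\x0D\x0A")
# Content-Length of 1-3 digits not starting with '0' (content:!"0"; within:1)
SMALL_CONTENT_LENGTH = re.compile(r"Content-Length\x3A\x20[1-9]\d{0,2}\x0D\x0A")
LONG_PLAIN_URI = re.compile(r"^\x2F[a-z0-9\x2E\x3F\x2F\x3D]{255,}$", re.I)  # sid 1424007

@dataclass
class Request:
    method: str
    uri: str
    headers: dict              # lower-cased name -> value
    header_block: str          # header lines with CRLFs, what the /H pcres see
    body: bytes
    flowbits: set = field(default_factory=set)

def parse_request(raw: bytes) -> Request:
    """Minimal HTTP/1.x request splitter, enough for the constructed samples."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, uri, headers, "\r\n".join(lines[1:]) + "\r\n", body)

def _common_negations(req: Request) -> bool:
    """Shared pre-conditions: POST, no Referer/Cookie, no 'ocsp', no /api/, no whitelisted host."""
    if req.method != "POST" or "referer" in req.headers or "cookie" in req.headers:
        return False
    if "ocsp" in req.header_block or "/api/" in req.uri:
        return False
    return not any(h in req.header_block for h in NEGATED_HOSTS)

def pgift_beacon(req: Request, dst_port: int) -> bool:
    """sid 123991: POST /pgift.asp, fixed User-Agent, bare-IP Host on any port."""
    return (req.method == "POST" and req.uri.startswith("/pgift.asp")
            and "User-Agent: Mozilla/4.0 (compatible;)" in req.header_block
            and HOST_IP_ANY_PORT.search(req.header_block) is not None)

def short_uri_to_ip(req: Request, dst_port: int) -> bool:
    """sid 1323991: urilen:1<>25, small Content-Length, Host is an IP without port."""
    return (_common_negations(req) and 1 < len(req.uri) < 25
            and SMALL_CONTENT_LENGTH.search(req.header_block) is not None
            and HOST_IP_NO_PORT.search(req.header_block) is not None)

def ip_on_off_port(req: Request, dst_port: int) -> bool:
    """sid 1323998: destination port is not 80 and Host is IP:port."""
    return (dst_port != 80 and _common_negations(req)
            and HOST_IP_WITH_PORT.search(req.header_block) is not None)

def long_uri_no_params(req: Request, dst_port: int) -> bool:
    """sid 1424007: URI over 255 bytes with no '&' and no Referer."""
    return (len(req.uri) > 255 and "&" not in req.uri and "referer" not in req.headers
            and LONG_PLAIN_URI.match(req.uri) is not None)

CHARACTERISTICS = {123991: pgift_beacon, 1323991: short_uri_to_ip,
                   1323998: ip_on_off_port, 1424007: long_uri_no_params}
# Final rule (sid 1425000): geoip:dst,!US,GB,IE,EU -> alert only for other countries.
IGNORED_DST_COUNTRIES = {"US", "GB", "IE", "EU"}

def evaluate(raw: bytes, dst_port: int, dst_country: str):
    """Return (matched sids, alert flag); dst_port/dst_country stand in for flow metadata and geoip."""
    req = parse_request(raw)
    matched = [sid for sid, check in CHARACTERISTICS.items() if check(req, dst_port)]
    if matched:
        req.flowbits.add("cncbeacon")   # flowbits:set,cncbeacon; flowbits:noalert
    alert = "cncbeacon" in req.flowbits and dst_country not in IGNORED_DST_COUNTRIES
    return matched, alert

# Constructed sample requests (not captured traffic); 198.51.100.23 is TEST-NET-2.
BEACON = (b"POST /pgift.asp HTTP/1.1\r\nHost: 198.51.100.23:8080\r\n"
          b"User-Agent: Mozilla/4.0 (compatible;)\r\nContent-Length: 12\r\n\r\nid=CONSTRUCT")
BENIGN = (b"POST /api/v1/upload HTTP/1.1\r\nHost: www.example.com\r\nReferer: https://www.example.com/\r\n"
          b"Cookie: session=abc\r\nContent-Length: 11\r\n\r\nfoo=1&bar=2")
LONG_URI = (b"POST /" + b"a" * 300 + b" HTTP/1.1\r\nHost: 198.51.100.23\r\n"
            b"Content-Length: 1\r\n\r\nx")

if __name__ == "__main__":
    for raw, port, cc in [(BEACON, 8080, "CN"), (BEACON, 8080, "US"),
                          (BENIGN, 443, "CN"), (LONG_URI, 80, "RU")]:
        print(port, cc, evaluate(raw, port, cc))
```

Note that the same beacon on port 8080 trips sid 1323998 rather than 1323991, because the latter's Host pcre requires the CRLF directly after the fourth octet, while the Pgift rule's optional group matches with or without the port.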


Francis Trudeau | 30 Jul 23:47 2014

Daily Ruleset Update Summary 07/30/2014

 [***] Summary: [***]

 48 new Open signatures,  55 new Pro (48 + 7).  Sitelutions
DYNAMIC_DNS detection, EZpass phish, Various Android.

 Thanks:   @MalwareMustDie, @jaimeblascob, Balasubramaniam Natarajan, ABUSE.CH

 Open:

  2018807 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (ZeuS MITM) (trojan.rules)
  2018808 - ET TROJAN DoS.Linux/Elknot.G Checkin (trojan.rules)
  2018809 - ET INFO DYNAMIC_DNS HTTP Request to *.passinggas.net
Domain (Sitelutions) (info.rules)
  2018810 - ET INFO DYNAMIC_DNS Query to *.passinggas.net Domain
(Sitelutions) (info.rules)
  2018811 - ET INFO DYNAMIC_DNS HTTP Request to *.myredirect.us Domain
(Sitelutions) (info.rules)
  2018812 - ET INFO DYNAMIC_DNS Query to *.myredirect.us Domain
(Sitelutions) (info.rules)
  2018813 - ET INFO DYNAMIC_DNS HTTP Request to *.rr.nu Domain
(Sitelutions) (info.rules)
  2018814 - ET INFO DYNAMIC_DNS Query to *.rr.nu Domain (Sitelutions)
(info.rules)
  2018815 - ET INFO DYNAMIC_DNS HTTP Request to *.kwik.to Domain
(Sitelutions) (info.rules)
  2018816 - ET INFO DYNAMIC_DNS Query to *.kwik.to Domain
(Sitelutions) (info.rules)
  2018817 - ET INFO DYNAMIC_DNS HTTP Request to *.myfw.us Domain
(Sitelutions) (info.rules)
  2018818 - ET INFO DYNAMIC_DNS Query to *.myfw.us Domain
(Sitelutions) (info.rules)
  2018819 - ET INFO DYNAMIC_DNS HTTP Request to *.ontheweb.nu Domain
(Sitelutions) (info.rules)
  2018820 - ET INFO DYNAMIC_DNS Query to *ontheweb.nu Domain
(Sitelutions) (info.rules)
  2018821 - ET INFO DYNAMIC_DNS HTTP Request to *.isthebe.st Domain
(Sitelutions) (info.rules)
  2018822 - ET INFO DYNAMIC_DNS Query to *isthebe.st Domain
(Sitelutions) (info.rules)
  2018823 - ET INFO DYNAMIC_DNS HTTP Request to *.byinter.net Domain
(Sitelutions) (info.rules)
  2018824 - ET INFO DYNAMIC_DNS Query to *byinter.net Domain
(Sitelutions) (info.rules)
  2018825 - ET INFO DYNAMIC_DNS HTTP Request to *.findhere.org Domain
(Sitelutions) (info.rules)
  2018826 - ET INFO DYNAMIC_DNS Query to *findhere.org Domain
(Sitelutions) (info.rules)
  2018827 - ET INFO DYNAMIC_DNS HTTP Request to *.onthenetas.com
Domain (Sitelutions) (info.rules)
  2018828 - ET INFO DYNAMIC_DNS Query to *onthenetas.com Domain
(Sitelutions) (info.rules)
  2018829 - ET INFO DYNAMIC_DNS HTTP Request to *.uglyas.com Domain
(Sitelutions) (info.rules)
  2018830 - ET INFO DYNAMIC_DNS Query to *uglyas.com Domain
(Sitelutions) (info.rules)
  2018831 - ET INFO DYNAMIC_DNS HTTP Request to *.assexyas.com Domain
(Sitelutions) (info.rules)
  2018832 - ET INFO DYNAMIC_DNS Query to *assexyas.com Domain
(Sitelutions) (info.rules)
  2018833 - ET INFO DYNAMIC_DNS HTTP Request to *.passas.us Domain
(Sitelutions) (info.rules)
  2018834 - ET INFO DYNAMIC_DNS Query to *passas.us Domain
(Sitelutions) (info.rules)
  2018835 - ET INFO DYNAMIC_DNS HTTP Request to *.athissite.com Domain
(Sitelutions) (info.rules)
  2018836 - ET INFO DYNAMIC_DNS Query to *atthissite.com Domain
(Sitelutions) (info.rules)
  2018837 - ET INFO DYNAMIC_DNS HTTP Request to *.athersite.com Domain
(Sitelutions) (info.rules)
  2018838 - ET INFO DYNAMIC_DNS Query to *athersite.com Domain
(Sitelutions) (info.rules)
  2018839 - ET INFO DYNAMIC_DNS HTTP Request to *.isgre.at Domain
(Sitelutions) (info.rules)
  2018840 - ET INFO DYNAMIC_DNS Query to *isgre.at Domain
(Sitelutions) (info.rules)
  2018841 - ET INFO DYNAMIC_DNS HTTP Request to *.lookin.at Domain
(Sitelutions) (info.rules)
  2018842 - ET INFO DYNAMIC_DNS Query to *lookin.at Domain
(Sitelutions) (info.rules)
  2018843 - ET INFO DYNAMIC_DNS HTTP Request to *.bestdeals.at Domain
(Sitelutions) (info.rules)
  2018844 - ET INFO DYNAMIC_DNS Query to *bestdeals.at Domain
(Sitelutions) (info.rules)
  2018845 - ET INFO DYNAMIC_DNS HTTP Request to *.lowestprices.at
Domain (Sitelutions) (info.rules)
  2018846 - ET INFO DYNAMIC_DNS Query to *lowestprices Domain
(Sitelutions) (info.rules)
  2018847 - ET INFO DYNAMIC_DNS HTTP Request to *.passinggas.net
Domain (Sitelutions) (info.rules)
  2018848 - ET INFO DYNAMIC_DNS Query to *.passinggas.net Domain
(Sitelutions) (info.rules)
  2018849 - ET CURRENT_EVENTS Possible Upatre SSL Cert
www.senorwooly.com (current_events.rules)
  2018850 - ET CURRENT_EVENTS Possible Upatre SSL Cert ns2.sicher.in
(current_events.rules)
  2018851 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (KINS C2) (trojan.rules)
  2018852 - ET TROJAN Malicious SSL Cert (KINS C2) (trojan.rules)
  2018853 - ET CURRENT_EVENTS Possible Phishing E-ZPass Email Toll
Notification July 30 2014 (current_events.rules)
  2018855 - ET TROJAN Possible ClickFraud Trojan Socks5 Connection
(trojan.rules)

 Pro:

  2808472 - ETPRO TROJAN PWS-Banker!dg Callback (trojan.rules)
  2808473 - ETPRO MOBILE_MALWARE Android/SmsSend.EI Checkin
(mobile_malware.rules)
  2808474 - ETPRO P2P P2PShare Client Installed Checkin (p2p.rules)
  2808475 - ETPRO TROJAN Win32/Reveton.gen!C Checkin (trojan.rules)
  2808476 - ETPRO MALWARE Win32/Unruy Variant Checkin (malware.rules)
  2808477 - ETPRO MOBILE_MALWARE Android.Trojan.Portal.A Checkin
(mobile_malware.rules)
  2808478 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.AK Checkin
(mobile_malware.rules)

 [///]     Modified active rules:     [///]

  2018786 - ET CURRENT_EVENTS Sweet Orange EK CDN Landing Page
(current_events.rules)
  2018799 - ET TROJAN Win32/Gatak Activity (trojan.rules)
  2804419 - ETPRO MALWARE Riskware.Win32.SoftonicDownloader.AMN!A2
Install (malware.rules)
  2807775 - ETPRO TROJAN Win32/Injector.gen!ER Checkin (trojan.rules)
  2808313 - ETPRO TROJAN Win32.Tavex.A Checkin 2 (trojan.rules)
  2808314 - ETPRO TROJAN Win32.Tavex.A Checkin 1 (trojan.rules)
  2808375 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.RZ Checkin
(mobile_malware.rules)

 [---]         Removed rules:         [---]

  2808422 - ETPRO TROJAN Win32/Caphaw.A SSL Cert Serial (trojan.rules)
Will Metcalf | 30 Jul 17:02 2014

Does anybody know what this is?

Does anybody know of a protocol/application, legit or otherwise, that starts with "socks5init:" in the first 11 bytes of the packet talking to a server, generally in the lower 8k port range? I've seen some malware exhibit this behavior, but when I went to test this sig in the world I got a lot of hits. This could be a completely legit proto but it is new to me. I have hits all over the globe. Any ideas?

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET Unknown Socks5 Connection not socks5"; flow:to_server,established; content:"socks5init|3a|"; depth:11; sid:123131; rev:1; classtype:bad-unknown; reference:md5,2a0e042fdb2d85c2abf8bd35499ee1aa; reference:md5,c4d3db0eadc650372225d0093cd442ba; reference:md5,4c1f7c4f6d00869a6fca9fdcbadc9633; threshold: type limit, track by_src, count 1, seconds 120;)

Regards,

Will
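To make the posted signature's behaviour concrete, here is an added Python model (not Emerging Threats code, and not a Snort/Suricata implementation) of the two pieces that decide whether it fires: the `content` match confined by `depth:11`, and the `threshold: type limit, track by_src, count 1, seconds 120` suppression. It also shows why the `msg` says "not socks5": a genuine RFC 1928 client hello is binary (`0x05`, NMETHODS, methods), nothing like the ASCII `socks5init:` prefix. The flows are constructed samples, not captured traffic.

```python
"""Model of how the posted 'socks5init:' signature matches and how its
threshold suppresses repeat alerts. Added illustration, not ET code."""
from typing import Dict, Iterable, List, Tuple

NEEDLE = b"socks5init:"   # content:"socks5init|3a|"
DEPTH = 11                # depth:11 -> the match must lie within the first 11 payload bytes
LIMIT_COUNT = 1           # threshold: type limit, count 1 ...
LIMIT_SECONDS = 120       # ... seconds 120, track by_src


def content_matches(payload: bytes) -> bool:
    """'content' restricted by 'depth:N' only inspects payload[:N]; because the
    needle is itself 11 bytes long, it has to start at offset 0 to match."""
    return NEEDLE in payload[:DEPTH]


def is_rfc1928_greeting(payload: bytes) -> bool:
    """A genuine SOCKS5 client hello is binary: VER=0x05, NMETHODS, then that
    many method bytes. The ASCII 'socks5init:' prefix is not SOCKS5 at all."""
    if len(payload) < 2 or payload[0] != 0x05:
        return False
    nmethods = payload[1]
    return nmethods >= 1 and len(payload) == 2 + nmethods


class LimitThreshold:
    """threshold type 'limit': alert on the first COUNT events per tracked key
    inside a SECONDS window that opens at the first event, then stay quiet
    until the window expires."""

    def __init__(self, count: int = LIMIT_COUNT, seconds: int = LIMIT_SECONDS):
        self.count = count
        self.seconds = seconds
        self.windows: Dict[str, Tuple[float, int]] = {}  # key -> (window_start, seen)

    def allow(self, key: str, ts: float) -> bool:
        start, seen = self.windows.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, seen = ts, 0            # open a fresh window
        seen += 1
        self.windows[key] = (start, seen)
        return seen <= self.count


def run_rule(flows: Iterable[Tuple[float, str, int, bytes]]) -> List[Tuple[float, str]]:
    """flows: (timestamp_seconds, src_ip, dst_port, first_payload_bytes) in time order.
    Returns the (timestamp, src_ip) pairs that would actually raise an alert."""
    th = LimitThreshold()
    alerts = []
    for ts, src, _dport, payload in flows:
        if content_matches(payload) and th.allow(src, ts):   # track by_src
            alerts.append((ts, src))
    return alerts


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    (0.0,   "10.0.0.5", 6000, b"socks5init:abcdef"),          # match -> alert
    (5.0,   "10.0.0.6", 1080, b"\x05\x01\x00"),               # real SOCKS5 hello -> no match
    (6.0,   "10.0.0.7", 7000, b"x" * 5 + b"socks5init:"),     # needle not within first 11 bytes
    (30.0,  "10.0.0.5", 6000, b"socks5init:ghijkl"),          # match, but inside the 120 s window
    (130.0, "10.0.0.5", 6000, b"socks5init:mnopqr"),          # window expired -> alert again
]

if __name__ == "__main__":
    for ts, src in run_rule(SAMPLE_FLOWS):
        print(f"t={ts:>6} alert from {src}")
```

Running it yields two alerts for 10.0.0.5 (at t=0 and t=130) and none for the other two sources: the second hit from the same host inside the window is swallowed by the limit, and the payload whose prefix starts at offset 5 never satisfies `depth:11`. When testing a sig "in the world" this matters, because a `limit` threshold reports at most one event per source per window, so the raw hit count understates how chatty the protocol really is.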
Leonard Jacobs | 30 Jul 04:58 2014

sid:2101616 not dropping in Suricata

I have SID 2101616 set to Drop in Suricata but it will not drop. What could be causing this?

Thanks.

Leonard
Francis Trudeau | 30 Jul 03:11 2014

Daily Ruleset Update Summary 07/29/2014

 [***] Summary: [***]

 7 new Pro signatures, 18 new Pro (7+11).  Upatre, Various AndroidOS,
Password Stealer.

 Thanks:  Kevin Ross.

 [+++]          Added rules:          [+++]

 Open:

  2018800 - ET SCAN Chroot-apache0day Unknown Web Scanner User Agent
(scan.rules)
  2018801 - ET CURRENT_EVENTS Possible Upatre SSL Cert disenart.info
(current_events.rules)
  2018802 - ET CURRENT_EVENTS Possible Upatre SSL Cert host-galaxy.com
(current_events.rules)
  2018803 - ET CURRENT_EVENTS Possible Upatre SSL Cert
fxbingpanel.fareexchange.co.uk (current_events.rules)
  2018804 - ET CURRENT_EVENTS Possible Upatre SSL Cert
66h.66hosting.net (current_events.rules)
  2018805 - ET CURRENT_EVENTS Possible Upatre SSL Cert
businesswebstudios.com (current_events.rules)
  2018806 - ET CURRENT_EVENTS Possible Upatre SSL Cert
udderperfection.com (current_events.rules)

 Pro:

  2808461 - ETPRO MALWARE Win32/BrowseFox.H Checkin 2 (malware.rules)
  2808462 - ETPRO MOBILE_MALWARE AndroidOS/GinMaster.AR Checkin
(mobile_malware.rules)
  2808463 - ETPRO TROJAN Win32/Viknok.D Checkin 1 (trojan.rules)
  2808464 - ETPRO TROJAN Win32/Viknok.D Checkin 2 (trojan.rules)
  2808465 - ETPRO TROJAN Password Stealer MSIL/VOJIN.A Sending Stolen
Info (trojan.rules)
  2808466 - ETPRO MOBILE_MALWARE AndroidOS/FakePlayer.A Checkin
(mobile_malware.rules)
  2808467 - ETPRO MOBILE_MALWARE Android/SMForw.BV Checkin
(mobile_malware.rules)
  2808468 - ETPRO TROJAN Worm MSIL/Vonriamt.A Checkin 1 (trojan.rules)
  2808469 - ETPRO TROJAN Worm MSIL/Vonriamt.A Checkin 2 (trojan.rules)
  2808470 - ETPRO TROJAN Password Stealer MSIL/Vonriamt.A Checkin 3
(trojan.rules)
  2808471 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.FakeInst.a
Checkin 3 (mobile_malware.rules)

 [///]     Modified active rules:     [///]

  2018785 - ET CURRENT_EVENTS Possible ShellCode Passed as Argument to
FlashVars (current_events.rules)
  2807692 - ETPRO TROJAN Trojan.Banker.ACF Checkin (trojan.rules)
Hendrik Adrian | 29 Jul 17:16 2014

(no subject)

Hello Will, Matt,
Cc: all

A sophisticatedly made DDoS ELF botnet tool has been detected, suggesting a bruter component.
Verdict is in the VirusTotal comment I wrote: https://www.virustotal.com/en/file/92c87b7bddb66de8a5a27d944b5d4b46c59b38047b8a5fc381118c615c3775f9/analysis/

There is not much in the callback pcap except the PUSH/ACK packet containing the CNC communication, no headers. The investigation is ongoing.

Please see the attached image file, and kindly advise if there's anything that can be done in ET to block this communication, if it is not applied yet.
But I think a generic alert is being generated for this communication already, yes?

I was stripping the pcap but there is too much private data attached.. I still don't think I can share it.. very sorry,

Sincerely

Rick
MalwareMustDie.org
Kevin Ross | 29 Jul 11:34 2014

SIG: ET SCAN Chroot-apache0day Unknown Web Scanner User Agent

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Chroot-apache0day Unknown Web Scanner User Agent"; flow:established,to_server; content:"User-agent|3A| chroot-apach0day"; http_header; fast_pattern:12,16; classtype:attempted-recon; reference:url,isc.sans.edu/forums/diary/Interesting+HTTP+User+Agent+chroot-apach0day+/18453; sid:1239991; rev:1;)

Kind Regards,
Kevin Ross
Francis Trudeau | 29 Jul 00:12 2014

Daily Ruleset Update Summary 07/28/2014

 [***] Summary: [***]

 12 new Open signatures, 26 new Pro (12+14).  FlashPack EK, Omeka 2.2
CSRF, Upatre, Various Android.

 Thanks:   @EKWatcher, vlintelligence,  @abuse_ch

 [+++]          Added rules:          [+++]

 Open:

  2018788 - ET TROJAN Possible CryptoWall encrypted download (trojan.rules)
  2018789 - ET POLICY TLS possible TOR SSL traffic (policy.rules)
  2018790 - ET CURRENT_EVENTS Possible Upatre SSL Cert
server.abaphome.net (current_events.rules)
  2018791 - ET CURRENT_EVENTS Possible Upatre SSL Cert 1stopmall.us
(current_events.rules)
  2018792 - ET MOBILE_MALWARE Worm.AndroidOS.Selfmite.a Checkin
(mobile_malware.rules)
  2018793 - ET TROJAN EUPUDS.A Requests for Boleto replacement  (trojan.rules)
  2018794 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Secondary
Landing June 28 2014 (current_events.rules)
  2018795 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Plugin Detect IE
Exploit (current_events.rules)
  2018796 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Plugin Detect
Java Exploit (current_events.rules)
  2018797 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Plugin Detect
Flash Exploit (current_events.rules)
  2018798 - ET TROJAN Infostealer.KLPROXY Checkin via SMTP (trojan.rules)
  2018799 - ET TROJAN Win32/Gatak Activity (trojan.rules)

 Pro:

  2808447 - ETPRO MOBILE_MALWARE Android/SMSreg.CL Checkin
(mobile_malware.rules)
  2808448 - ETPRO TROJAN Carberp/Rovnix Proxy Connection (trojan.rules)
  2808449 - ETPRO TROJAN Win32/Lmir.BMR Checkin (trojan.rules)
  2808450 - ETPRO TROJAN REVETON CnC SET (trojan.rules)
  2808451 - ETPRO TROJAN REVETON CnC OUTBOUND (trojan.rules)
  2808452 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Faketoken.a
Checkin 2 (mobile_malware.rules)
  2808453 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.GingerMaster.a
Checkin 6 (mobile_malware.rules)
  2808454 - ETPRO MOBILE_MALWARE Android/SMForw.CB Checkin
(mobile_malware.rules)
  2808455 - ETPRO MALWARE PUP Win32/Toolbar.Conduit Checkin 2 (malware.rules)
  2808456 - ETPRO MOBILE_MALWARE Android/Spy.GoldDream.C Checkin
(mobile_malware.rules)
  2808457 - ETPRO EXPLOIT Kolibri WebServer 2.0 Get Request SEH
Exploit (exploit.rules)
  2808458 - ETPRO EXPLOIT Omeka 2.2 CSRF Add Super User (exploit.rules)
  2808459 - ETPRO EXPLOIT Omeka 2.2 CSRF Add Persistent XSS (exploit.rules)
  2808460 - ETPRO EXPLOIT Omeka 2.2 CSRF Disable Fie Validation (exploit.rules)

 [///]     Modified active rules:     [///]

  2002400 - ET USER_AGENTS Suspicious User Agent (Microsoft Internet
Explorer) (user_agents.rules)
  2013508 - ET TROJAN Downloader User-Agent HTTPGET (trojan.rules)
  2018745 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
certificate detected (KINS C2) (trojan.rules)
  2807276 - ETPRO MALWARE Adware/GetFaster Checkin (malware.rules)

 [---]         Removed rules:         [---]

  2808428 - ETPRO TROJAN Win32/Rhubot.A Checkin (trojan.rules)
Darren Spruell | 26 Jul 08:21 2014

PF block rules and stateful filtering

Apologies if already raised or if I'm found to be a lunatic afterward
(emailing late on a Friday is never recommended).

http://rules.emergingthreats.net/fwrules/emerging-PF-CC.rules

block in log (all) quick on $ext_if from <ET> to any

This is the rule used in all emerging-PF-*.rules files.

As written, the PF rule will block inbound connections from Internet C&C
servers into your environment. Since PF rules are implicitly stateful,
this would not apply to connections established out _to_ C&C servers
which limits its usefulness. :)

http://rules.emergingthreats.net/fwrules/emerging-PF-DROP.rules

Same story, although denying inbound connections from DROP hosts is
valuable. Probably still want to drop connections to them as well.

Also, the addresses on this one look to be missing the CIDR mask (IPs
all ending in .0).

http://rules.emergingthreats.net/fwrules/emerging-PF-DSHIELD.rules

The addresses on this one look to be missing the CIDR mask too.

I propose a small modification to the rule in each file to the following
pair:

block log quick from <ET> to any
block log quick from any to <ET>

Removes the dependency on the definition of the interface macro, and the
explicit direction on the interface, making it so it will drop traffic
going any direction on any interface. The 'from' and 'to' are still
required though so that imposes some directionality and requires two
rules for blocking out to or in from listed hosts.

The above can also be written more succinctly but with somewhat less
clarity:

block log quick from <ET>
block log quick to <ET>

In either case the rules parse in modern versions of PF and expand as
follows when loaded:

 @0 block drop log (all) quick from <ET:0> to any
 @1 block drop log (all) quick from any to <ET:0>

They should probably be tested on less modern versions of PF (FreeBSD and
OS X both run significantly behind OpenBSD's PF) if desired.

-- 
Darren Spruell
dspruell@...
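The two observations in the post (entries that look like networks with the CIDR mask dropped, and a `block in ... on $ext_if` rule that only covers inbound connections) are both things an operator can check before loading a feed into PF. The following is an added Python audit script, not Emerging Threats code, and it assumes the feed has the shape `table <ET> persist { ... }` followed by the block rule; the address list below is a constructed sample using documentation prefixes, not the real DROP or DSHIELD data.

```python
"""Audit an ET-style PF table file for entries that look like networks whose
CIDR mask was dropped, and emit the two-direction block pair proposed above.
Added illustration, not Emerging Threats code; the file layout below is a
constructed sample in the shape of 'table <ET> persist { ... }'."""
import ipaddress
import re
from typing import Dict, List

TABLE_OPEN = re.compile(r"^\s*table\s+<(?P<name>[^>]+)>")
TABLE_FLAGS = {"persist", "const", "counters"}


def parse_pf_tables(text: str) -> Dict[str, List[str]]:
    """Return {table_name: [entry, ...]} for each 'table <name> ... { ... }'
    block. Entries may share a line with the braces or sit one per line;
    '#' comments are ignored. Non-table lines (the block rules) are skipped."""
    tables: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = TABLE_OPEN.match(line)
        if m:
            current = m.group("name")
            tables[current] = []
            line = line[m.end():]
        if current is None:
            continue
        for tok in line.replace("{", " ").replace("}", " ").replace(",", " ").split():
            if tok not in TABLE_FLAGS:
                tables[current].append(tok)
        if "}" in line:
            current = None
    return tables


def audit_entries(entries: List[str]) -> Dict[str, List[str]]:
    """Sort entries into 'ok', 'invalid' (not an address or network at all) and
    'suspect_missing_mask': a bare IPv4 address ending in .0 with no '/len' is
    far more likely a truncated /24 than a real host, and PF will load it as a
    single host entry, silently shrinking what the table blocks."""
    report: Dict[str, List[str]] = {"ok": [], "invalid": [], "suspect_missing_mask": []}
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            report["invalid"].append(entry)
            continue
        if "/" not in entry and net.version == 4 and entry.endswith(".0"):
            report["suspect_missing_mask"].append(entry)
        else:
            report["ok"].append(entry)
    return report


def bidirectional_block_rules(table: str) -> List[str]:
    """The rule pair from the post: no interface macro and no direction keyword,
    so both connections from and connections to the listed hosts are dropped."""
    return [f"block log quick from <{table}> to any",
            f"block log quick from any to <{table}>"]


# Constructed sample (documentation addresses), not the real ET feed.
SAMPLE_PF_DROP = """\
table <ET> persist {
192.0.2.0
198.51.100.0/24
203.0.113.7
2001:db8::/32
10.0.0.300
}
block in log (all) quick on $ext_if from <ET> to any
"""

if __name__ == "__main__":
    for name, entries in parse_pf_tables(SAMPLE_PF_DROP).items():
        print(name, audit_entries(entries))
        print("\n".join(bidirectional_block_rules(name)))
```

On the sample, `192.0.2.0` is flagged as a probable truncated network, `10.0.0.300` is rejected outright, and the rest load cleanly; the emitted rule pair is the directionless form from the post, which `pfctl -vvsr` expands to the `@0`/`@1` lines shown above.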