Russell Fulton | 25 Oct 21:00 2014

weird capture from ET CURRENT_EVENTS Angler EK Oct 22 2014 -- 2019488

I assume this is an actual exploit in progress.  Never seen anything quite this elaborate before…

All packets are exactly 1500 long — including the last in each session.

HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Fri, 24 Oct 2014 23:28:10 GMT
Content-Type: text/html
Content-Length: 110212
Connection: keep-alive
Cache-Control: no-cache, must-revalidate, max-age=1
Expires: Sat, 26 Jul 2014 05:00:00 GMT
Last-Modified: Sat, 26 Jul 2040 05:00:00 GMT
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en" dir="ltr">
<head>
<meta http-equiv="x-ua-compatible" content="IE=EmulateIE9" >
<title>
weaken her sister's behaviour. He heard her mentioned; except Mrs.
</title>
</head>
<body>
<ol>. invented this trick for getting her to observe the studied attentions with which I have the smallest
fear of as. <strong>.   and. </strong>.</ol>.<button>. <hl>.

two more packets with more pseudo prose and then

hip hand of you." "To be sure," said she, 'I might thought.  </strong>.  <input>.    In Bond Street 
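A date-header sanity check over the captured response, as an added example that is not part of Russell's post: it parses the response head (copied from the capture above, body omitted) and compares the Date, Expires and Last-Modified values, which is a cheap triage step for any captured landing-page response. The function names and finding names are this example's own.

```python
"""Sanity-check the date headers of a captured HTTP response.

Added example, not code from the original post. The response head below is
copied from the capture in the post (body omitted); the function names and
the finding names are this example's own.
"""
from email.utils import parsedate_to_datetime

# Constructed sample: the response head as captured, without the 110212-byte body.
CAPTURED_HEAD = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Server: nginx/1.6.2",
    "Date: Fri, 24 Oct 2014 23:28:10 GMT",
    "Content-Type: text/html",
    "Content-Length: 110212",
    "Connection: keep-alive",
    "Cache-Control: no-cache, must-revalidate, max-age=1",
    "Expires: Sat, 26 Jul 2014 05:00:00 GMT",
    "Last-Modified: Sat, 26 Jul 2040 05:00:00 GMT",
    "Pragma: no-cache",
    "",
    "",
])


def parse_head(raw):
    """Split a response head into (status line, {lower-case name: value})."""
    lines = raw.replace("\r\n", "\n").split("\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # the first blank line ends the head
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_dates(headers):
    """Compare Date, Expires and Last-Modified; return a dict of findings."""
    findings = {}
    parsed = {}
    for name in ("date", "expires", "last-modified"):
        if name not in headers:
            continue
        try:
            parsed[name] = parsedate_to_datetime(headers[name])
        except (TypeError, ValueError):  # older Pythons raise TypeError here
            findings["unparseable_" + name.replace("-", "_")] = headers[name]
    if "date" in parsed and "last-modified" in parsed:
        # A server claiming the resource was modified after it sent it.
        ahead = parsed["last-modified"] - parsed["date"]
        if ahead.days > 0:
            findings["last_modified_days_in_future"] = ahead.days
    if "date" in parsed and "expires" in parsed:
        # Expires earlier than Date: already stale when it arrived.
        findings["expired_on_arrival"] = parsed["expires"] < parsed["date"]
    if "expires" in parsed and "last-modified" in parsed:
        # Weak hint of templated headers: both values share month, day and time.
        e, lm = parsed["expires"], parsed["last-modified"]
        findings["same_clock_time"] = (
            (e.month, e.day, e.hour, e.minute) == (lm.month, lm.day, lm.hour, lm.minute)
        )
    return findings


if __name__ == "__main__":
    status_line, hdrs = parse_head(CAPTURED_HEAD)
    print(status_line)
    for key, val in check_dates(hdrs).items():
        print("%s: %s" % (key, val))
```

Run on the captured head this reports a Last-Modified roughly 26 years ahead of the server's own Date and an Expires value that was already in the past; neither proves anything on its own, but both are the kind of oddity worth recording alongside the signature hit.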

Francis Trudeau | 24 Oct 23:15 2014

Daily Ruleset Update Summary 10/24/2014

 [***] Summary: [***]

 9 new Open signatures, 15 new Pro (9+6).  Vawtrak/NeverQuest,
BlackEnergy, DroidKungFu.

 Thanks:  Eoin Miller

 [+++]          Added rules:          [+++]

 Open:

  2019499 - ET TROJAN Vawtrak/NeverQuest Server Response (trojan.rules)
  2019500 - ET TROJAN Vawtrak/NeverQuest Posting Data (trojan.rules)
  2019501 - ET TROJAN Vawtrak/NeverQuest Posting Data (trojan.rules)
  2019502 - ET TROJAN Wonton-JH Checkin (trojan.rules)
  2019503 - ET CURRENT_EVENTS SSL SinkHole Cert Possible Infected Host
(current_events.rules)
  2019504 - ET TROJAN BlackEnergy SSL Cert (trojan.rules)
  2019505 - ET TROJAN BlackEnergy SSL Cert (trojan.rules)
  2019506 - ET CURRENT_EVENTS Possible Upatre SSL Cert Oct 24 2014
(current_events.rules)
  2019507 - ET CURRENT_EVENTS Possible Upatre SSL Cert
www.tradeledstore.co.uk (current_events.rules)

 Pro:

  2809063 - ETPRO MOBILE_MALWARE DroidKungFu Checkin 5 (mobile_malware.rules)
  2809064 - ETPRO MOBILE_MALWARE DroidKungFu Checkin 6 (mobile_malware.rules)
  2809065 - ETPRO TROJAN Backdoor.Kivars Checkin (trojan.rules)
  2809066 - ETPRO TROJAN Backdoor.Tepmim Checkin (trojan.rules)

Russell Fulton | 24 Oct 20:45 2014

likely FP: ET CURRENT_EVENTS food.com compromise hostile JavaScript gate 2018505

Server IP matches Host:

GET /ql.html?0.2587664327584207 HTTP/1.1
Host: researchcompliance.iu.edu
Connection: keep-alive
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/38.0.2125.104 Safari/537.36
Referer: http://researchcompliance.iu.edu/coi/index.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: X-Mapping-gbooldlg=39AA8C8BB7C365975CC1F4A95F509E80;
_ga=GA1.2.1356153155.1414092160; _gat=1
waldo kitty | 24 Oct 11:07 2014

nmap.org and SID:2011921


it seems that nmap.org is triggering SID:2011921 ET TROJAN FAKEAV CryptMEN - 
Landing Page Download Contains .hdd_icon...

looking at the rule, it simply looks for ".hdd_icon" in the traffic flow... 
perhaps there's a way to tighten this rule?

here's the packet data captured by snort and as seen by wireshark... the alert 
is triggered starting at offset 02d4...

0000   00 00 02 00 00 00 6e b7 10 00 00 00 10 00 08 00  ......n.........
0010   45 00 05 ac 4a 7d 40 00 34 06 bb e1 ad ff f3 bd  E...J}@.4.......
0020   47 1e 52 12 00 50 cd aa 0d ca 28 9b 8c f1 bc 8f  G.R..P....(.....
0030   50 10 00 ed b0 ff 00 00 52 52 45 4e 54 5f 45 56  P.......RRENT_EV
0040   45 4e 54 53 20 46 41 4b 45 41 56 20 63 6c 69 65  ENTS FAKEAV clie
0050   6e 74 20 72 65 71 75 65 73 74 69 6e 67 20 66 61  nt requesting fa
0060   6b 65 20 73 63 61 6e 6e 65 72 20 70 61 67 65 0a  ke scanner page.
0070   31 3a 31 37 35 32 30 20 20 20 20 20 20 20 20 20  1:17520
0080   20 20 20 23 20 23 20 45 58 50 4c 4f 49 54 20 43     # # EXPLOIT C
0090   41 20 41 52 43 73 65 72 76 65 20 42 61 63 6b 75  A ARCserve Backu
00a0   70 20 44 42 20 45 6e 67 69 6e 65 20 44 65 6e 69  p DB Engine Deni
00b0   61 6c 20 6f 66 20 53 65 72 76 69 63 65 0a 31 3a  al of Service.1:
00c0   32 30 30 37 39 36 34 20 20 20 20 20 20 20 20 20  2007964
00d0   20 23 20 23 20 45 54 20 54 52 4f 4a 41 4e 20 56   # # ET TROJAN V
00e0   69 70 64 61 74 61 65 6e 64 20 43 26 61 6d 70 3b  ipdataend C&amp;
00f0   43 20 54 72 61 66 66 69 63 20 2d 20 53 65 72 76  C Traffic - Serv
0100   65 72 20 53 74 61 74 75 73 20 4f 4b 0a 31 3a 32  er Status OK.1:2
0110   30 31 31 33 37 34 20 20 20 20 20 20 20 20 20 20  011374
0120   23 20 23 20 45 54 20 43 55 52 52 45 4e 54 5f 45  # # ET CURRENT_E
0130   56 45 4e 54 53 20 48 54 54 50 20 63 6f 6e 74 61  VENTS HTTP conta

Randal T. Rioux | 24 Oct 06:01 2014

Splunk Binary Detected as Trojan?

Haven't tested it, but had a report from someone that this rule fires
when downloading the Splunk binary from splunk.com (not sure which one -
thought I'd check first here):

ET TROJAN PECompact2 Packed Binary - Likely Hostile

Any verification?

Thanks!
Francis Trudeau | 23 Oct 23:35 2014

Daily Ruleset Update Summary 10/23/2014

 [***] Summary: [***]

 2 new Open signatures, 16 new Pro.  Various Android, Incredible PBX
RCE, Spider Keylogger.

 Thanks:  Kevin Ross and tdzmont.

 [+++]          Added rules:          [+++]

  2019497 - ET CURRENT_EVENTS Nuclear EK Gate Injected iframe Oct 22
2014 (current_events.rules)
  2019498 - ET TROJAN W32/24x7Help.ScareWare CnC Beacon (trojan.rules)

  Pro:

  2809049 - ETPRO MOBILE_MALWARE Android.Trojan.FakeBank.G Checkin
(mobile_malware.rules)
  2809050 - ETPRO MOBILE_MALWARE Monitoring-Tool Android/CellSpy.B
Checkin (mobile_malware.rules)
  2809051 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.cd
Checkin (mobile_malware.rules)
  2809052 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.ep
Checkin (mobile_malware.rules)
  2809053 - ETPRO MOBILE_MALWARE Android/Rlove.A Checkin (mobile_malware.rules)
  2809054 - ETPRO EXPLOIT Incredible PBX RCE Attempt (exploit.rules)
  2809055 - ETPRO MOBILE_MALWARE Checkin to Rogue App Host
(mobile_malware.rules)
  2809056 - ETPRO MALWARE PUP BubbleDock.A Checkin (malware.rules)
  2809057 - ETPRO POLICY IP Check thinklabs-ltd.de (policy.rules)
  2809058 - ETPRO POLICY IP Check 2ip.ru (policy.rules)

waldo kitty | 23 Oct 20:29 2014

understanding SID:2019102


i'm trying to understand what the appearance of alerts from SID:2019102 are 
indicating... are they indicating that someone is attempting to use my system to 
send packets back to the apparent originator or that the apparent originator is 
attempting to DRDoS my IP?

if these are like the DNS amplification attack, blocking to/from the apparent 
originator won't help will it?

off-list responses are ok... if the response is generic, it would be good to 
post it to the list for others who may also be trying to understand these alerts...

thanks!

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
rmkml | 23 Oct 17:46 2014

Offered new sig for detecting SPAM Subject Invoice with pptx attachment

Hello,

I am offering a new sig for detecting the SPAM campaign "Subject: Invoice" with pptx attachment.

Comments / Feedback are welcome ;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS $SMTP_PORTS (msg:"SMTP Inbound SPAM Subject: Invoice with Powerpoint (pptx) attachment attempt"; flow:to_server,established; content:"Subject\: Invoice #"; content:"filename="; nocase; content:".pptx"; nocase; within:50; distance:0; pcre:"/^Subject\: Invoice \#\d+/sm"; reference:url,blog.spiderlabs.com/2014/10/powerpoint-vulnerability-cve-2014-4114-used-in-malicious-spam.html; reference:cve,2014-4114; classtype:attempted-user; sid:1; rev:1;)

Don't forget to check $EXTERNAL_NET and $SMTP_SERVERS.

Thank you SpiderLabs.com.

Regards
@Rmkml
Kevin Ross | 23 Oct 15:04 2014

SIG: ET TROJAN W32/24x7Help.ScareWare CnC Beacon

Found this in my network. Crashes the PC and basically keeps popping up with "call this number for help". Basically resolves back to a broadband link in the US. I would have classified it as ET MALWARE if it wasn't so aggressive and causing visible issues on the end device, preventing legitimate use in some tasks.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/24x7Help.ScareWare CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/api/client.asmx/SendData"; http_uri; content:"User-Agent|3A| mFramework HTTPGet"; http_header; fast_pattern:12,18; content:"CFG="; http_client_body; depth:4; content:"&Lng="; http_client_body; distance:0; content:"&sinst="; http_client_body; distance:0; classtype:trojan-activity; reference:md5,8d2dec745b9ac380beb2a0ea66427d06; sid:182311; rev:1;)


Kind Regards,
Kevin Ross
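A lint pass over the two rules submitted above (rmkml's SMTP Invoice rule and Kevin's 24x7Help beacon rule), as an added example that is not part of either post or of the ET ruleset. It goes a little beyond the two rules: it splits the option list while respecting quoted strings and backslash escapes, decodes |hex| sections in content strings, checks flow keywords against the Snort keyword set, verifies that a fast_pattern offset,length pair fits inside the preceding content, checks md5 references, and flags SIDs below 1000000 (the range Snort reserves for distributed rules). The rules are copied from the posts as sample input; the beacon rule is embedded with the misspelling "estalished" in its flow option (a typo in the rule as originally posted to the list) so the check has something to catch. Function names and finding strings are this example's own.

```python
"""Lint Snort/Suricata rules before they go into a ruleset.

Added example; not code from the Emerging Threats project or from either
poster. The two rules are copied from the list posts and embedded as sample
input. The beacon rule keeps the misspelling "estalished" in its flow option
(a typo in the rule as originally posted) so the linter has something to catch.
Function names and finding strings are this example's own.
"""
import re

# Sample input: rmkml's rule, copied from the post.
SPAM_RULE = (
    r'alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS $SMTP_PORTS (msg:"SMTP Inbound SPAM Subject: Invoice with Powerpoint (pptx) attachment attempt"; '
    r'flow:to_server,established; content:"Subject\: Invoice #"; content:"filename="; nocase; '
    r'content:".pptx"; nocase; within:50; distance:0; pcre:"/^Subject\: Invoice \#\d+/sm"; '
    r'reference:url,blog.spiderlabs.com/2014/10/powerpoint-vulnerability-cve-2014-4114-used-in-malicious-spam.html; '
    r'reference:cve,2014-4114; classtype:attempted-user; sid:1; rev:1;)'
)

# Sample input: Kevin's rule, copied from the post, typo in "flow" kept on purpose.
BEACON_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/24x7Help.ScareWare CnC Beacon"; '
    'flow:estalished,to_server; content:"POST"; http_method; content:"/api/client.asmx/SendData"; http_uri; '
    'content:"User-Agent|3A| mFramework HTTPGet"; http_header; fast_pattern:12,18; '
    'content:"CFG="; http_client_body; depth:4; content:"&Lng="; http_client_body; distance:0; '
    'content:"&sinst="; http_client_body; distance:0; classtype:trojan-activity; '
    'reference:md5,8d2dec745b9ac380beb2a0ea66427d06; sid:182311; rev:1;)'
)

VALID_FLOW = {"to_server", "to_client", "from_server", "from_client",
              "established", "not_established", "stateless",
              "no_stream", "only_stream", "no_frag", "only_frag"}
REQUIRED = ("msg", "classtype", "sid", "rev")
HEADER_RE = re.compile(
    r"^(alert|log|pass|drop|reject|sdrop)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)"
    r"\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)


def split_options(body):
    """Split the option body on ';' outside double quotes; return (key, value) pairs."""
    tokens, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            tokens.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    tokens.append("".join(cur))
    pairs = []
    for tok in tokens:
        tok = tok.strip()
        if tok:
            key, _, val = tok.partition(":")
            pairs.append((key.strip(), val.strip()))
    return pairs


def content_bytes(value):
    """Decode a Snort content value ("..." with |hex| sections and \\ escapes) to bytes."""
    v = value.strip()
    if v.startswith("!"):           # negated content
        v = v[1:].strip()
    if not (v.startswith('"') and v.endswith('"')):
        raise ValueError("content value must be quoted: %r" % value)
    v = v[1:-1]
    out = bytearray()
    i = 0
    while i < len(v):
        if v[i] == "|":             # |3A 0d 0a| style hex run
            j = v.index("|", i + 1)
            out += bytes.fromhex(v[i + 1:j])
            i = j + 1
        elif v[i] == "\\":          # \" \; \\ \: etc.
            out.append(ord(v[i + 1]))
            i += 2
        else:
            out.append(ord(v[i]))
            i += 1
    return bytes(out)


def lint_rule(rule):
    """Return a list of finding strings for one rule; an empty list means clean."""
    findings = []
    m = HEADER_RE.match(rule.strip())
    if not m:
        return ["rule header does not parse"]
    opts = split_options(m.group(8))
    keys = [k for k, _ in opts]
    findings.extend("missing %s" % k for k in REQUIRED if k not in keys)
    last_content = None
    for key, val in opts:
        if key == "flow":
            for kw in val.split(","):
                if kw.strip() not in VALID_FLOW:
                    findings.append("unknown flow keyword %r" % kw.strip())
        elif key == "content":
            last_content = content_bytes(val)
        elif key == "fast_pattern" and "," in val:
            off, ln = (int(x) for x in val.split(","))
            have = len(last_content or b"")
            if off + ln > have:
                findings.append("fast_pattern %s exceeds preceding content (%d bytes)" % (val, have))
        elif key == "sid" and int(val) < 1000000:
            findings.append("sid %s below 1000000 (reserved for distributed rulesets)" % val)
        elif key == "reference":
            scheme, _, ref = val.partition(",")
            if scheme == "md5" and not re.fullmatch(r"[0-9a-fA-F]{32}", ref):
                findings.append("malformed md5 reference %r" % ref)
    return findings


if __name__ == "__main__":
    for name, rule in (("spam", SPAM_RULE), ("beacon", BEACON_RULE)):
        print(name, lint_rule(rule) or ["clean"])
```

On the beacon rule the pass reports the misspelled flow keyword (which would make the sensor reject the rule at load time) and the low SID; on the SMTP rule it reports only the placeholder SID, which is expected for a draft submitted for ET to assign a number to. The fast_pattern check passes because the 30-byte User-Agent content is exactly covered by offset 12, length 18.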
Francis Trudeau | 22 Oct 23:35 2014

Daily Ruleset Update Summary 10/22/2014

 [***] Summary: [***]

 10 new Open signatures.  Dyre SSL, NAT-PMP, Angler EK, FlashPack.

 Thanks:  @kafeine

 [+++]          Added rules:          [+++]

  2019487 - ET CURRENT_EVENTS FlashPack Payload URI Struct Oct 22 2014
(current_events.rules)
  2019488 - ET CURRENT_EVENTS Angler EK Oct 22 2014 (current_events.rules)
  2019489 - ET CURRENT_EVENTS Angler EK Landing Oct 22 2014
(current_events.rules)
  2019490 - ET EXPLOIT Possible Malicious NAT-PMP Response to External
Network (exploit.rules)
  2019491 - ET EXPLOIT Possible Malicious NAT-PMP Response Successful
TCP Map to External Network (exploit.rules)
  2019492 - ET EXPLOIT Possible Malicious NAT-PMP Response Successful
UDP Map to External Network (exploit.rules)
  2019493 - ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 22 2014
(current_events.rules)
  2019494 - ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 22 2014
(current_events.rules)
  2019495 - ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 22 2014
(current_events.rules)
  2019496 - ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 22 2014
(current_events.rules)

 [///]     Modified active rules:     [///]

  2804830 - ETPRO TROJAN Win32.Sality.bh Checkin 2 (trojan.rules)
  2808829 - ETPRO MOBILE_MALWARE Android.Trojan.InfoStealer.DO Checkin
(mobile_malware.rules)
Francis Trudeau | 21 Oct 22:38 2014

Daily Ruleset Update Summary 10/21/2014

 [***] Summary: [***]

 2 new Open signatures, 19 new Pro (2+17).  Cryptowall, Cisco ASA
vulns, Various Android.

 Thanks:  Kevin Ross and @rmkml.

 [+++]          Added rules:          [+++]

 Open:

  2019485 - ET CURRENT_EVENTS Win32/Zbot SSL Cert Oct 21 2014
(current_events.rules)
  2019486 - ET TROJAN Possible IRC Bot Common PRIVMSG Commands (trojan.rules)

 Pro:

  2809030 - ETPRO TROJAN Possibly Malicious DNS TXT Response Contains
URL (trojan.rules)
  2809031 - ETPRO TROJAN Win32.Cryptolocker.cg SSL Cert (trojan.rules)
  2809032 - ETPRO MOBILE_MALWARE Android/LoveTrap.A Checkin 3
(mobile_malware.rules)
  2809033 - ETPRO MALWARE PUP Win32/Bundled.Toolbar.Ask.K Retrieving
Geolocation (malware.rules)
  2809036 - ETPRO EXPLOIT Possible Cisco Standby FailoverExec Exploit
Attempt (exploit.rules)
  2809037 - ETPRO EXPLOIT Possible Cisco Standby ConfigSync Exploit
Attempt (exploit.rules)
  2809038 - ETPRO MALWARE PUP Win32/SpeedingUpMyPC Checkin (malware.rules)
  2809039 - ETPRO WEB_SPECIFIC_APPS Rejetto HttpFileServer RCE Check
(web_specific_apps.rules)
  2809040 - ETPRO TROJAN Win32/Vasdek Checkin (trojan.rules)
  2809041 - ETPRO TROJAN Win32/CoinMiner.SO .exe download (trojan.rules)
  2809042 - ETPRO TROJAN Possible Cryptowall Infection in Windows
Roaming Profile (DECRYPT_INSTRUCTION.HTML unicode) (trojan.rules)
  2809043 - ETPRO TROJAN Possible Cryptowall Infection in Windows
Roaming Profile (DECRYPT_INSTRUCTION.HTML ascii) (trojan.rules)
  2809044 - ETPRO TROJAN Possible Cryptowall Infection in Windows
Roaming Profile (DECRYPT_INSTRUCTION.TXT unicode) (trojan.rules)
  2809045 - ETPRO TROJAN Possible Cryptowall Infection in Windows
Roaming Profile (DECRYPT_INSTRUCTION.HTML ascii) (trojan.rules)
  2809046 - ETPRO TROJAN Possible Cryptowall Infection in Windows
Roaming Profile (DECRYPT_INSTRUCTION.URL unicode) (trojan.rules)
  2809047 - ETPRO TROJAN Possible Cryptowall Infection in Windows
Roaming Profile (DECRYPT_INSTRUCTION.URL ascii) (trojan.rules)
  2809048 - ETPRO MOBILE_MALWARE Android/OpFakeCL.A Checkin
(mobile_malware.rules)

 [///]     Modified active rules:     [///]

  2019471 - ET TROJAN Possible IRCBot.DDOS Common Commands (trojan.rules)
  2019479 - ET CURRENT_EVENTS Job314 EK URI Exploit/Payload Struct
(current_events.rules)

 [---]  Disabled and modified rules:  [---]

  2019417 - ET CURRENT_EVENTS excessive fatal alerts (possible POODLE
attack against client) (current_events.rules)

 [---]         Removed rules:         [---]

  2808587 - ETPRO TROJAN Win32/CoinMiner.SO .exe download (trojan.rules)
  2808706 - ETPRO TROJAN Win32/CoinMiner.SO .exe download 2 (trojan.rules)
