Francis Trudeau | 27 May 23:32 2016

Daily Ruleset Update Summary 2016/05/27

 [***] Summary: [***]

 1 new Open signature, 11 new Pro.  ReactorBot, RIG EK, Hawkeye Keylogger, fun, fun, fun, fun.

 [+++]          Added rules:          [+++]

 Open:

  2022841 - ET CURRENT_EVENTS Possible ReactorBot .bin Download (current_events.rules)

 Pro:

  2820374 - ETPRO TROJAN PoisonIvy Keepalive to CnC 388 (trojan.rules)
  2820375 - ETPRO TROJAN PoisonIvy Keepalive to CnC 389 (trojan.rules)
  2820376 - ETPRO TROJAN PoisonIvy Keepalive to CnC 390 (trojan.rules)
  2820377 - ETPRO TROJAN Unknown Loader (dropped by RIG EK) Checkin (trojan.rules)
  2820378 - ETPRO CURRENT_EVENTS Evil Redirector to EK May 27 2016 (current_events.rules)
  2820379 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Guerrilla.g Checkin (mobile_malware.rules)
  2820380 - ETPRO TROJAN APT/ByeByeShell CnC Checkin (trojan.rules)
  2820381 - ETPRO TROJAN Hawkeye Keylogger SMTP Checkin M1 (trojan.rules)
  2820382 - ETPRO TROJAN Hawkeye Keylogger SMTP Checkin M2 (trojan.rules)
  2820383 - ETPRO TROJAN Hawkeye Keylogger SMTP Stolen Credentials (trojan.rules)


 [///]     Modified active rules:     [///]

  2021730 - ET TROJAN Joanap CnC Checkin (trojan.rules)
  2022627 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) (trojan.rules)
  2820328 - ETPRO TROJAN PowerShell/Agent.A HTTP CnC Beacon (trojan.rules)


 [---]  Disabled and modified rules:  [---]

  2815781 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish Jan 14 (current_events.rules)

Tony Maszeroski | 27 May 18:39 2016

Many FPs on sid:2815781; rev:6

FYI - This rule has been FPing for us badly since the last update.

Snort Version 2.9.8.2 GRE (Build 335).

Ping me privately if you need packets.

-tony
Francis Trudeau | 27 May 00:27 2016

Daily Ruleset Update Summary 2016/05/26

 [***] Summary: [***]

 18 new Pro signatures.  CryptXXX, VARIOUS PHISHING, TorrentLocker.

 [+++]          Added rules:          [+++]

  2820179 - ETPRO TROJAN CryptXXX Possible Payment Page (trojan.rules)
  2820357 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Triada.g Checkin (mobile_malware.rules)
  2820358 - ETPRO TROJAN PoisonIvy Keepalive to CnC 384 (trojan.rules)
  2820359 - ETPRO TROJAN PoisonIvy Keepalive to CnC 385 (trojan.rules)
  2820360 - ETPRO TROJAN PoisonIvy Keepalive to CnC 386 (trojan.rules)
  2820361 - ETPRO TROJAN PoisonIvy Keepalive to CnC 387 (trojan.rules)
  2820362 - ETPRO POLICY External IP Address Check - (useragent.cc) (policy.rules)
  2820363 - ETPRO POLICY External IP Address Check - (ddnss.de) (policy.rules)
  2820364 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish May 26 (current_events.rules)
  2820365 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Tiny.bl Checkin (mobile_malware.rules)
  2820366 - ETPRO TROJAN MSIL/Banker.M Requesting Binary from SQL 2 (trojan.rules)
  2820367 - ETPRO TROJAN Win32/Agiala Checkin (trojan.rules)
  2820368 - ETPRO TROJAN TorrentLocker DNS query to Domain *.blasters.biz (trojan.rules)
  2820369 - ETPRO CURRENT_EVENTS Successful Phish via Wix.com May 26 (current_events.rules)
  2820370 - ETPRO CURRENT_EVENTS Successful Petro Canada Phish May 26 (current_events.rules)
  2820371 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish May 26 (current_events.rules)
  2820372 - ETPRO CURRENT_EVENTS Suspicious Domain - Possible Phishing Redirect May 26 (current_events.rules)
  2820373 - ETPRO CURRENT_EVENTS Successful Paypal Phish May 26 (current_events.rules)


 [///]     Modified active rules:     [///]

  2021871 - ET TROJAN Hawkeye Keylogger SMTP Beacon (trojan.rules)
  2809782 - ETPRO MOBILE_MALWARE Android/AdDisplay.Kuguo.F Checkin (mobile_malware.rules)
  2815781 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish Jan 14 (current_events.rules)
  2820159 - ETPRO MOBILE_MALWARE Trojan-Ransom.AndroidOS.Agent.r Checkin (mobile_malware.rules)


 [---]         Removed rules:         [---]

  2820097 - ETPRO TROJAN CryptXXX 2.06 Checkin (trojan.rules)
Whitworth, Luke | 25 May 12:58 2016

False positive on 2003927

Rule is catching some traffic from PS4’s on our network:

GET./update/ps4/list/uk/ps4-updatelist.xml.HTTP/1.1
.Host:.fuk01.ps4.update.playstation.net
.User-Agent:.HttpTestWrapperUser.libhttp/3.50.(PlayStation.4)
.Connection:.Keep-Alive
.
.

Cheers,

Luke

Francis Trudeau | 23 May 23:34 2016

Daily Ruleset Update Summary 2016/05/23

 [***] Summary: [***]

 15 new Pro signatures.  CVE-2015-1770, Cript 1.0, Neutrino EK.

 Thanks:  Jose Vila.

 [+++]          Added rules:          [+++]

  2820307 - ETPRO WEB_CLIENT Microsoft Rich Text File download with Possible Exploit (CVE-2015-1770) (web_client.rules)
  2820308 - ETPRO CURRENT_EVENTS Neutrino EK Payload May 23 2016 (current_events.rules)
  2820309 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.kx Checkin (mobile_malware.rules)
  2820310 - ETPRO TROJAN PoisonIvy Keepalive to CnC 374 (trojan.rules)
  2820311 - ETPRO TROJAN PoisonIvy Keepalive to CnC 375 (trojan.rules)
  2820312 - ETPRO TROJAN PoisonIvy Keepalive to CnC 376 (trojan.rules)
  2820313 - ETPRO TROJAN Cript 1.0 Ransomware Installed (trojan.rules)
  2820314 - ETPRO TROJAN Cript 1.0 Ransomware Disk Checkin (trojan.rules)
  2820315 - ETPRO TROJAN Cript 1.0 Ransomware File Checkin (trojan.rules)
  2820316 - ETPRO TROJAN MSIL/SNSLocker Ransomware Checkin 1 (trojan.rules)
  2820317 - ETPRO TROJAN MSIL/SNSLocker Ransomware Checkin 2 (trojan.rules)
  2820318 - ETPRO TROJAN Win32.Crypren/Zcrypt Ransomware Checkin (trojan.rules)
  2820319 - ETPRO TROJAN Win32/Bafruz.L Activity (trojan.rules)
  2820320 - ETPRO TROJAN Win32/Nitedrem.E CnC 2 (trojan.rules)
  2820321 - ETPRO TROJAN Cript 1.0 Ransomware Encrypt Job Complete (trojan.rules)


 [///]     Modified active rules:     [///]

  2007695 - ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System (policy.rules)
  2815254 - ETPRO CURRENT_EVENTS Possible Nuclear EK Payload Dec 06 2015 M2 (current_events.rules)
  2816218 - ETPRO TROJAN Loxes CnC Beacon (trojan.rules)

Jose Vila | 23 May 14:12 2016

FP on 2007695

Hi,

I just found that Trend Micro's HouseCall (http://housecall.trendmicro.com/) identifies itself as Windows 98, triggering rule with sid 2007695.

Example payload:
GET /activeupdate/pattern/HCClean_113701.zip HTTP/1.1
Host: housecall-ctp-p.activeupdate.trendmicro.com:80
User-Agent: Mozilla/4.0 (compatible;MSIE 5.0; Windows 98)
Accept: */*
Pragma: No-Cache
Cache-Control: no-store, no-cache
Connection: Close
X-Trend-ActiveUpdate: 2.82.0.1075

Could a negation be placed for this kind of traffic?

For example:
content:!"X-Trend-ActiveUpdate"

Actual rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System"; flow:established,to_server; content:"Windows 98"; fast_pattern:only; http_header; pcre:"/^User-Agent\x3a[^\n]+Windows 98/Hmi"; reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; classtype:policy-violation; sid:2007695; rev:19;)

Regards.

Jose Vila.
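To make the effect of the proposed negation concrete, here is an added example (mine, not code from the thread or from the ET ruleset) that models the header checks of sid:2007695 in Python and runs both the rev:19 logic and the variant with `content:!"X-Trend-ActiveUpdate"; http_header;` over the HouseCall request quoted above plus two constructed requests. It approximates Snort's http_header buffer as the header lines after the request line and ignores fast_pattern, which only changes how the engine searches, not what matches.

```python
import re
from typing import Dict, Optional, Tuple

# Sample 1: the HouseCall updater request quoted in the post above.
HOUSECALL_REQUEST = (
    "GET /activeupdate/pattern/HCClean_113701.zip HTTP/1.1\r\n"
    "Host: housecall-ctp-p.activeupdate.trendmicro.com:80\r\n"
    "User-Agent: Mozilla/4.0 (compatible;MSIE 5.0; Windows 98)\r\n"
    "Accept: */*\r\n"
    "Pragma: No-Cache\r\n"
    "Cache-Control: no-store, no-cache\r\n"
    "Connection: Close\r\n"
    "X-Trend-ActiveUpdate: 2.82.0.1075\r\n"
    "\r\n"
)

# Sample 2 (constructed): a Windows 98 User-Agent with no Trend Micro header,
# standing in for the traffic the policy rule is meant to flag.
LEGACY_UA_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)\r\n"
    "Accept: */*\r\n"
    "\r\n"
)

# Sample 3 (constructed): a current User-Agent; neither variant should fire.
MODERN_UA_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "\r\n"
)

# The pcre from sid:2007695. Snort's flags map to Python as: H = run against
# the header buffer (we pass only that buffer), m = ^ anchors at every line
# start, i = case-insensitive.
UA_WIN98 = re.compile(r"^User-Agent\x3a[^\n]+Windows 98", re.M | re.I)


def http_header_buffer(raw: str) -> str:
    """Approximate Snort's http_header buffer: the header lines that follow
    the request line, normalised to LF line endings, body excluded."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")[1:]  # drop the request line
    return "\n".join(lines) + "\n"


def rule_2007695(raw: str, negated_header: Optional[str] = None) -> bool:
    """True if the rule would alert on this client-to-server request.

    negated_header models an extra `content:!"..."; http_header;` clause,
    i.e. the exception the post proposes for the HouseCall updater.
    Plain content matches are case-sensitive because the rule has no nocase.
    """
    hdrs = http_header_buffer(raw)
    if "Windows 98" not in hdrs:          # content:"Windows 98"; http_header;
        return False
    if not UA_WIN98.search(hdrs):         # pcre:"/^User-Agent\x3a[^\n]+Windows 98/Hmi"
        return False
    if negated_header and negated_header in hdrs:
        return False                      # content:!"X-Trend-ActiveUpdate"; http_header;
    return True


def evaluate(samples: Dict[str, str]) -> Dict[str, Tuple[bool, bool]]:
    """Per sample: (fires as rev:19, fires with the negation added)."""
    return {
        name: (rule_2007695(req), rule_2007695(req, "X-Trend-ActiveUpdate"))
        for name, req in samples.items()
    }


if __name__ == "__main__":
    results = evaluate({
        "housecall": HOUSECALL_REQUEST,
        "legacy_ua": LEGACY_UA_REQUEST,
        "modern_ua": MODERN_UA_REQUEST,
    })
    for name, (before, after) in results.items():
        print(f"{name:10s} rev:19={before!s:5s} with negation={after}")
```

The negated content keeps the rule firing on a bare Windows 98 User-Agent while suppressing the HouseCall updater; the trade-off is that any client able to add that header to its request would be excused as well, which is the usual cost of a header-based exception and worth keeping in mind when the rule is tuned.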
Francis Trudeau | 20 May 22:47 2016

Daily Ruleset Update Summary 2016/05/20

 [***] Summary: [***]

 1 new Open signature, 22 new Pro (1 + 21).  Bolek/Kbot, PoisonIvy, SunDown/Xer.

 Thanks:   @abuse_ch.

 [+++]          Added rules:          [+++]

 Open:

  2022833 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ZeuS CnC) (trojan.rules)

 Pro:

  2820286 - ETPRO WEB_CLIENT Adobe Flash Uncompressed Possible (CVE-2016-4117) (web_client.rules)
  2820287 - ETPRO MALWARE Win32/Adware.OpenCandy PUP Activity (malware.rules)
  2820288 - ETPRO TROJAN Bolek/Kbot CnC Checkin (trojan.rules)
  2820289 - ETPRO TROJAN Win32/Spy.Banker.ACTW Checkin (trojan.rules)
  2820290 - ETPRO TROJAN Bolek/Kbot CnC DNS Lookup (android-securityupdate.com) (trojan.rules)
  2820291 - ETPRO TROJAN Bolek/Kbot CnC DNS Lookup (cibc-clients.com) (trojan.rules)
  2820292 - ETPRO TROJAN Bolek/Kbot CnC DNS Lookup (cibc-security.com) (trojan.rules)
  2820293 - ETPRO TROJAN Bolek/Kbot CnC DNS Lookup (knutesecos.com) (trojan.rules)
  2820294 - ETPRO TROJAN Bolek/Kbot CnC DNS Lookup (mensabuxus.net) (trojan.rules)
  2820295 - ETPRO TROJAN Bolek/Kbot CnC DNS Lookup (ogrthuvfewfdcfri5euwg.com) (trojan.rules)
  2820296 - ETPRO TROJAN Bolek/Kbot CnC DNS Lookup (ogrthuvwfdcfri5euwg.com) (trojan.rules)
  2820297 - ETPRO TROJAN Bolek/Kbot CnC DNS Lookup (rogers-ca.com) (trojan.rules)
  2820298 - ETPRO TROJAN Bolek/Kbot CnC DNS Lookup (rogers-clients.com) (trojan.rules)
  2820299 - ETPRO TROJAN Bolek/Kbot CnC DNS Lookup (signin-rogers.com) (trojan.rules)
  2820300 - ETPRO TROJAN Bolek/Kbot CnC DNS Lookup (signin-tangerine.com) (trojan.rules)
  2820301 - ETPRO TROJAN Bolek/Kbot CnC DNS Lookup (tangerine-ca.com) (trojan.rules)
  2820302 - ETPRO TROJAN Bolek/Kbot CnC DNS Lookup (tangerine-can.com) (trojan.rules)
  2820303 - ETPRO TROJAN Bolek/Kbot CnC DNS Lookup (tangerine-security.com) (trojan.rules)
  2820304 - ETPRO TROJAN Bolek/Kbot CnC DNS Lookup (tangerine-zone.com) (trojan.rules)
  2820305 - ETPRO TROJAN PoisonIvy Keepalive to CnC 373 (trojan.rules)
  2820306 - ETPRO CURRENT_EVENTS Sundown/Xer EK Ladning May 20 2016 (current_events.rules)


 [///]     Modified active rules:     [///]

  2022627 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) (trojan.rules)
  2810083 - ETPRO MOBILE_MALWARE PUP Android/Igexin.C Checkin (mobile_malware.rules)
  2816226 - ETPRO CURRENT_EVENTS SunDown EK Landing Feb 13 2016 M1 (current_events.rules)
  2816227 - ETPRO CURRENT_EVENTS SunDown EK Landing Feb 13 2016 M2 (current_events.rules)
  2816228 - ETPRO CURRENT_EVENTS SunDown EK Landing Feb 13 2016 M3 (current_events.rules)
  2816229 - ETPRO CURRENT_EVENTS SunDown EK Landing Feb 13 2016 M4 (current_events.rules)
  2816230 - ETPRO CURRENT_EVENTS SunDown EK Landing Feb 13 2016 M5 (current_events.rules)
  2816231 - ETPRO CURRENT_EVENTS SunDown EK Landing Feb 13 2016 M6 (current_events.rules)
  2820083 - ETPRO CURRENT_EVENTS CVE-2013-2551 M1 (b641) Observed in Sundown/Xer EK (current_events.rules)
  2820084 - ETPRO CURRENT_EVENTS CVE-2013-2551 M1 (b642) Observed in Sundown/Xer EK (current_events.rules)
  2820085 - ETPRO CURRENT_EVENTS CVE-2013-2551 M1 (b643) Observed in Sundown/Xer EK (current_events.rules)
  2820086 - ETPRO CURRENT_EVENTS CVE-2015-2419 M1 (b641) Observed in Sundown/Xer EK (current_events.rules)
  2820087 - ETPRO CURRENT_EVENTS CVE-2015-2419 M1 (b642) Observed in Sundown/Xer EK (current_events.rules)
  2820088 - ETPRO CURRENT_EVENTS CVE-2015-2419 M1 (b643) Observed in Sundown/Xer EK (current_events.rules)
  2820089 - ETPRO CURRENT_EVENTS Sundown/Xer EK Landing May 05 2016 (b641) (current_events.rules)
  2820090 - ETPRO CURRENT_EVENTS Sundown/Xer EK Landing May 05 2016 (b642) (current_events.rules)
  2820091 - ETPRO CURRENT_EVENTS Sundown/Xer EK Landing May 05 2016 (b642) (current_events.rules)
  2820093 - ETPRO CURRENT_EVENTS Sundown/Xer EK Landing May 05 2016 M2 (b641) (current_events.rules)
  2820094 - ETPRO CURRENT_EVENTS Sundown/Xer EK Landing May 05 2016 M2 (b642) (current_events.rules)
  2820249 - ETPRO TROJAN Observed Malvertising Domain SSL Cert (trojan.rules)

Jim McKibben | 20 May 20:37 2016

ET TROJAN DNS Reply for unallocated address space - Potentially Malicious - needs update

Everyone,

TLDR:

2016104 - Needs new title and could probably include 1.0.0.0/24 as well

Full:

1.1.1.1 is allocated as a sinkhole within 1.1.1.0/24, further, APNIC has stated that while you shouldn't see anything from 1.1.1.0/24 they are using it for "testing purposes". Further, they state that both 1.0.0.0/24 and 1.1.1.0/24 are used for this purpose.

Documented for 1.1.1.1:
http://wq.apnic.net/apnic-bin/whois.pl?searchtext=1.1.1.1

Press Release:
https://www.apnic.net/policy/proposals/prop-109

Activation Notice:
http://mailman.apnic.net/mailing-lists/sig-policy/archive/2014/05/msg00001.html

--



Jim McKibben
Security Analyst GSEC GWAPT
Office / 913-685-6588
Mobile / 573-424-4848
jmckibben-2QRZzSonJ2WXBFrMKgs7QAC/G2K4zDHf@public.gmane.org

      


CONFIDENTIAL:
The information in this email (and any attachments) is confidential.  If you are not the intended recipient, you must not read, use or disseminate the information.  Please reply to the sender and take the steps necessary to delete the message completely from your computer system.  Although this email and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by RiskAnalytics, LLC for any loss or damage arising in any way from its use.
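The thread does not reproduce the text of sid:2016104, so as an added example (mine, not the ET rule) here is the kind of check such a "DNS reply for unallocated address space" signature performs, written out in Python: parse a DNS response, pull the A-record RDATA out of the answer section, and flag any answer that falls inside the two /24s named above. The DNS message is a constructed fixture built by build_reply; the prefix list, the owner name and the addresses other than 1.1.1.1 are my choices for the demonstration.

```python
import ipaddress
import struct
from typing import List, Tuple

# The two /24s named in the post: 1.1.1.0/24 (the sinkhole range) and
# 1.0.0.0/24 (the range the post proposes adding to the rule).
WATCHED_PREFIXES = [ipaddress.ip_network(p) for p in ("1.0.0.0/24", "1.1.1.0/24")]


def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a DNS name at offset, following RFC 1035 compression pointers.
    Returns (name, offset just past the name in the original byte stream)."""
    labels: List[str] = []
    end = offset
    jumped = False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # 11xxxxxx: pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                         # stream resumes after the pointer
            jumped = True
            offset = pointer
            continue
        if length == 0:                                 # root label ends the name
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    if not jumped:
        end = offset
    return ".".join(labels), end


def a_records(msg: bytes) -> List[Tuple[str, str]]:
    """(owner name, IPv4) for each A record in the answer section of a reply."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:                              # QR=0: a query, not a reply
        return []
    off = 12
    for _ in range(qdcount):                            # skip the question section
        _, off = read_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
    found: List[Tuple[str, str]] = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            found.append((name, str(ipaddress.IPv4Address(rdata))))
    return found


def flagged_answers(msg: bytes) -> List[Tuple[str, str, str]]:
    """(name, ip, prefix) for every A answer that lands in a watched prefix."""
    hits: List[Tuple[str, str, str]] = []
    for name, ip in a_records(msg):
        addr = ipaddress.ip_address(ip)
        for net in WATCHED_PREFIXES:
            if addr in net:
                hits.append((name, ip, str(net)))
    return hits


def build_reply(qname: str, ips: List[str], reply: bool = True) -> bytes:
    """Constructed test fixture: a minimal DNS message with one question and
    one A answer per ip; answer names use a pointer (0xC00C) to the question."""
    def encode_name(n: str) -> bytes:
        return b"".join(bytes([len(l)]) + l.encode("ascii") for l in n.split(".")) + b"\x00"
    flags = 0x8180 if reply else 0x0100                # QR/RD/RA set for a reply, RD only for a query
    header = struct.pack("!6H", 0x1234, flags, 1, len(ips) if reply else 0, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed
        for ip in ips
    ) if reply else b""
    return header + question + answers


if __name__ == "__main__":
    sample = build_reply("lookup.example.test", ["93.184.216.34", "1.1.1.1", "1.0.0.7"])
    for name, ip, net in flagged_answers(sample):
        print(f"{name} -> {ip} falls in {net}")
```

Matching on the decoded answer rather than on raw bytes is what lets a prefix list be extended (here, adding 1.0.0.0/24 next to 1.1.1.0/24) without rewriting byte patterns, and the QR check keeps the logic from firing on the client's own query.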
Pietro Delsante | 20 May 18:37 2016

Windows Script host vs. Internet Explorer in User-Agent strings

Hello everybody,

TL;DR
I would like to write a Snort signature to detect HTTP requests that may have been originated by the Windows Script Host process.

****
This signature should set a flowbit, and another signature should fire if the response contains a PE executable file. This way, we would be able to detect cases where a script file (e.g. Nemucod) is executed by the user and tries to download a malware from an external HTTP server. Checking the flowbit and the PE content is pretty easy, but identifying WScript Host's UA is quite hard.

This is a test I made some time ago on a Windows 7 64bit VM by using WScript Host to execute a .js file:

GET /wiki/ HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E; GWX:QUALIFIED)
Connection: Keep-Alive

This is a request from the very same host, using Internet Explorer 7:

GET /wiki/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
If-Modified-Since: Wed, 27 Jan 2016 02:03:49 GMT
DNT: 1
Connection: Keep-Alive

The two User-Agent strings are pretty different, and the WScript Host's one depends on the .NET versions installed on the host, as well as on many other libraries that seem to be appended to the string.

I also noticed that the various MS Office components have a UA string that is very similar to the WScript Host's one, but usually it also adds a distinctive token to tell what application is emitting it (e.g. "App OUTLOOK.EXE" or "Microsoft Outlook 14.0.7113; ms-office; MSOffice 14", etc).

Also, Windows Script Host does not seem to set the "Accept-Language:" header, and since I'm trying to detect direct downloads, I am also excluding the "Referer:" header.

I came up with the following two example signatures:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CERTEGO TROJAN Windows Script Host request (flowbit)"; flow:to_server,established; content:" Mozilla/4.0 "; http_header; nocase; content:" MSIE "; http_header; nocase; content:" Windows NT "; http_header; nocase; content:" SLCC2|3b| "; http_header; nocase; content:" .NET CLR "; http_header; nocase; content:!"Referer|3a| "; http_header; nocase; content:!"Accept-Language|3a| "; http_header; nocase; pcre:!"/ App (?:OUTLOOK|WINWORD|EXCEL|POWERPNT)\.EXE,/iH"; flowbits:set,CERTEGO.wscript.request; flowbits:noalert; classtype:trojan-activity; sid:9000108; rev:2;) 

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"CERTEGO TROJAN Windows Script Host downloading PE, possible JS/Nemucod"; flow:from_server,established; flowbits:isset,CERTEGO.wscript.request; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:9000109; rev:1;)

The first one may be optimized by using some "within" and/or "distance" modifiers instead of repeating the http_header modifier each time; however, that's not the point.

What's your opinion about that rule?
Do you have any way to test this with other Windows versions and browsers as well?
Also, what happens if Windows doesn't have the .NET libraries installed?
Is the SLCC2 component mandatory?
Are there any other aspects I'm missing here?

Thanks,

 
Pietro Delsante
Incident Response Team

«I have made this letter longer than usual, because I lack the time to make it short»
(B. Pascal)

Use of the information within this document constitutes acceptance for use in an "as is" condition. There are no warranties with regard to this information; Certego has verified the data as thoroughly as possible. Any use of this information lies within the user's responsibility. In no event shall Certego be liable for any consequences or damages, including direct, indirect, incidental, consequential, loss of business profits or special damages, arising out of or in connection with the use or spread of this information.
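The two-stage logic of the rules above (set a bit on a WScript-looking request, alert when the matching response is a PE), re-implemented in Python as an added example so it can be run offline against captured request/response pairs. This is not code from the post or from Certego. The two request samples are the ones quoted in the post; the Office request (with the "App OUTLOOK.EXE," token the pcre excludes), the minimal PE body, and the names parse_headers, looks_like_wscript, response_carries_pe and detect are constructed for the example.

```python
import re
import struct

# Tokens rule 9000108 requires somewhere in the header block (nocase).
REQUIRED_TOKENS = (" Mozilla/4.0 ", " MSIE ", " Windows NT ", " SLCC2; ", " .NET CLR ")
# Headers whose presence makes rule 9000108 not match (content:!"Referer|3a| " etc.).
EXCLUDED_HEADERS = ("referer", "accept-language")
# Office clients tag their UA with " App NAME.EXE," and are excluded by the pcre.
OFFICE_APP_RE = re.compile(r" App (?:OUTLOOK|WINWORD|EXCEL|POWERPNT)\.EXE,", re.IGNORECASE)


def parse_headers(raw_request: str) -> dict:
    """Parse an HTTP/1.x request header block into a {lowercased-name: value} dict."""
    headers = {}
    for line in raw_request.splitlines()[1:]:  # skip the request line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def looks_like_wscript(raw_request: str) -> bool:
    """Stage 1 (rule 9000108): would this request set the CERTEGO.wscript.request bit?"""
    headers = parse_headers(raw_request)
    if any(name in headers for name in EXCLUDED_HEADERS):
        return False
    # Snort's http_header buffer is the header block without the request line.
    header_block = raw_request.split("\n", 1)[-1]
    lowered = header_block.lower()
    if not all(token.lower() in lowered for token in REQUIRED_TOKENS):
        return False
    return OFFICE_APP_RE.search(header_block) is None


def response_carries_pe(body: bytes) -> bool:
    """Stage 2 (rule 9000109): 'MZ' at offset 0 and e_lfanew pointing at 'PE\\0\\0'.

    In the rule, byte_jump:4,58,relative,little runs with the cursor just after
    'MZ' (offset 2), so it reads the 4 bytes at 2+58 = 0x3c, i.e. e_lfanew, and
    leaves the cursor at 64 + e_lfanew; distance:-64 then lands on e_lfanew itself.
    """
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def detect(raw_request: str, response_body: bytes) -> bool:
    """Both stages on one flow: the bit is set by the request and checked on the response."""
    return looks_like_wscript(raw_request) and response_carries_pe(response_body)


# Constructed samples: the two requests quoted in the post, plus an Office variant.
WSCRIPT_REQ = (
    "GET /wiki/ HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "UA-CPU: AMD64\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; "
    "Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
    "Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E; GWX:QUALIFIED)\r\n"
    "Host: www.wikipedia.org\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
IE_REQ = (
    "GET /wiki/ HTTP/1.1\r\n"
    "Accept: text/html, application/xhtml+xml, */*\r\n"
    "Accept-Language: en-US\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Host: www.wikipedia.org\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
# Constructed: same UA with the Office application token the pcre is meant to exclude.
OFFICE_REQ = WSCRIPT_REQ.replace("InfoPath.3;", "InfoPath.3; App OUTLOOK.EXE, ms-office;")


def _minimal_pe() -> bytes:
    """Constructed stand-in for a downloaded executable: a DOS header whose
    e_lfanew (0x3c) points at a 'PE\\0\\0' signature at 0x80."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + b"\x00" * (0x80 - 0x40) + b"PE\x00\x00" + b"\x00" * 20


PE_BODY = _minimal_pe()
HTML_BODY = b"<html><body>MZ is not a PE</body></html>"

if __name__ == "__main__":
    for label, req in (("wscript", WSCRIPT_REQ), ("ie", IE_REQ), ("office", OFFICE_REQ)):
        print(label, "sets flowbit:", looks_like_wscript(req))
    print("wscript + PE response alerts:", detect(WSCRIPT_REQ, PE_BODY))
    print("wscript + HTML response alerts:", detect(WSCRIPT_REQ, HTML_BODY))
```

Anything that sends the IE-compatible WinINet/WinHTTP user-agent string without an Accept-Language header will also set the bit, which is the exposure the post's closing questions are asking about; the PE check on the response is what keeps the pair from alerting on every such request.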
Andrea De Pasquale | 19 May 11:46 2016

"Bloccato" Ransomware CnC Domain

Hello,
we'd like to submit a signature for this "Bloccato" ransomware:

https://twitter.com/demonslay335/status/733067495028838400
http://www.bleepingcomputer.com/forums/t/614456/bloccato-ransomware-bloccato-help-support-leggi-questo-filetxt/

The signature is based on a memory string found when running sample
cf8d1b5071e23b82572075a5aabc89bd82cfd8b06f1cdaee9019247edce1fdba:

https:// ur232dkkwpdkwp .xyz/chiave.php?chiave=

That domain does not look existing/alive at the moment, so the
signature is DNS-based rather than SSL cert-based.

alert udp $HOME_NET any -> any 53 (msg:"CERTEGO TROJAN Bloccato Ransomware CnC Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|ur232dkkwpdkwp|03|xyz|00|"; nocase; distance:0; fast_pattern; reference:url,www.bleepingcomputer.com/forums/t/614456/bloccato-ransomware-bloccato-help-support-leggi-questo-filetxt/; reference:md5,1bd06d0031abcf62bc1382c07dab0b90; classtype:trojan-activity; sid:9000403; rev:1;)

Regards,
--

-- 
Andrea De Pasquale
Incident Response Team, Certego

Use of the information within this document constitutes acceptance for
use in an "as is" condition. There are no warranties with regard to
this information; Certego has verified the data as thoroughly as
possible. Any use of this information lies within the user's
responsibility. In no event shall Certego be liable for any
consequences or damages, including direct, indirect, incidental,
consequential, loss of business profits or special damages, arising
out of or in connection with the use or spread of this information.
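The DNS-query byte patterns the rule above relies on, as an added example in Python (not code from the post or from Certego): encode a name into its wire form, render it the way Snort's content: option spells it, and apply the rule's two content checks to a constructed query packet. The domain is the one in the post; the packets, and the names dns_encode_name, snort_content_for_name, build_dns_query and rule_matches, are constructed for the example.

```python
import struct

# What the rule matches at offset:2 depth:10 -- flags 0x0100 (standard query,
# recursion desired), QDCOUNT 1, ANCOUNT/NSCOUNT/ARCOUNT 0.
QUERY_HEADER_TAIL = b"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"


def dns_encode_name(domain: str) -> bytes:
    """Wire form of a name: each label preceded by its length byte, 0x00 terminated."""
    out = b""
    for label in domain.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def snort_content_for_name(domain: str) -> str:
    """Spell the encoded name as a Snort content string, e.g. '|0e|ur232dkkwpdkwp|03|xyz|00|'."""
    parts = [f"|{len(label):02x}|{label}" for label in domain.rstrip(".").split(".")]
    return "".join(parts) + "|00|"


def build_dns_query(domain: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Constructed UDP payload of a standard query (header, QNAME, QTYPE, QCLASS IN)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + dns_encode_name(domain) + struct.pack(">HH", qtype, 1)


def rule_matches(payload: bytes, domain: str = "ur232dkkwpdkwp.xyz") -> bool:
    """Apply sid 9000403's two content checks to a UDP payload.

    content #1: offset:2 depth:10 -> bytes 2..11 must equal QUERY_HEADER_TAIL.
    content #2: nocase, distance:0 -> the encoded name must appear after that
    (bytes.lower() only folds ASCII letters, so the length bytes are untouched).
    """
    if payload[2:12] != QUERY_HEADER_TAIL:
        return False
    needle = dns_encode_name(domain).lower()
    return needle in payload[12:].lower()


if __name__ == "__main__":
    print(snort_content_for_name("ur232dkkwpdkwp.xyz"))
    for name in ("ur232dkkwpdkwp.xyz", "www.ur232dkkwpdkwp.xyz", "example.com"):
        print(name, "->", rule_matches(build_dns_query(name)))
```

Because the second content has no anchor before the 0x0e length byte, a query for any subdomain of the C2 name matches as well, which is usually what you want for a C2 domain; the header check is what keeps the rule from firing on the response carrying the same name back.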
Travis Green | 19 May 00:32 2016

Re: TopTools100 (possible Malware.Chir)

Looks like we have coverage in the PRO ruleset @ 2815135, I'll move that to open.

Thanks!
-Travis Green

On Mon, May 16, 2016 at 3:53 PM, Stanwyck, Carraig - ASOC - Kansas City, MO <Carraig.Stanwyck-SHdWKvT69xmpZYMLLGbcSA@public.gmane.org> wrote:
Thank you @Rmkml.  It does have a dash, I just mistyped.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ASOC Custom - BLACKLIST User Agent TopTools100 (BDI18N) [CS][May2016][PUP][CatA])"; flow:established,to_server; content:"User-Agent|3A 20|BDI18N"; http_header; reference:url,https://www.hybrid-analysis.com/sample/4e4d1a7888ff177460294d874ed6fc2b43841b4a02025600f637cf4f908d46cb?environmentId=1; classtype:trojan-activity; sid:123456789; rev:1;)

Regards,
-C

-----Original Message-----
From: rmkml [mailto:rmkml-Qt13gs6zZMY@public.gmane.org]
Sent: Monday, May 16, 2016 4:30 PM
To: Stanwyck, Carraig - ASOC - Kansas City, MO <Carraig.Stanwyck-SHdWKvT69xmpZYMLLGbcSA@public.gmane.org>
Cc: emerging-sigs@lists.emergingthreats.net; rmkml@yahoo.fr
Subject: Re: [Emerging-Sigs] TopTools100 (possible Malware.Chir)

Hi,

Are you really sure it's a "User Agent" without '-' between User and Agent, please?

Regards
@Rmkml


On Mon, 16 May 2016, Stanwyck, Carraig - ASOC - Kansas City, MO wrote:

>
> I’m pretty sure this is just adware, but Hybrid Analysis is thinking Malware.Chir.
>
>  
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ASOC Custom
> - BLACKLIST User Agent for TopTools100 (BDI18N)
> [CS][May2016][PUP][CatA])"; flow:established,to_server; content:"User
> Agent|3A 20|BDI18N"; http_header;
> reference:url,https://www.hybrid-analysis.com/sample/4e4d1a7888ff17746
> 0294d874ed6fc2b43841b4a02025600f637cf4f908d46cb?environmentId=1;
> classtype:trojan-activity; sid:123456789; rev:1;)
>
>  
>
> Example log:
>
> POST     www.thescreensnapshot.com 
> /cgi-bin-py/screensnapshot_install.cgi   -              BDI18N
>
> POST     www.thescreensnapshot.com  /cgi-bin-py/screensnapshot_uu.cgi        
> -              BDI18N
>
> GET        update.thescreensnapshot.com
> /toolupdate/getmsg?product=screensnapshot&id=5b64632a15182129068a5071d
> 0a29538&soft_screensnapshot=1.1.0.11130&os=6.1&sys=x64&screensnapshot_
> pn=Installchannel2|us|IBD|Bundle&in_sec=14                -             
> BDI18N
>
>  
>
> Regards,
>
> -C
>
>  
>
> Carraig Stanwyck
>
> USDA | OCIO | ASOC
>
>  
>
>  
>
>
>
>
>
> This electronic message contains information generated by the USDA
> solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.
>
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs@lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net




--
PGP: 0xBED7B297