Monday, December 26, 2016

1:41083 BLACKLIST suspicious .bit dns query

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whomever created this dns query blacklist alert didn't include documentation.

(1:41083) BLACKLIST suspicious .bit dns query

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST suspicious .bit dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|bit|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; classtype:trojan-activity; sid:41083; rev:1; )

If I had to guess I think it's related to the .bit tld or something similar which stated.

Per the reddit The advantage to owning a .bit domain is that no government or third-party can have your DNS interrupted, it is truly a P2P DNS system with no possibility of censorship.

More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.
Posted by at No comments:
Labels: , , ,

1:41088 MALWARE-CNC Win.Trojan.MrWhite Win.Trojan.Ostap out bound communication attempt

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whomever created these trojan connection attempts snort alert didn't include documentation.

(1:41089) MALWARE-CNC Win.Trojan.Ostap out bound communication attempt

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ostap out bound communication attempt"; flow:to_server,established; content:"/ostap.php"; fast_pattern:only; http_uri; content:"/ostap.php"; depth:20; offset:2; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:41089; rev:1; )

(1:41088) MALWARE-CNC Win.Trojan.MrWhite out bound communication attempt

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MrWhite out bound communication attempt"; flow:to_server,established; content:"/GOLD/bender.php"; http_uri; content:"User-Agent: Mr.White|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:41088; rev:1; )

If I had to guess I think it's related to this JScript backdoor or something similar which stated.

Per the article it says MrWhite can profile the victim systems for the presence of running POS software before dropping further POS payloads. Related to financially-motivated threat actor group with access to banking Trojans and other malware, including Dridex, Ursnif, Tinba, and the point-of-sale (POS) malware AbaddonPOS with its loader, TinyLoader.

More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.
Posted by at 1 comment:
Labels: , , , ,

1:41035 1:41084 EXPLOIT-KIT Sundown Exploit Kit redirection attempt

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whomever created these exploit kit alerts didn't include documentation.

(1:41035) EXPLOIT-KIT Sundown Exploit Kit redirection attempt

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sundown Exploit Kit redirection attempt"; flow:established,to_server; content:"/noone.php"; depth:10; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:41035; rev:1; )

(1:41084) EXPLOIT-KIT Sundown Exploit kit landing page obfuscation detected

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sundown Exploit kit landing page obfuscation detected"; flow:to_client,established; file_data; content:"|22|script|22|"; nocase; content:"|22|createE|22|"; within:50; nocase; content:"|22|lement|22|"; within:20; nocase; content:"|22|type|22|"; within:50; nocase; content:"|22|text/j|22|"; within:50; nocase; content:"|22|avascript|22|"; within:50; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:41084; rev:1; )

If I had to guess I think it's related to the Sundown Exploit Kit or something similar which stated.

Per the article, it is composed of a couple of parts: a landing page and an exploit page with a payload. This landing page then probes the user's system to determine if they are potentially vulnerable and then delivers an exploit page with a malicious payload.

More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.
Posted by at 1 comment:
Labels: , ,

1:41034 MALWARE-CNC Win.Trojan.Sality variant outbound connection

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whomever created these trojan connection attempts snort alert didn't include documentation.

(1:41034) MALWARE-CNC Win.Trojan.Sality variant outbound connection

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sality variant outbound connection"; flow:to_server,established; content:"/images/image.gif"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|"; depth:12; http_header; content:!"proxy"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/22fc19a6d9e0ef40812d05c357beabfed6f7cb9fe72af826947acb458b911213/analysis/; classtype:trojan-activity; sid:41034; rev:1; )

If I had to guess I think it's related to this Sality Gambling campaign or something similar which stated.

It appears to the image.gif callouts download the real payload. The article also mentions Sality has incorporated the use of rootkit functions as part of the malware family’s ongoing evolution. Sality found that it delivered fake-AV malware as the final payload, able to infect not only local drives but also USB devices and network folders.
The virus total link above shows many solid hits of Win32/Sality.

More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.
Posted by at No comments:
Labels: , ,

1:41033 MALWARE-CNC Win.Trojan.Proteus outbound connection

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whomever created these trojan connection attempts snort alert didn't include documentation.

(1:41033) MALWARE-CNC Win.Trojan.Proteus outbound connection

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Proteus outbound connection"; flow:to_server,established; content:"/api/register"; fast_pattern:only; http_uri; content:"{|22|m|22|:|22 5C 5C|"; depth:8; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/d23b4a30f6b1f083ce86ef9d8ff434056865f6973f12cb075647d013906f51a2/analysis/; classtype:trojan-activity; sid:41033; rev:1; )

If I had to guess I think it's related to this link per the virustotal comments botnet Proteus or something similar which stated.

It appears to make callouts to an api for the C&C server. It appears to have keyloggers capabilities among other things.
The virus total link above shows several generic hits like Trojan.KeyLogger, TrojanDropper.Dapato, Win32.Trojan.WisdomEyes,Trojan.Dynamer, etc.

More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.
Posted by at No comments:
Labels: , ,

1:41031 MALWARE-CNC Win.Trojan.Athena variant outbound connection

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whomever created these trojan connection attempts snort alert didn't include documentation.

(1:41031) MALWARE-CNC Win.Trojan.Athena variant outbound connection

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Athena variant outbound connection"; flow:to_server,established; content:"User-Agent: Go-http-client"; fast_pattern:only; http_header; content:"/cmd/"; depth:5; http_uri; pcre:"/^\x2Fcmd\x2F[\-a-zA-Z0-9_+]{650,}={0,3}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/af385c983832273390bb8e72a9617e89becff2809a24a3c76646544375f21d14/analysis/; classtype:trojan-activity; sid:41031; rev:1; )

If I had to guess I think it's related to this malware analysis of a file called msguard.exe or something similar which stated.

It appears to make callouts to .onion addresses with cmd parameters that are likely sending or receiving information to a C&C server.
The virus total link above shows several generic hits like Win.Trojan.Athena, W32.Clodece.Trojan, Trojan.Dynamer, Trojan.Razy, etc.

More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.
Posted by at No comments:
Labels: , ,

Wednesday, December 14, 2016

1:40912 1:40913 MALWARE-OTHER Win.Trojan.Flokibot variant download attempt

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whomever created these trojan download attempt snort alert didn't include documentation.

1 40913 MALWARE-OTHER Win.Trojan.Flokibot variant download attempt
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Flokibot variant download attempt"; flow:to_server,established; file_data; content:"Hash: 0x%x not loaded."; fast_pattern:only; content:"|00|B|00|O|00|T|00|3|00|2|00|"; nocase; content:"|00|K|00|E|00|Y|00|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/0aa1f07a2ebcdd42896d3d8fdb5e9a9fef0f4f894d2501b9cbbe4cbad673ec03/analysis/; classtype:trojan-activity; sid:40913; rev:1; ) 1 40912 MALWARE-OTHER Win.Trojan.Flokibot variant download attempt
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Flokibot variant download attempt"; flow:to_client,established; file_data; content:"Hash: 0x%x not loaded."; fast_pattern:only; content:"|00|B|00|O|00|T|00|3|00|2|00|"; nocase; content:"|00|K|00|E|00|Y|00|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0aa1f07a2ebcdd42896d3d8fdb5e9a9fef0f4f894d2501b9cbbe4cbad673ec03/analysis/; classtype:trojan-activity; sid:40912; rev:1; )

If I had to guess I think it's related to the Sednit hacking group and perhaps a rootkit they developed or something similar which stated.

Floki Bot is a malware variant that has recently been offered for sale on various darknet markets. It is based on the same codebase that was used by the infamous Zeus trojan. Floki Bot claims to feature several new capabilities making it an attractive tool for criminals. Talos also observed the introduction of new code that allows Floki Bot to make use of the Tor network.
Malwarebytes also has a good writeup on the malware.
The virus total link above shows several generic hits like Win.Trojan.Flokibot, Trojan-Spy.Zbot, Trojan.Win32.DownLoader, etc.

More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.
Posted by at No comments:
Labels: ,
Subscribe to: Posts (Atom)