[Emerging-Sigs] MALWARE SIGS

Kevin Ross kevross33 at googlemail.com
Wed Oct 12 10:16:24 EDT 2011


Here you go. Pick out the ones you think are best for W32.Cookies.

# OTHERS: BKDR_BTMINE.MNR requests we currently lack coverage for (there is already a sig for the miner fetching its IP list).
# BKDR_BTMINE.MNR: the request the miner uses to learn its external IP address.
# Plain GET with a fixed URI, normalized http_method/http_uri buffers.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BKDR_BTMINE.MNR BitCoin Miner Getting External IP Address"; \
    flow:established,to_server; \
    content:"GET"; http_method; \
    content:"/search=get_my_ip"; http_uri; \
    reference:url,www.securelist.com/en/blog/208193084/The_Miner_Botnet_Bitcoin_Mining_Goes_Peer_To_Peer; \
    classtype:trojan-activity; sid:123991; rev:1;)

# BKDR_BTMINE.MNR: connectivity / listen test request (per the msg), same
# GET + fixed-URI shape as the other BTMINE rules.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BKDR_BTMINE.MNR BitCoin Miner Connectivity Test"; \
    flow:established,to_server; \
    content:"GET"; http_method; \
    content:"/search=listen_test"; http_uri; \
    reference:url,www.securelist.com/en/blog/208193084/The_Miner_Botnet_Bitcoin_Mining_Goes_Peer_To_Peer; \
    classtype:trojan-activity; sid:123992; rev:1;)

# BKDR_BTMINE.MNR: request for the list of executables (per the msg), same
# GET + fixed-URI shape as the other BTMINE rules.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BKDR_BTMINE.MNR BitCoin Miner Retrieving Executables List"; \
    flow:established,to_server; \
    content:"GET"; http_method; \
    content:"/search=soft_list"; http_uri; \
    reference:url,www.securelist.com/en/blog/208193084/The_Miner_Botnet_Bitcoin_Mining_Goes_Peer_To_Peer; \
    classtype:trojan-activity; sid:123993; rev:1;)

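# W32/Dloader.JIP!tr: gate.php request carrying v=, b= and r= parameters.
# The three http_uri matches are independent (no distance/within), so the
# parameters may appear in any order.
# Fix: the reference URL must not carry the "http://" scheme -- Snort's
# reference.config already prefixes url references with it (and every other
# rule in this set omits the scheme).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Dloader.JIP!tr Retrieving Malicious Files"; \
    flow:established,to_server; \
    content:"/images/gate.php?v="; http_uri; \
    content:"&b="; http_uri; \
    content:"&r="; http_uri; \
    classtype:trojan-activity; \
    reference:url,www.fortiguard.com/av/VID3062009; \
    sid:123994; rev:1;)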

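# Snort 2.9 onwards only (base64_decode / base64_data). With no byte count,
# base64_decode consumes base64 until the end of the header line or of the
# payload, so the whole Cookie value is decoded.
# Fix: base64_decode takes a colon before its arguments ("base64_decode:relative");
# the comma form "base64_decode,relative" is a rule parse error.
# NOTE(review): if http_inspect runs with enable_cookie, the Cookie line is
# removed from http_header and placed in the http_cookie buffer, and this
# http_header match will not fire -- confirm against the sensor's config.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Cookies Initial Checkin To CnC"; \
    flow:established,to_server; \
    content:"Cookie|3A 20|"; http_header; \
    base64_decode:relative; base64_data; \
    content:"command=GetCommand|3B|clientkey="; within:30; \
    content:"|3B|hostname="; within:20; \
    classtype:trojan-activity; \
    reference:url,www.cyberesi.com/2011/09/12/trojan-cookies/; \
    sid:123996; rev:1;)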

# All Snort versions (no base64 keywords needed). The literal
# "Y29tbWFuZD1nZXRzeXN0ZW07" is the base64 encoding of "command=getsystem;",
# so this is the server's first command, matched still encoded in Set-Cookie.
# NOTE(review): with http_inspect enable_cookie the Set-Cookie line is moved
# from http_header into http_cookie -- verify against the sensor config.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32.Cookies Initial CnC Server Response - GetSystem"; \
    flow:established,to_client; \
    content:"Set-Cookie|3A 20|Y29tbWFuZD1nZXRzeXN0ZW07"; http_header; \
    reference:url,www.cyberesi.com/2011/09/12/trojan-cookies/; \
    classtype:trojan-activity; sid:123997; rev:1;)

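# Snort 2.9 onwards only (base64_decode / base64_data). Decodes the Set-Cookie
# value and looks for "command=<cmd>;content=".
# Fixes: (1) this is a server response (flow:to_client, Set-Cookie), so the
# header direction is $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any as in the
# other to_client rules; the original had the client->server direction with
# to_client and would not fire on a normal deployment. (2) base64_decode takes
# a colon, not a comma, before "relative". (3) classtype was missing.
# NOTE(review): with http_inspect enable_cookie the Set-Cookie line is moved
# from http_header into http_cookie -- verify against the sensor config.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32.Cookies CnC Server Command Response"; \
    flow:established,to_client; \
    content:"Set-Cookie|3A 20|"; http_header; \
    base64_decode:relative; base64_data; \
    content:"command="; within:8; \
    content:"|3B|content="; within:20; \
    classtype:trojan-activity; \
    reference:url,www.cyberesi.com/2011/09/12/trojan-cookies/; \
    sid:123998; rev:1;)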

# All Snort versions. "Y29tbWFuZD1" is base64 for "command=" plus the top two
# bits (01) of the following byte, i.e. it matches "command=" followed by a
# byte in 0x40-0x7F (any ASCII letter) when the cookie value begins at
# "command=". The POST body must start with "postvalue=" (depth equals its
# length, so it is anchored at offset 0).
# NOTE(review): with http_inspect enable_cookie the Cookie line is moved from
# http_header into http_cookie -- verify against the sensor config.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Cookies Posting Data to CnC Server"; \
    flow:established,to_server; \
    content:"POST"; http_method; \
    content:"Cookie|3A 20|Y29tbWFuZD1"; http_header; \
    content:"postvalue="; http_client_body; depth:10; \
    reference:url,www.cyberesi.com/2011/09/12/trojan-cookies/; \
    classtype:trojan-activity; sid:123999; rev:1;)

# Broad client-side catch-all: any request whose Cookie value starts with the
# base64 of "command=" (see the note on the POST rule for what "Y29tbWFuZD1"
# matches). It is a superset of the more specific sids 123996 and 123999, so
# expect overlapping alerts if all three are enabled.
# NOTE(review): with http_inspect enable_cookie the Cookie line is moved from
# http_header into http_cookie -- verify against the sensor config.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Cookies Client Communication to CnC Server"; \
    flow:established,to_server; \
    content:"Cookie|3A 20|Y29tbWFuZD1"; http_header; \
    reference:url,www.cyberesi.com/2011/09/12/trojan-cookies/; \
    classtype:trojan-activity; sid:124000; rev:1;)

# Broad server-side catch-all: any response whose Set-Cookie value starts with
# the base64 of "command=". Superset of sids 123997 and 123998; overlapping
# alerts are expected if all are enabled.
# NOTE(review): with http_inspect enable_cookie the Set-Cookie line is moved
# from http_header into http_cookie -- verify against the sensor config.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32.Cookies CnC Server Response"; \
    flow:established,to_client; \
    content:"Set-Cookie|3A 20|Y29tbWFuZD1"; http_header; \
    reference:url,www.cyberesi.com/2011/09/12/trojan-cookies/; \
    classtype:trojan-activity; sid:124001; rev:1;)