[Emerging-Sigs] W32.Duqu

Matthew Jonkman jonkman at emergingthreatspro.com
Wed Oct 19 17:28:24 EDT 2011


Ya, saw that and was looking deeper. I worry about taking a hardcoded filename of course, but it's worth the sig.

How about we do both sigs, then we'll have indication when the filename changes?

Will get them both out.

Thanks!

Matt


On Oct 19, 2011, at 5:20 PM, Jaime Blasco wrote:

> I sent a similar rule yesterday to the mailing list, but adding the filename on the POST that is also hardcoded:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32.DUQU detected"; flow: to_server,established; content:"User-Agent|3a| Mozilla/5.0 (Windows|3b| U|3b| Windows NT 6.0|3b| en-US|3b| rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"; nocase; http_header; content:"Content-Disposition|3A| form-data|3b| name=|22|DSC00001.jpg|22|"; nocase; http_header; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf; classtype:policy-violation; sid:111111; rev:1;)
> 
> Best Regards
> 
> 2011/10/19 Christopher Granger <chrisgrangerx at gmail.com>
> Hi Emerging Threats,
> 
> What do you think about this to detect Duqu's UA?
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"W32.Duqu User-Agent"; flow:to_server,established; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| Windows NT 6.0|3B| en-US|3B| rv|3A|1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)|0D 0A|"; http_header; fast_pattern:only; reference:url,http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf; classtype:trojan-activity; sid:XXXXXXX; rev:1;)
> 
> Thank you,
> -Chris
> 
> 
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
> 
> 
> 
> -- 
> _______________________________
> 
> Jaime Blasco
> 
> www.ossim.com
> www.alienvault.com
> Email: jaime.blasco at alienvault.com
> 
> http://twitter.com/jaimeblascob
> 


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
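The "do both sigs" idea from the thread, worked through as an added example that is not part of the list post or the ET ruleset: the two indicators (the hardcoded User-Agent, and that User-Agent plus the hardcoded multipart part name) are applied to constructed HTTP POSTs so you can see that a renamed upload still trips the User-Agent rule alone. The request samples, the `/upload.php` path and the `example.invalid` host are constructed for the demonstration; the part name is searched in the request body, which is where a multipart Content-Disposition line is carried.

```python
# Added example: the two Duqu indicators from the thread applied to raw requests.
import re

DUQU_UA = ("Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.9) "
           "Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)")
DUQU_PART_NAME = "DSC00001.jpg"   # hardcoded name= value from Jaime's rule


def parse_request(raw: bytes):
    """Split a raw HTTP request into (headers dict keyed lowercase, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:                      # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body.decode("latin-1")


def match_duqu(raw: bytes) -> dict:
    """Report which of the two proposed signatures fire on this request."""
    headers, body = parse_request(raw)
    # Chris's rule: exact User-Agent line (compared case-insensitively, like nocase)
    ua_hit = headers.get("user-agent", "").lower() == DUQU_UA.lower()
    # Jaime's rule adds the multipart part name; it lives in the POST body
    disp = re.search(r'content-disposition:\s*form-data;\s*name="([^"]+)"', body, re.I)
    name_hit = bool(disp) and disp.group(1).lower() == DUQU_PART_NAME.lower()
    return {"ua_sig": ua_hit,
            "ua_plus_name_sig": ua_hit and name_hit,
            "part_name_seen": disp.group(1) if disp else None}


def build_post(user_agent: str, part_name: str) -> bytes:
    """Constructed multipart POST of the shape the two rules describe."""
    body = ("--boundary\r\n"
            f'Content-Disposition: form-data; name="{part_name}"\r\n'
            "Content-Type: image/jpeg\r\n\r\n<jpeg bytes>\r\n--boundary--\r\n")
    head = ("POST /upload.php HTTP/1.1\r\nHost: example.invalid\r\n"
            f"User-Agent: {user_agent}\r\n"
            "Content-Type: multipart/form-data; boundary=boundary\r\n"
            f"Content-Length: {len(body)}\r\n")
    return (head + "\r\n" + body).encode("latin-1")


if __name__ == "__main__":
    for label, req in [("as documented", build_post(DUQU_UA, DUQU_PART_NAME)),
                       ("filename changed", build_post(DUQU_UA, "DSC00002.jpg")),
                       ("benign browser", build_post("Mozilla/5.0 (X11; Linux)", DUQU_PART_NAME))]:
        print(f"{label:17}", match_duqu(req))
```

When the part name changes, only `ua_sig` fires; that divergence is the "indication" Matt wants from running both rules side by side.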


