[Emerging-Sigs] W32.Duqu

Christopher Granger chrisgrangerx at gmail.com
Wed Oct 19 17:49:03 EDT 2011


Great, thanks!

On Wed, Oct 19, 2011 at 9:28 PM, Matthew Jonkman <
jonkman at emergingthreatspro.com> wrote:

> Ya, saw that and was looking deeper. I worry about taking a hardcoded
> filename of course, but it's worth the sig.
>
> How about we do both sigs, then we'll have indication when the filename
> changes?
>
> Will get them both out.
>
> Thanks!
>
> Matt
>
>
> On Oct 19, 2011, at 5:20 PM, Jaime Blasco wrote:
>
> > I sent a similar rule yesterday to the mailing list, but adding the
> filename on the POST that is also hardcoded:
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32.DUQU detected"; flow: to_server,established; content:"User-Agent|3a| Mozilla/5.0 (Windows|3b| U|3b| Windows NT 6.0|3b| en-US|3b| rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"; nocase; http_header; content:"Content-Disposition|3A| form-data|3b| name=|22|DSC00001.jpg|22|"; nocase; http_header; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf; classtype:policy-violation; sid:111111; rev:1;)
> >
> > Best Regards
> >
> > 2011/10/19 Christopher Granger <chrisgrangerx at gmail.com>
> > Hi Emerging Threats,
> >
> > What do you think about this to detect Duqu's UA?
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"W32.Duqu User-Agent"; flow:to_server,established; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| Windows NT 6.0|3B| en-US|3B| rv|3A|1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)|0D 0A|"; http_header; fast_pattern:only; reference:url,http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf; classtype:trojan-activity; sid:XXXXXXX; rev:1;)
> >
> > Thank you,
> > -Chris
> >
> >
> >
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
> > Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreatspro.com
> > The ONLY place to get complete premium rulesets for Snort 2.4.0 through
> Current!
> >
> >
> >
> > --
> > _______________________________
> >
> > Jaime Blasco
> >
> > www.ossim.com
> > www.alienvault.com
> > Email: jaime.blasco at alienvault.com
> >
> > http://twitter.com/jaimeblascob
> >
>
>
> ----------------------------------------------------
> Matt Jonkman
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 866-504-2523 x110
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
>
>
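For readers who want to see how the two proposals in this thread behave side by side, here is an added Python example (not code from the thread, from Emerging Threats or from the rule authors) that applies the same two checks, the hardcoded User-Agent and the hardcoded form-data name DSC00001.jpg, to constructed sample POST requests. The rule names and match strings come from the messages above; the request parser, the build_post helper, the path /upload, the host example.invalid and the sample requests are assumptions constructed for the example. Running it shows what Matt describes: when the filename changes, the UA-only rule still fires while the POST rule goes quiet, which is the indication that the second sig has drifted.

```python
import re

# Strings taken from the two rules in the thread. In Snort content strings,
# |3a| and |3b| are hex escapes for ':' and ';', so the User-Agent value is:
DUQU_UA = ("Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.9) "
           "Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)")
# Hardcoded multipart form-data name from the POST rule.
DUQU_FORM_NAME = "DSC00001.jpg"

RULE_UA = "W32.Duqu User-Agent"             # Chris's rule: UA only
RULE_POST = "ET MALWARE W32.DUQU detected"  # Jaime's rule: UA + form-data name

# Both rules use `nocase`, so every comparison below is case-insensitive.
_CD_RE = re.compile(r'content-disposition:\s*form-data;\s*name="([^"]*)"',
                    re.IGNORECASE)


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")   # split on the first ':' only
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"request_line": lines[0], "headers": headers,
            "body": body.decode("latin-1")}


def check_request(raw: bytes) -> list:
    """Return the names of the thread's rules that would fire on one request.

    This is a simplified, buffer-agnostic restatement of the rule logic, not an
    emulation of Snort's HTTP buffers: the User-Agent is read from the request
    headers and the form-data name is searched for in the multipart body.
    """
    req = parse_request(raw)
    hits = []
    ua_match = req["headers"].get("user-agent", "").lower() == DUQU_UA.lower()
    if ua_match:
        hits.append(RULE_UA)
    m = _CD_RE.search(req["body"])
    # The POST rule needs both the UA and the hardcoded name to match.
    if ua_match and m and m.group(1).lower() == DUQU_FORM_NAME.lower():
        hits.append(RULE_POST)
    return hits


def build_post(user_agent: str, form_name: str) -> bytes:
    """Construct a sample multipart POST (constructed data, not a capture)."""
    boundary = "----ConstructedBoundary"
    body = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{form_name}"\r\n'
            "Content-Type: image/jpeg\r\n\r\n"
            "<constructed blob>\r\n"
            f"--{boundary}--\r\n")
    head = ("POST /upload HTTP/1.1\r\n"          # assumed path
            "Host: example.invalid\r\n"           # assumed host
            f"User-Agent: {user_agent}\r\n"
            f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
            f"Content-Length: {len(body)}\r\n")
    return (head + "\r\n" + body).encode("latin-1")


if __name__ == "__main__":
    other_ua = "Mozilla/5.0 (X11; Linux x86_64; rv:7.0) Gecko/20100101 Firefox/7.0"
    samples = {
        "Duqu UA + DSC00001.jpg": build_post(DUQU_UA, DUQU_FORM_NAME),
        "Duqu UA, filename changed": build_post(DUQU_UA, "DSC00002.jpg"),
        "ordinary browser UA": build_post(other_ua, DUQU_FORM_NAME),
    }
    for label, raw in samples.items():
        print(f"{label:28s} -> {check_request(raw) or ['no alert']}")
```

The three constructed requests map onto the discussion: the first trips both rules, the second (same UA, different filename) trips only the UA rule, and the third (a different browser with the Duqu filename) trips neither, since the POST rule as written requires the UA as well.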