[Emerging-Sigs] Stabuniq C&C candidate rules

Darren Spruell phatbuckett at gmail.com
Mon Dec 24 11:35:44 HAST 2012


This has been in the media since Symantec posted. These aren't tested - hoping
someone can help validate. The contagiodump post has a pcap and text payload
for reference.

# Observed C2 communications
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TROJAN
Stabuniq C&C Communication"; flow:to_server,established;
content:"id="; depth:3; http_client_body; content:"&varname=";
http_client_body; content:"&comp="; http_client_body; content:"&ver=";
http_client_body; content:"&xid="; http_client_body;
reference:url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers;
reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-121809-2437-99&tabid=2;
reference:url,contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html;
classtype:trojan-activity; sid:XXXXXXX; rev:1;)

These are candidate rules based on the observation that POSTs to the observed
C2 script names appear to be anomalous; basic testing didn't show a
lot of /rssnews.php, and we'd expect most requests to these script
names to be GET requests.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TROJAN
Stabuniq Observed C&C POST Target /rss.php";
flow:to_server,established; content:"POST"; http_method;
content:"/rss.php"; http_uri;
reference:url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers;
reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-121809-2437-99&tabid=2;
reference:url,contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html;
classtype:trojan-activity; sid:XXXXXXX; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TROJAN
Stabuniq Observed C&C POST Target /rssnews.php";
flow:to_server,established; content:"POST"; http_method;
content:"/rssnews.php"; http_uri;
reference:url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers;
reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-121809-2437-99&tabid=2;
reference:url,contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html;
classtype:trojan-activity; sid:XXXXXXX; rev:1;)

-- 
Darren Spruell
phatbuckett at gmail.com
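To help with the validation the post asks for, here is an added example (not the poster's code and not an Emerging Threats artifact) that re-implements the matching logic of the three candidate rules in Python over raw HTTP requests: rule 1 requires "id=" within the first 3 bytes of the POST body (depth:3) plus the other four field names anywhere in the body (the content matches are not relative), and rules 2/3 require method POST with the script name as a substring of the URI, which is why a path like /feeds/rss.php would also fire. The sample requests are constructed, not taken from the referenced pcap.

```python
"""Offline re-implementation of the candidate Stabuniq Snort rules above,
so their matching logic can be checked against sample requests without a
sensor. Added example; the sample traffic below is constructed."""

C2_FIELDS = (b"&varname=", b"&comp=", b"&ver=", b"&xid=")
C2_SCRIPTS = (b"/rss.php", b"/rssnews.php")

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, body), or None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return None
    return parts[0], parts[1], body

def match_stabuniq(raw: bytes):
    """Return the msg strings of the candidate rules that would fire."""
    parsed = parse_request(raw)
    if parsed is None:
        return []
    method, uri, body = parsed
    hits = []
    # Rule 1: content:"id="; depth:3; http_client_body -> "id=" must sit in
    # the first 3 bytes of the body; the remaining fields may appear anywhere.
    if body[:3] == b"id=" and all(f in body for f in C2_FIELDS):
        hits.append("TROJAN Stabuniq C&C Communication")
    # Rules 2/3: POST method plus the script name anywhere in the URI
    # (http_uri content matches are substring matches, not exact paths).
    if method == b"POST":
        for script in C2_SCRIPTS:
            if script in uri:
                hits.append("TROJAN Stabuniq Observed C&C POST Target "
                            + script.decode())
    return hits

# Constructed sample traffic (hostnames and values are placeholders).
SAMPLE_C2_POST = (b"POST /rss.php HTTP/1.1\r\nHost: example.invalid\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                  b"id=1234&varname=abc&comp=HOST1&ver=1&xid=9")
SAMPLE_RSS_GET = (b"GET /rssnews.php?cat=1 HTTP/1.1\r\n"
                  b"Host: example.invalid\r\n\r\n")

if __name__ == "__main__":
    print(match_stabuniq(SAMPLE_C2_POST))  # both rule 1 and the /rss.php rule
    print(match_stabuniq(SAMPLE_RSS_GET))  # [] : GET requests are not flagged
```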
