[Emerging-Sigs] Stabuniq C&C candidate rules

Will Metcalf wmetcalf at emergingthreatspro.com
Thu Dec 27 05:05:19 HAST 2012


Thanks Darren, running through QA. Will get them in today if no issues.

Regards,

Will

On Mon, Dec 24, 2012 at 3:35 PM, Darren Spruell <phatbuckett at gmail.com> wrote:

> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TROJAN
> Stabuniq C&C Communication"; flow:to_server,established;
> content:"id="; depth:3; http_client_body; content:"&varname=";
> http_client_body; content:"&comp="; http_client_body; content:"&ver=";
> http_client_body; content:"&xid="; http_client_body;
> reference:url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers;
> reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-121809-2437-99&tabid=2;
> reference:url,contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html;
> classtype:trojan-activity; sid:XXXXXXX; rev:1;)
>
> These are candidate rules based on observation that POSTs to observed
> C2 script names appear to be anomalous; basic testing didn't show a
> lot of /rssnews.php and we'd expect most requests to these script
> names to be GET requests.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TROJAN
> Stabuniq Observed C&C POST Target /rss.php";
> flow:to_server,established; content:"POST"; http_method;
> content:"/rss.php"; http_uri;
> reference:url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers;
> reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-121809-2437-99&tabid=2;
> reference:url,contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html;
> classtype:trojan-activity; sid:XXXXXXX; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TROJAN
> Stabuniq Observed C&C POST Target /rssnews.php";
> flow:to_server,established; content:"POST"; http_method;
> content:"/rssnews.php"; http_uri;
> reference:url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers;
> reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-121809-2437-99&tabid=2;
> reference:url,contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html;
> classtype:trojan-activity; sid:XXXXXXX; rev:1;)
>
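The three candidate rules quoted above combine two detection ideas: the first keys on the form-field markers in the POST body (with `depth:3` pinning `id=` to the very start of the body), the other two key on a POST method to an observed C2 script name. The following Python is an added example, not part of the list thread and not Snort or Suricata code; it re-implements just that matching logic so a reader can see which rule fires on which request, including the case where the body markers are present but `id=` is not at offset 0. All sample requests are constructed for the example, and `example.invalid` is a placeholder host, not an observed C2.

```python
"""Added example: re-implementation of the matching logic in the quoted Stabuniq
candidate rules, applied to constructed HTTP requests. Not the list's or any
IDS project's code; it only mirrors the content/depth/http_method/http_uri
semantics the rules rely on, so the results can be reasoned about offline."""

from dataclasses import dataclass
from typing import List


@dataclass
class HttpRequest:
    method: str
    uri: str
    body: bytes


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.x request into method, URI and body (headers ignored)."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    method, uri, _version = request_line.split(b" ", 2)
    return HttpRequest(method.decode(), uri.decode(), body)


# Rule 1: field markers in the client body. content:"id="; depth:3 means the
# 3-byte pattern must fall entirely inside the first 3 bytes, i.e. at offset 0.
# The remaining contents carry no distance/within, so they may appear anywhere.
BODY_MARKERS = (b"&varname=", b"&comp=", b"&ver=", b"&xid=")


def matches_cnc_body(req: HttpRequest) -> bool:
    if req.body[:3] != b"id=":
        return False
    return all(marker in req.body for marker in BODY_MARKERS)


# Rules 2 and 3: http_method POST plus an observed script name anywhere in the
# normalized URI. "/rss.php" is not a substring of "/rssnews.php", so the two
# rules do not overlap; both would still match the name under any directory.
OBSERVED_C2_SCRIPTS = ("/rss.php", "/rssnews.php")


def matches_cnc_post_target(req: HttpRequest) -> List[str]:
    if req.method != "POST":
        return []
    return [script for script in OBSERVED_C2_SCRIPTS if script in req.uri]


def evaluate(raw: bytes) -> List[str]:
    """Return the msg names of the quoted rules that would fire for one request."""
    req = parse_request(raw)
    fired = []
    if matches_cnc_body(req):
        fired.append("TROJAN Stabuniq C&C Communication")
    for script in matches_cnc_post_target(req):
        fired.append(f"TROJAN Stabuniq Observed C&C POST Target {script}")
    return fired


# Constructed sample traffic (not captures): a beacon-shaped POST, a benign GET
# to the same script name, a POST to /rssnews.php without the body markers, and
# a body that carries every marker but does not start with "id=".
SAMPLE_BEACON = (
    b"POST /rss.php HTTP/1.1\r\nHost: example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"id=12345&varname=test&comp=WORKSTATION&ver=1.0&xid=7"
)
SAMPLE_BENIGN_GET = b"GET /rss.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
SAMPLE_POST_NO_MARKERS = (
    b"POST /rssnews.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
    b"q=search&page=2"
)
SAMPLE_SHIFTED_ID = (
    b"POST /upload.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
    b"x=1&id=5&varname=a&comp=b&ver=c&xid=d"
)

if __name__ == "__main__":
    for name, raw in (
        ("beacon", SAMPLE_BEACON),
        ("benign GET", SAMPLE_BENIGN_GET),
        ("POST without markers", SAMPLE_POST_NO_MARKERS),
        ("shifted id=", SAMPLE_SHIFTED_ID),
    ):
        print(f"{name:22s} -> {evaluate(raw)}")
```

The "shifted id=" case is the one worth noting when tuning: because of `depth:3`, a body where `id=` is preceded by any other field will not trigger the first rule even though all the markers are present, while the second and third rules fire on any POST to those script names regardless of body, which is why the author calls out the expected GET-vs-POST ratio as the basis for their false-positive assumption.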