[Emerging-Sigs] Malware NfLog

Edward Fjellskål edwardfjellskaal at gmail.com
Wed Feb 15 15:32:17 EST 2012


Suggest:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.NfLog Checkin (Nfile)"; flow:to_server,established; content:"POST"; http_method; content:"/NfLog/Nfile.asp"; http_uri; classtype:trojan-activity; sid:-1; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.NfLog GET file (Nfile)"; flow:to_server,established; content:"GET"; http_method; content:"/NfLog/Nfile.asp"; http_uri; classtype:trojan-activity; sid:-1; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.NfLog GET IP (TTip)"; flow:to_server,established; content:"GET"; http_method; content:"/NfLog/TTip.asp"; http_uri; classtype:trojan-activity; sid:-1; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.NfLog POST data (TTip)"; flow:to_server,established; content:"POST"; http_method; content:"/NfLog/NfStart.asp?ClientId="; http_uri; classtype:trojan-activity; sid:-1; rev:1;)


The "GET" content is not needed, but just to separate them for intel.

:)

E
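To sanity-check rules like the ones above before they go into a ruleset, it helps to replay the captured requests from this thread through the same method / URI / body checks. The block below is an added example, not part of the original mail and not Snort: it models only the http_method, http_uri and http_client_body content matches of the four suggested rules plus Jaime's original one, and runs them over the three requests quoted further down (with the IPs masked exactly as in the thread) plus one constructed GET request. The UTF-16LE encoding of the dotted request bodies is an assumption based on how they appear in the capture.

```python
"""
Replay the NfLog HTTP requests quoted in the thread against a minimal model of
the proposed Snort rules (http_method / http_uri / http_client_body only).
Added example; the matching here is a plain substring check, not Snort's engine.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    msg: str
    method: Optional[str] = None  # content:"..."; http_method
    uri: Optional[str] = None     # content:"..."; http_uri (substring, like a Snort content match)
    body: Optional[str] = None    # content:"..."; http_client_body


# The four rules suggested at the top of the thread plus Jaime's original rule.
RULES = [
    Rule("ET TROJAN Trojan.Win32.NfLog Checkin (Nfile)", method="POST", uri="/NfLog/Nfile.asp"),
    Rule("ET TROJAN Trojan.Win32.NfLog GET file (Nfile)", method="GET", uri="/NfLog/Nfile.asp"),
    Rule("ET TROJAN Trojan.Win32.NfLog GET IP (TTip)", method="GET", uri="/NfLog/TTip.asp"),
    Rule("ET TROJAN Trojan.Win32.NfLog POST data (TTip)", method="POST",
         uri="/NfLog/NfStart.asp?ClientId="),
    Rule("MALWARE NfLog Checkin", uri="/NfLog/Nfile.asp", body="GetFile"),
]

# Requests reconstructed from the captures quoted in the thread (IPs masked as there).
NFILE_POST = (
    b"POST /NfLog/Nfile.asp HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    b"Host: www.vvindow.com\r\n"
    b"Content-Length: 7\r\n"
    b"Pragma: no-cache\r\n"
    b"\r\n"
    b"GetFile"
)
# Body shown as "w.w.w..." in the capture (8 bytes): assumed to be UTF-16LE "www."
TTIP_POST = (
    b"POST /NfLog/TTip.asp HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Host: www.vvindow.com\r\n"
    b"Content-Length: 8\r\n"
    b"\r\n" + "www.".encode("utf-16-le")
)
# Body shown as "w.w.w...g.o.o.g.l.e...c.o.m...9.9.9." (36 bytes): assumed UTF-16LE.
NFSTART_POST = (
    b"POST /NfLog/NfStart.asp?ClientId=172.*.*.113%20<3a68>%20218.108.*.*"
    b"&Nick=KHnpa0210*&dtime=T:5-28-17-58 HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Host: www.vvindow.com\r\n"
    b"Content-Length: 36\r\n"
    b"\r\n" + "www.google.com.999".encode("utf-16-le")
)
# Constructed request that is not in the thread, to exercise the GET variant.
NFILE_GET = b"GET /NfLog/Nfile.asp HTTP/1.1\r\nHost: www.vvindow.com\r\n\r\n"


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 request into (method, uri, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return method.decode(), uri.decode(errors="replace"), headers, body


def match(rule: Rule, method: str, uri: str, body: bytes) -> bool:
    """Every option present in the rule must match, as with Snort content options."""
    if rule.method is not None and method != rule.method:
        return False
    if rule.uri is not None and rule.uri not in uri:
        return False
    if rule.body is not None and rule.body.encode() not in body:
        return False
    return True


def alerts(raw: bytes) -> List[str]:
    """Return the msg of every rule that fires on one request, in ruleset order."""
    method, uri, _headers, body = parse_request(raw)
    return [r.msg for r in RULES if match(r, method, uri, body)]


if __name__ == "__main__":
    for name, req in [("Nfile POST", NFILE_POST), ("Nfile GET", NFILE_GET),
                      ("TTip POST", TTIP_POST), ("NfStart POST", NFSTART_POST)]:
        print(name, "->", alerts(req) or "no alert")
```

Replaying the captures this way shows one coverage detail worth checking before submission: the TTip request quoted in the thread is a POST, while the suggested TTip rule keys on GET, so that capture triggers none of the five rules as written.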


On 02/15/2012 09:11 PM, Edward Fjellskål wrote:
> On 02/15/2012 06:06 PM, Jaime Blasco wrote:
>> Hi,
>>
>> I was
>> reading http://contagiodump.blogspot.com/2012/02/feb-9-cve-2011-1980-msoffice-dll.html
>> today. The sample dropped is a well-known APT backdoor that has been used
>> since 2009 more or less.
>>
>> I was able to run several samples and this rule seems to work quite well:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE NfLog Checkin"; flow:to_server,established; content:"/NfLog/Nfile.asp"; http_uri; content:"GetFile"; http_client_body; classtype:trojan-activity; sid:3000008; rev:1;)
> 
> There is some more stuff you can sig:
> 
> POST /NfLog/Nfile.asp HTTP/1.1
> Accept: */*
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
> Host: www.vvindow.com
> Content-Length: 7
> Pragma: no-cache
> 
> GetFile
> 
> POST /NfLog/TTip.asp HTTP/1.1
> Accept: */*
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR
> 1.1.4322)
> Host: www.vvindow.com
> Content-Length: 8
> Pragma: no-cache
> Cookie: ASPSESSIONIDCQBDQRQB=KGIJAHMDGKKOMBFLMLLMKPGK
> 
> w.w.w...
> 
> POST
> /NfLog/NfStart.asp?ClientId=172.*.*.113%20<3a68>%20218.108.*.*&Nick=KHnpa0210*&dtime=T:5-28-17-58
> HTTP/1.1
> Accept: */*
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR
> 1.1.4322)
> Host: www.vvindow.com
> Content-Length: 36
> Pragma: no-cache
> Cookie: ASPSESSIONIDCQBDQRQB=KGIJAHMDGKKOMBFLMLLMKPGK
> w.w.w...g.o.o.g.l.e...c.o.m...9.9.9.
> 
> 
> Ref:
> 
> http://www.anchiva.com/virus/view.asp?vname=Trojan/Dropper.F9D5!dldr
> 
>>
>> Example:
>>
>> POST /NfLog/Nfile.asp HTTP/1.1
>> Accept: */*
>> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
>> Host: www.microsoftupdata.com
>> Content-Length: 7
>> Cache-Control: no-cache
>>
>> GetFile
>>
>>
>> Best Regards
>>
>>
>>
>>
>> -- 
>> _______________________________
>>
>> Jaime Blasco
>>
>> AlienVault Labs Manager
>>
>> www.ossim.com
>> www.alienvault.com
>> Email: jaime.blasco at alienvault.com
>>
>> http://twitter.com/jaimeblascob
>>
>>
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>