[Emerging-Sigs] SIGS: Multiple APT.Backdoor Sigs (APT12 Fireeye/Arbor)

Darien Huss dhuss at emergingthreats.net
Thu Sep 4 08:57:14 EDT 2014


Thanks Kevin, we'll get these into QA!

Regards,
Darien


On Thu, Sep 4, 2014 at 4:18 AM, Kevin Ross <kevross33 at googlemail.com> wrote:

> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Hightide.APT Backdoor CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/?"; http_uri; depth:2; content:"Referer|3A| http|3A|//www.google.com/|0D 0A|"; http_header; fast_pattern:13,18; content:"User-Agent|3A| Mozilla/5.0 (compatible|3B| MSIE 8.0|3B| windows NT 5.1|3B| Trident/5.0)"; http_header; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/sm"; classtype:trojan-activity; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.html; sid:198381; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Riptide.APT Backdoor CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/image/"; http_uri; depth:7; pcre:"/^\x2Fimage\x2F[^\x2F]*\x2Ejpg$/U"; content:"Referer|3A| http|3A|//www.google.com/|0D 0A|"; http_header; fast_pattern:13,18; content:"User-Agent|3A| Mozilla/5.0 (compatible|3B| MSIE 8.0|3B| windows NT 5.1|3B| Trident/5.0)"; http_header; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/sm"; classtype:trojan-activity; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.html; reference:url,www.arbornetworks.com/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf; sid:198382; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Threebyte.APT Backdoor CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:!"Referer|3A|"; http_header; content:"/UID"; fast_pattern; http_uri; depth:4; content:".jsp?"; http_uri; content:"HTTP/1.1 User-Agent|3A| Mozilla/5.0 (compatible|3B| MSIE 8.0|3B| windows NT 5.1|3B| Trident/5.0)|0D 0A|Host|3A| "; content:"|0D 0A|Connection|3A| Keep-Alive|0D 0A 0D 0A|"; classtype:trojan-activity; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.html; sid:198383; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Waterspout.APT Backdoor CnC Beacon"; flow:established,to_server; content:".php?"; http_uri; content:"_id="; fast_pattern; http_uri; distance:3; within:4; content:"= HTTP/1.1|0D 0A|Accept|3A| image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*|0D 0A|User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Windows NT 6.1|3B| Trident/4.0|3B| SLCC2|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.5.30729|3B| .NET CLR 3.0.30729|3B| .NET4.0C|3B| .NET4.0E)|0D 0A|Host|3A 20|"; pcre:"/^\x2F[^\x2F]*\x2F\d{5}\x2F[a-z]{4}\x2Ephp\x3F[a-z]{3}\x5Fid\x3D[a-z]\x3D$/Ui"; classtype:trojan-activity; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.html; sid:198384; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Etumbot.APT Backdoor CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/history/"; http_uri; depth:9; fast_pattern; content:".asp"; http_uri; pcre:"/^\x2Fhistory\x2F[^\x2F]*\x2Easp$/U"; content:"Referer|3A| http|3A|//www.google.com/|0D 0A|"; http_header; content:"User-Agent|3A| Mozilla/5.0 (compatible|3B| MSIE 8.0|3B| windows NT 5.1|3B| Trident/5.0)"; http_header; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/sm"; classtype:trojan-activity; reference:url,www.arbornetworks.com/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf; sid:198385; rev:1;)
>
> Kind Regards,
> Kevin Ross
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
>
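The following is an added example, not part of Kevin's post and not code from the ET ruleset: a small Python harness that re-implements each of the five rules' content, depth/distance/within and pcre conditions and runs them over constructed sample requests (RFC 5737 addresses, not captured traffic), so the rule logic can be checked offline before a sensor is involved. All function and sample names are this example's own. Two details are easier to see in code than in the rule text: the Threebyte and Waterspout rules match unbuffered content against the raw payload because the beacon runs the request line straight into User-Agent, and the unbuffered Host pcre on the Hightide, Riptide and Etumbot rules is what keeps a Google-referred request to a hostname from firing, which the "domain host" near-miss sample exercises.

```python
import re

# Header strings the five rules anchor on, spelled out from their |hex| escapes.
UA_XP = b"User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; windows NT 5.1; Trident/5.0)"
UA_W7 = (b"User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; "
         b".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)")
ACCEPT_W7 = (b"Accept: image/jpeg, application/x-ms-application, image/gif, "
             b"application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*\r\n")
REFERER_GOOGLE = b"Referer: http://www.google.com/\r\n"
# Unbuffered pcre in the rules: matched against the whole payload, not a normalized buffer.
HOST_IS_IP = re.compile(rb"Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}", re.S | re.M)
RIPTIDE_URI = re.compile(rb"^/image/[^/]*\.jpg$")
ETUMBOT_URI = re.compile(rb"^/history/[^/]*\.asp$")
WATERSPOUT_URI = re.compile(rb"^/[^/]*/\d{5}/[a-z]{4}\.php\?[a-z]{3}_id=[a-z]=$", re.I)


def parse_request(raw):
    """Return (method, uri, header_block) from a raw request. The header block keeps
    each line's CRLF so the |0D 0A|-terminated contents can be checked literally."""
    head = raw.partition(b"\r\n\r\n")[0]
    request_line, _, header_lines = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    method = parts[0] if parts else b""
    uri = parts[1] if len(parts) > 1 else b""
    headers = header_lines + b"\r\n" if header_lines else b""
    return method, uri, headers


def _google_referer_xp_ua_ip_host(headers, raw):
    """Shared tail of the Hightide, Riptide and Etumbot rules."""
    return REFERER_GOOGLE in headers and UA_XP in headers and HOST_IS_IP.search(raw) is not None


def sig_hightide(method, uri, headers, raw):
    return method == b"GET" and uri.startswith(b"/?") and _google_referer_xp_ua_ip_host(headers, raw)


def sig_riptide(method, uri, headers, raw):
    return (method == b"GET" and uri.startswith(b"/image/") and RIPTIDE_URI.match(uri) is not None
            and _google_referer_xp_ua_ip_host(headers, raw))


def sig_threebyte(method, uri, headers, raw):
    # The beacon puts User-Agent on the request line (space, no CRLF), so the rule's
    # unbuffered contents are checked against the raw payload.
    return (method == b"GET" and b"Referer:" not in headers
            and uri.startswith(b"/UID") and b".jsp?" in uri
            and (b"HTTP/1.1 " + UA_XP + b"\r\nHost: ") in raw
            and b"\r\nConnection: Keep-Alive\r\n\r\n" in raw)


def sig_waterspout(method, uri, headers, raw):
    p = uri.find(b".php?")
    if p < 0:
        return False
    p += len(b".php?")
    if uri[p + 3:p + 7] != b"_id=":   # distance:3; within:4 relative to ".php?"
        return False
    return (WATERSPOUT_URI.match(uri) is not None
            and (b"= HTTP/1.1\r\n" + ACCEPT_W7 + UA_W7 + b"\r\nHost: ") in raw)


def sig_etumbot(method, uri, headers, raw):
    return (method == b"GET" and uri.startswith(b"/history/") and b".asp" in uri
            and ETUMBOT_URI.match(uri) is not None and _google_referer_xp_ua_ip_host(headers, raw))


RULES = {"Hightide": sig_hightide, "Riptide": sig_riptide, "Threebyte": sig_threebyte,
         "Waterspout": sig_waterspout, "Etumbot": sig_etumbot}


def match_rules(raw):
    """Names of the rules whose conditions the raw request satisfies."""
    method, uri, headers = parse_request(raw)
    return [name for name, fn in RULES.items() if fn(method, uri, headers, raw)]


# Constructed sample requests (RFC 5737 test addresses), not captured traffic.
SAMPLES = {
    "Hightide": b"GET /?AAAABBBB HTTP/1.1\r\nHost: 192.0.2.10\r\n" + UA_XP + b"\r\n" + REFERER_GOOGLE + b"\r\n",
    "Riptide": b"GET /image/7f3a.jpg HTTP/1.1\r\nHost: 198.51.100.7\r\n" + UA_XP + b"\r\n" + REFERER_GOOGLE + b"\r\n",
    "Threebyte": b"GET /UID0001.jsp?a=1 HTTP/1.1 " + UA_XP + b"\r\nHost: 203.0.113.5\r\nConnection: Keep-Alive\r\n\r\n",
    "Waterspout": b"GET /abc/12345/wxyz.php?abc_id=k= HTTP/1.1\r\n" + ACCEPT_W7 + UA_W7 + b"\r\nHost: 192.0.2.44\r\n\r\n",
    "Etumbot": b"GET /history/3c1d.asp HTTP/1.1\r\nHost: 198.51.100.9\r\n" + UA_XP + b"\r\n" + REFERER_GOOGLE + b"\r\n",
    # Near miss: Hightide shape, but Host is a name, so the IP-literal pcre keeps the rule quiet.
    "Hightide-domain-host": b"GET /?AAAABBBB HTTP/1.1\r\nHost: cdn.example.net\r\n" + UA_XP + b"\r\n" + REFERER_GOOGLE + b"\r\n",
    "benign": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/31.0\r\n" + REFERER_GOOGLE + b"\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(f"{label:22s} -> {match_rules(request)}")
```

Run it directly to print which rule each sample trips; when a rule is revised, drop the requests pulled from a pcap into SAMPLES and re-run before sending the change to QA.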