[Emerging-Sigs] NewPosThings Sigs

Jake Warren jake.warren at masergy.com
Thu Sep 18 17:23:16 EDT 2014


A couple of sigs for the NewPosThings PoS malware.

I was going to roll with a fast pattern on the "Accept" HTTP header
(content:"Accept|3a 20 3f 2a|"; fast_pattern:only; ) but it looks like the
malware authors corrected the header in later samples.


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NewPosThings CNC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a| Mozilla/4.0(compatible|3b| MSIE 7.0b|3b| Windows NT 6.0)"; fast_pattern:41,20; http_header; content:"cs="; http_client_body; content:"&p="; http_client_body; content:"&m="; http_client_body; reference:md5,ae9899722707fc2c9716138580787026; reference:url,arbornetworks.com/asert/2014/09/lets-talk-about-newposthings/; classtype:trojan-activity; sid:xxxx; rev:1; )

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NewPosThings Data Exfiltration"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a| Mozilla/4.0(compatible|3b| MSIE 7.0b|3b| Windows NT 6.0)"; fast_pattern:41,20; http_header; content:"cs="; http_client_body; content:"&m="; http_client_body; content:"&ls="; http_client_body; reference:md5,4196c67648003a18f61573a77b6d3be6; reference:url,arbornetworks.com/asert/2014/09/lets-talk-about-newposthings/; classtype:trojan-activity; sid:xxxx; rev:1; )

Jake Warren
www.masergy.com
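Added example, not part of Jake's post or of any ET ruleset: a small Python harness that applies the same match logic as the two rules above (POST method, the exact User-Agent header content, and the cs=/&p=/&m= or cs=/&m=/&ls= client-body tokens) to constructed HTTP requests, and slices out the 20 bytes that fast_pattern:41,20 hands to the prefilter so you can see which part of the User-Agent is doing the work. The request path, hostname, Accept values and all form-field values in the samples are made up for illustration; only the header string and the body field names come from the rules.

```python
"""Replay the NewPosThings rule logic over constructed HTTP requests."""

# Header content the rules match in the http_header buffer. Note the
# missing space in "Mozilla/4.0(compatible" and the "7.0b" beta version.
NPT_UA_VALUE = b"Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0)"
NPT_USER_AGENT = b"User-Agent: " + NPT_UA_VALUE

# fast_pattern:41,20 selects bytes 41..60 of that content for the
# multi-pattern matcher; everything else is verified only on a hit.
FAST_PATTERN = NPT_USER_AGENT[41:41 + 20]

# Client-body tokens per rule; every token must be present.
RULES = {
    "NewPosThings CNC Beacon": (b"cs=", b"&p=", b"&m="),
    "NewPosThings Data Exfiltration": (b"cs=", b"&m=", b"&ls="),
}

# "Accept: ?*" (the |3a 20 3f 2a| bytes) from the earlier samples.
MALFORMED_ACCEPT = b"Accept: ?*"


def split_request(raw: bytes):
    """Return (method, header block, body) or None if not a full request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    request_line, _, headers = head.partition(b"\r\n")
    method = request_line.split(b" ", 1)[0]
    return method, headers, body


def match_rules(raw: bytes):
    """Names of the rules above that would fire on this request."""
    parsed = split_request(raw)
    if parsed is None:
        return []
    method, headers, body = parsed
    if method != b"POST":                      # content:"POST"; http_method;
        return []
    if NPT_USER_AGENT not in headers:          # content:"User-Agent|3a| ..."; http_header;
        return []
    return [name for name, tokens in RULES.items()
            if all(tok in body for tok in tokens)]   # http_client_body contents


def has_malformed_accept(raw: bytes) -> bool:
    """The dropped Accept-header idea: only early samples carry 'Accept: ?*'."""
    parsed = split_request(raw)
    return parsed is not None and MALFORMED_ACCEPT in parsed[1]


def build_post(user_agent: bytes, accept: bytes, body: bytes) -> bytes:
    """Build a constructed POST; path and host are placeholders."""
    return (b"POST /gateway.php HTTP/1.1\r\n"
            b"Host: example.invalid\r\n"
            b"User-Agent: " + user_agent + b"\r\n"
            b"Accept: " + accept + b"\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            b"\r\n" + body)


# Constructed samples (field values are invented).
EARLY_BEACON = build_post(NPT_UA_VALUE, b"?*", b"cs=1001&p=POS-LANE-01&m=00-11-22-33-44-55")
LATER_BEACON = build_post(NPT_UA_VALUE, b"*/*", b"cs=1001&p=POS-LANE-01&m=00-11-22-33-44-55")
EXFIL = build_post(NPT_UA_VALUE, b"*/*", b"cs=1001&m=00-11-22-33-44-55&ls=dHJhY2sxZGF0YQ==")
# A real IE7 UA has the space after "Mozilla/4.0" and no "b" on 7.0.
BENIGN = build_post(b"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)", b"*/*",
                    b"cs=1&p=2&m=3&ls=4")


if __name__ == "__main__":
    print("fast pattern bytes:", FAST_PATTERN)
    for label, req in [("early beacon", EARLY_BEACON), ("later beacon", LATER_BEACON),
                       ("exfil", EXFIL), ("benign IE7", BENIGN)]:
        print(f"{label:13} accept-malformed={has_malformed_accept(req)!s:5} "
              f"rules={match_rules(req)}")
```

The later-sample beacon still trips the User-Agent plus body rules even though its Accept header has been corrected, which is the reason the rules key on the User-Agent rather than on Accept. The harness does only literal substring checks the way the rules do; it does not reproduce Snort's HTTP normalization, so treat it as a check of the rule logic, not of the preprocessor.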

