[Emerging-Sigs] NewPosThings Sigs

Darien Huss dhuss at emergingthreats.net
Thu Sep 18 17:27:39 EDT 2014


Thanks Jake, we'll get these into QA! They will go out tomorrow if all is
well.

Regards,
Darien

On Thu, Sep 18, 2014 at 5:23 PM, Jake Warren <jake.warren at masergy.com>
wrote:

> A couple of sigs for the NewPosThings PoS malware.
>
> I was going to roll with a fast pattern on the "Accept" http header
> (content:"Accept|3a 20 3f 2a|"; fast_pattern:only; ) but it looks like the
> malware authors corrected the header in later samples.
>
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NewPosThings CNC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a| Mozilla/4.0(compatible|3b| MSIE 7.0b|3b| Windows NT 6.0)"; fast_pattern:41,20; http_header; content:"cs="; http_client_body; content:"&p="; http_client_body; content:"&m="; http_client_body; reference:md5,ae9899722707fc2c9716138580787026; reference:url,arbornetworks.com/asert/2014/09/lets-talk-about-newposthings/; classtype:trojan-activity; sid:xxxx; rev:1; )
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NewPosThings Data Exfiltration"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a| Mozilla/4.0(compatible|3b| MSIE 7.0b|3b| Windows NT 6.0)"; fast_pattern:41,20; http_header; content:"cs="; http_client_body; content:"&m="; http_client_body; content:"&ls="; http_client_body; reference:md5,4196c67648003a18f61573a77b6d3be6; reference:url,arbornetworks.com/asert/2014/09/lets-talk-about-newposthings/; classtype:trojan-activity; sid:xxxx; rev:1; )
>
> Jake Warren
> www.masergy.com
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
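The following is an added example, not part of Jake's post or the ET ruleset: a plain Python re-implementation of the match conditions in the two rules above, run over constructed HTTP POST requests (the requests, host, URI and parameter values are made up for illustration, not taken from real NewPosThings samples). It also shows why Jake's first idea, a fast pattern on the malformed "Accept: ?*" header, would miss later samples in which the authors corrected that header, while the 20-byte fast pattern selected from the User-Agent content by fast_pattern:41,20 still fires.

```python
"""Re-implementation of the two NewPosThings rules over constructed requests.

Added example for the mailing-list post above; it is not Snort and not the
ET ruleset.  The sample requests below are constructed, not captured traffic.
"""

# Full http_header content match from both rules (pipe-hex bytes expanded).
UA_PATTERN = b"User-Agent: Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0)"

# fast_pattern:41,20 hands bytes 41..60 of that content to the prefilter.
FAST_PATTERN = UA_PATTERN[41:41 + 20]

# The header Jake first considered as a fast pattern; fixed in later samples.
OLD_ACCEPT = b"Accept: ?*"

# msg -> http_client_body content matches.  Without distance/within the
# body contents are independent, so order in the body does not matter.
RULES = {
    "NewPosThings CNC Beacon": (b"cs=", b"&p=", b"&m="),
    "NewPosThings Data Exfiltration": (b"cs=", b"&m=", b"&ls="),
}


def split_request(raw):
    """Return (method, header lines, body) for a raw HTTP/1.x request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0]
    return method, lines[1:], body


def accept_header_match(raw):
    """Jake's rejected approach: match only on the malformed Accept header."""
    _, headers, _ = split_request(raw)
    return OLD_ACCEPT in headers


def match_rules(raw):
    """Evaluate both rules against one request; return the msg of each hit."""
    method, headers, body = split_request(raw)
    if method != b"POST":                       # http_method content:"POST"
        return []
    header_blob = b"\r\n".join(headers)
    if FAST_PATTERN not in header_blob:         # prefilter, as Snort would do
        return []
    if UA_PATTERN not in header_blob:           # full http_header content
        return []
    return [msg for msg, tokens in RULES.items()
            if all(tok in body for tok in tokens)]


def request(headers, body):
    """Build a constructed POST to a hypothetical C2 path (not a real IOC)."""
    head = b"POST /check.php HTTP/1.1\r\nHost: 192.0.2.10\r\n" + headers
    head += b"Content-Type: application/x-www-form-urlencoded\r\n"
    head += b"Content-Length: %d\r\n" % len(body)
    return head + b"\r\n" + body


# Constructed samples.  Early sample: odd UA and malformed Accept header.
BEACON_EARLY = request(
    UA_PATTERN + b"\r\n" + OLD_ACCEPT + b"\r\n",
    b"cs=0123456789&p=1234&m=aabbccddeeff")

# Later sample: same UA, Accept header corrected, exfiltration body.
EXFIL_LATER = request(
    UA_PATTERN + b"\r\nAccept: */*\r\n",
    b"cs=0123456789&m=aabbccddeeff&ls=QUJDREVG")

# Ordinary browser traffic with a similar-looking body: must not match.
BENIGN = request(
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)\r\n"
    b"Accept: */*\r\n",
    b"cs=0123456789&p=1234&m=aabbccddeeff")


def scan(samples):
    """Run both detection approaches over named samples."""
    return {name: (accept_header_match(raw), match_rules(raw))
            for name, raw in samples.items()}


if __name__ == "__main__":
    results = scan({"beacon_early": BEACON_EARLY,
                    "exfil_later": EXFIL_LATER,
                    "benign": BENIGN})
    for name, (accept_hit, ua_hits) in results.items():
        print(f"{name:13s} accept-header rule: {accept_hit!s:5s} "
              f"UA rules: {ua_hits}")
```

With fast_pattern:41,20 the bytes handed to the prefilter are "7.0b; Windows NT 6.0", the tail of the User-Agent content that carries the unusual "7.0b" token; the later sample with the corrected Accept header still hits the UA-based rules, while the Accept-only check sees nothing.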

