[Emerging-Sigs] Upatre change

Darien Huss dhuss at emergingthreats.net
Mon Sep 22 09:27:08 EDT 2014


NP, thanks! I haven't looked into this too deeply yet, but as far as I can
tell this should be pretty well covered by these two sigs: 2018635,
2018394. Did you happen to see some traffic that we were missing with those
two? The problem with covering Upatre via UA specific sigs is there are so
many different UAs, and they seem to change occasionally. At first glance
as well the snort version for this may need to be modified to work on off-HTTP
ports (the reference MD5 did some GETs to TCP:17909).

Regards,
Darien

On Mon, Sep 22, 2014 at 8:49 AM, Steve Eskew <SEskew at jackhenry.com> wrote:

>  Just saw an error in the first one.  What I get for working late.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Upatre Suspicious User-Agent (Installer) with IP Host";
> flow:established,to_server; content:"User-Agent|3a20|Installer|0d0a|";
> nocase; http_header; pcre:
> "/^User\x2dAgent\x3a\sInstaller\r\nHost\x3a\s\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b\r\n/Hi";
> reference:md5,8f602ab1e9288adbb80a93e50bdbe144; classtype:trojan-activity;
> sid:xxxxxx; rev:1;)
>
> Packet Sleuth
>
> *From:* emerging-sigs-bounces at lists.emergingthreats.net [mailto:
> emerging-sigs-bounces at lists.emergingthreats.net] *On Behalf Of *Darien
> Huss
> *Sent:* Monday, September 22, 2014 7:33 AM
> *To:* Packet Sleuth
> *Cc:* Emerging Sigs
> *Subject:* Re: [Emerging-Sigs] Upatre change
>
> Thanks, we'll take a look at these and get them into QA!
>
> Regards,
> Darien
>
> On Mon, Sep 22, 2014 at 8:28 AM, Packet Sleuth <p4ck37sleuth at gmail.com>
> wrote:
>
>  Attempted to send this late Friday, but it failed.  Wanted to get it
> in.  Haven't had time to test them yet.  This is being reported as Upatre
> by some of the AV vendors when submitted to Virus Total.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Upatre Suspicious User-Agent (Installer) with IP Host";
> flow:established,to_server; content:"User-Agent|3a20|Installer|0d0a|";
> nocase; http_header; pcre:
> "/^User\x3a\sInstaller\r\nHost\x3a\s\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b\r\n/Hi";
> reference:md5,8f602ab1e9288adbb80a93e50bdbe144; classtype:trojan-activity;
> sid:xxxxxx; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN
> Upatre downloading purported Tar file"; flow:to_client,established;
> content: "Content-Type|3a20|application/x-tar|0d0a|"; nocase; http_header;
> content: "Vary|3a20|"; nocase; http_header; pcre:
> "/Vary\x3a\x20(Accept-Encoding,)?User-Agent\r\n\r\n/Hi";
> reference:md5,8f602ab1e9288adbb80a93e50bdbe144; classtype: trojan-activity;
> sid:xxxxxx; rev:1;)
>
> Regards,
>
> Packet Sleuth
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
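An added example, not part of the thread or of the ET ruleset: the Python script below lifts the three PCREs from the posted rules (the corrected User-Agent/IP-Host pattern, the first version that was flagged as wrong, and the response-side Vary pattern) and runs them over constructed HTTP messages. The `header_buffer` helper is an assumption: it approximates the engine's `http_header` buffer as the header lines after the request/status line, including the terminating blank line, which is close enough to show why each pattern does or does not fire. All sample requests and responses are constructed for this example, not captures.

```python
import re

# PCRE from the corrected rule (/.../Hi): H selects the HTTP header buffer,
# i makes the match case-insensitive.
UA_IP_HOST_FIXED = re.compile(
    r"^User\x2dAgent\x3a\sInstaller\r\nHost\x3a\s\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b\r\n",
    re.IGNORECASE)

# PCRE from the first version of the rule, later flagged as an error:
# it anchors on a header literally named "User" rather than "User-Agent".
UA_IP_HOST_ORIGINAL = re.compile(
    r"^User\x3a\sInstaller\r\nHost\x3a\s\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b\r\n",
    re.IGNORECASE)

# PCRE from the response-side "purported Tar file" rule.
TAR_VARY = re.compile(
    r"Vary\x3a\x20(Accept-Encoding,)?User-Agent\r\n\r\n", re.IGNORECASE)

# Constructed samples (assumed shapes, not traffic from the reference sample).
REQ_UA_FIRST = (b"GET /x.bin HTTP/1.1\r\n"
                b"User-Agent: Installer\r\n"
                b"Host: 192.0.2.10\r\n"
                b"\r\n")
REQ_HOST_FIRST = (b"GET /x.bin HTTP/1.1\r\n"
                  b"Host: 192.0.2.10\r\n"
                  b"User-Agent: Installer\r\n"
                  b"\r\n")
REQ_NAMED_HOST = (b"GET /x.bin HTTP/1.1\r\n"
                  b"User-Agent: Installer\r\n"
                  b"Host: updates.example.net\r\n"
                  b"\r\n")
RESP_TAR_VARY_LAST = (b"HTTP/1.1 200 OK\r\n"
                      b"Content-Type: application/x-tar\r\n"
                      b"Vary: Accept-Encoding,User-Agent\r\n"
                      b"\r\n"
                      b"payload...")
RESP_TAR_VARY_MID = (b"HTTP/1.1 200 OK\r\n"
                     b"Content-Type: application/x-tar\r\n"
                     b"Vary: User-Agent\r\n"
                     b"Server: example\r\n"
                     b"\r\n"
                     b"payload...")


def header_buffer(raw_message: bytes) -> str:
    """Assumed approximation of the engine's http_header buffer: every header
    line after the request/status line, plus the CRLF CRLF that ends them."""
    head, sep, _body = raw_message.partition(b"\r\n\r\n")
    _first_line, _, headers = head.partition(b"\r\n")
    return (headers + sep).decode("latin-1")


def matches(pattern: "re.Pattern[str]", raw_message: bytes) -> bool:
    """True if the rule's PCRE would fire on this message's header buffer."""
    return pattern.search(header_buffer(raw_message)) is not None


def evaluate_samples() -> dict:
    """Run each pattern over the constructed samples."""
    return {
        # corrected pattern: fires only when User-Agent is the first header
        # and Host is a dotted-quad literal
        "fixed_ua_first": matches(UA_IP_HOST_FIXED, REQ_UA_FIRST),
        "fixed_host_first": matches(UA_IP_HOST_FIXED, REQ_HOST_FIRST),
        "fixed_named_host": matches(UA_IP_HOST_FIXED, REQ_NAMED_HOST),
        # first version: never fires, there is no header named "User"
        "original_ua_first": matches(UA_IP_HOST_ORIGINAL, REQ_UA_FIRST),
        # response rule: Vary must be the last header before the blank line
        "tar_vary_last": matches(TAR_VARY, RESP_TAR_VARY_LAST),
        "tar_vary_mid": matches(TAR_VARY, RESP_TAR_VARY_MID),
    }


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name:20s} {'ALERT' if fired else 'no match'}")
```

Two things the run makes visible beyond the typo the thread already caught: the leading `^` ties the corrected pattern to User-Agent being the very first header line, so a client that sends Host first slips past it, and the `\r\n\r\n` in the response pattern only matches when Vary is the final header. Both are reasons the thread's note about UA-specific coverage being brittle applies here, on top of the `$HTTP_PORTS` restriction that would miss the GETs to TCP:17909 mentioned above.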