[Emerging-Sigs] Upatre change

Steve Eskew SEskew at jackhenry.com
Mon Sep 22 12:08:07 EDT 2014


I think you may be correct.  It looks like my sensor was having issues.  Sorry for the distraction.

Regards,
Packet Sleuth

From: Darien Huss [mailto:dhuss at emergingthreats.net]
Sent: Monday, September 22, 2014 8:27 AM
To: Steve Eskew
Cc: Packet Sleuth; Emerging Sigs
Subject: Re: [Emerging-Sigs] Upatre change

NP, thanks! I haven't looked into this too deeply yet, but as far as I can tell this should be pretty well covered by these two sigs: 2018635, 2018394. Did you happen to see some traffic that we were missing with those two? The problem with covering Upatre via UA-specific sigs is there are so many different UAs, and they seem to change occasionally. At first glance as well, the snort version for this may need to be modified to work on off-HTTP ports (the reference MD5 did some GETs to TCP:17909).
Regards,
Darien

On Mon, Sep 22, 2014 at 8:49 AM, Steve Eskew <SEskew at jackhenry.com> wrote:
Just saw an error in the first one.  What I get for working late.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Upatre Suspicious User-Agent (Installer) with IP Host"; flow:established,to_server; content:"User-Agent|3a20|Installer|0d0a|"; nocase; http_header; pcre:"/^User\x2dAgent\x3a\sInstaller\r\nHost\x3a\s\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b\r\n/Hi"; reference:md5,8f602ab1e9288adbb80a93e50bdbe144; classtype:trojan-activity; sid:xxxxxx; rev:1;)

Packet Sleuth


From: emerging-sigs-bounces at lists.emergingthreats.net [mailto:emerging-sigs-bounces at lists.emergingthreats.net] On Behalf Of Darien Huss
Sent: Monday, September 22, 2014 7:33 AM
To: Packet Sleuth
Cc: Emerging Sigs
Subject: Re: [Emerging-Sigs] Upatre change

Thanks, we'll take a look at these and get them into QA!

Regards,
Darien

On Mon, Sep 22, 2014 at 8:28 AM, Packet Sleuth <p4ck37sleuth at gmail.com> wrote:
Attempted to send this late Friday, but it failed.  Wanted to get it in.  Haven't had time to test them yet.  This is being reported as Upatre by some of the AV vendors when submitted to Virus Total.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Upatre Suspicious User-Agent (Installer) with IP Host"; flow:established,to_server; content:"User-Agent|3a20|Installer|0d0a|"; nocase; http_header; pcre:"/^User\x3a\sInstaller\r\nHost\x3a\s\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b\r\n/Hi"; reference:md5,8f602ab1e9288adbb80a93e50bdbe144; classtype:trojan-activity; sid:xxxxxx; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Upatre downloading purported Tar file"; flow:to_client,established; content:"Content-Type|3a20|application/x-tar|0d0a|"; nocase; http_header; content:"Vary|3a20|"; nocase; http_header; pcre:"/Vary\x3a\x20(Accept-Encoding,)?User-Agent\r\n\r\n/Hi"; reference:md5,8f602ab1e9288adbb80a93e50bdbe144; classtype:trojan-activity; sid:xxxxxx; rev:1;)

Regards,
Packet Sleuth
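The difference between the first-draft pcre and Steve's corrected one is easiest to see by running both over sample header blocks. This is an added example, not code from the thread or from the ET ruleset: it emulates the rule's nocase content match followed by the pcre in Python, assumes Snort's http_header buffer holds the header fields only (no request line), and all header blocks and the 192.0.2.10 address are constructed.

```python
import re

# Constructed samples of the request-header block, i.e. what Snort's
# http_header buffer holds (header fields only, no request line). 192.0.2.10
# is a documentation-range address standing in for the IP-literal Host.
INSTALLER_IP_HOST = (
    "User-Agent: Installer\r\n"
    "Host: 192.0.2.10\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)
INSTALLER_NAME_HOST = "User-Agent: Installer\r\nHost: example.com\r\n\r\n"
BROWSER_IP_HOST = "User-Agent: Mozilla/5.0\r\nHost: 192.0.2.10\r\n\r\n"
HOST_BEFORE_UA = "Host: 192.0.2.10\r\nUser-Agent: Installer\r\n\r\n"

# content:"User-Agent|3a20|Installer|0d0a|"; nocase; -- |..| pairs are hex bytes.
CONTENT_MATCH = "User-Agent: Installer\r\n"

# The two pcre bodies from the thread, without Snort's /Hi flags (H selects the
# header buffer, which is passed directly here; i becomes re.IGNORECASE).
FIRST_DRAFT_PCRE = (r"^User\x3a\sInstaller\r\nHost\x3a\s"
                    r"\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b\r\n")
CORRECTED_PCRE = (r"^User\x2dAgent\x3a\sInstaller\r\nHost\x3a\s"
                  r"\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b\r\n")


def rule_fires(header_block: str, pcre: str) -> bool:
    """Emulate the rule's payload options: the nocase content match must hit,
    then the pcre must match the same header buffer."""
    if CONTENT_MATCH.lower() not in header_block.lower():
        return False
    return re.search(pcre, header_block, re.IGNORECASE) is not None


def evaluate(pcre: str) -> dict:
    """Run one pcre over every constructed sample, keyed by sample name."""
    samples = {
        "installer_ip_host": INSTALLER_IP_HOST,
        "installer_name_host": INSTALLER_NAME_HOST,
        "browser_ip_host": BROWSER_IP_HOST,
        "host_before_ua": HOST_BEFORE_UA,
    }
    return {name: rule_fires(block, pcre) for name, block in samples.items()}


if __name__ == "__main__":
    for label, pcre in (("first draft", FIRST_DRAFT_PCRE),
                        ("corrected", CORRECTED_PCRE)):
        print(label, evaluate(pcre))
```

The first draft never fires because `^User\x3a` expects the buffer to start with `User:`; the corrected pcre fires only on the Installer UA with an IP-literal Host, and the `^` anchor plus the literal `\r\nHost` also mean it misses traffic where User-Agent is not the first header or Host does not directly follow it.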

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs at lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net


NOTICE: This electronic mail message and any files transmitted with it are intended
exclusively for the individual or entity to which it is addressed. The message,
together with any attachment, may contain confidential and/or privileged information.
Any unauthorized review, use, printing, saving, copying, disclosure or distribution
is strictly prohibited. If you have received this message in error, please
immediately advise the sender by reply email and delete all copies.