[Emerging-Sigs] False Positive [ET] , ET TROJAN MWI Maldoc Stats Callout Aug 18

Maxim Maxim.Parpaley at netwatcher.com
Thu Dec 7 00:56:33 HST 2017


Hello,

We are dealing with an FP for ET TROJAN MWI Maldoc Stats Callout Aug 18

Suggestion:

False Positive: YES

- sellercore.com sells templates for auction postings. This is likely a Word template which calls out to the triggering URL.

- curl against the URL with the same User-Agent returns identical content.

- The associated picture/business has an eBay presence.

- Many other businesses have similar images on sellercore.com.

PCAP:

GET /image.php?id=17262 HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Microsoft Outlook 16.0.8625; Microsoft Outlook 16.0.8625; ms-office; MSOffice 16)
Accept-Encoding: gzip, deflate
Host: sellercore.com
Connection: Keep-Alive

HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=iso-8859-1
Content-Length: 249
Connection: keep-alive
Keep-Alive: timeout=15
Date: Wed, 06 Dec 2017 17:36:43 GMT
Server: Apache
Location: https://sellercore.com/image.php?id=17262
Cache-Control: max-age=2592000
Expires: Fri, 05 Jan 2018 17:36:43 GMT

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://sellercore.com/image.php?id=17262">here</a>.</p>
</body></html>



Thank you,
Best Regards,
Maxim


From: Jason Williams [mailto:jwilliams at emergingthreats.net]
Sent: Wednesday, December 6, 2017 5:34 PM
To: Maxim <Maxim.Parpaley at netwatcher.com>
Subject: Re: [Emerging-Sigs] Emerging-sigs Digest, Vol 121, Issue 5

A fix for this will go out with today's release. Please let me know if you continue to see FPs on this guy.

Thanks!

Jason

On Wed, Dec 6, 2017 at 5:31 AM, Maxim <Maxim.Parpaley at netwatcher.com> wrote:
Hello,

Looks like we are dealing with FP for:
TROJAN Possible Sharik/Smoke Loader Microsoft Connectivity Check

During a simple request to support.microsoft.com the rule triggers.

PCAP details:

GET /kb/949104 HTTP/1.1
Host: support.microsoft.com
Connection: Keep-Alive

HTTP/1.1 301 Moved Permanently
Server: AkamaiGHost
Content-Length: 0
Location: https://support.microsoft.com/kb/949104
Expires: Wed, 06 Dec 2017 10:20:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 06 Dec 2017 10:20:59 GMT
Connection: keep-alive
Set-Cookie: sXXXXXX; path=/; domain=.microsoft.com



Thank you,
Best Regards
Maxim

-----Original Message-----
From: Emerging-sigs [mailto:emerging-sigs-bounces at lists.emergingthreats.net] On Behalf Of emerging-sigs-request at lists.emergingthreats.net
Sent: Wednesday, December 6, 2017 9:57 AM
To: emerging-sigs at lists.emergingthreats.net
Subject: Emerging-sigs Digest, Vol 121, Issue 5

Send Emerging-sigs mailing list submissions to
        emerging-sigs at lists.emergingthreats.net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
or, via email, send a message with subject or body 'help' to
        emerging-sigs-request at lists.emergingthreats.net

You can reach the person managing the list at
        emerging-sigs-owner at lists.emergingthreats.net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Emerging-sigs digest..."


Today's Topics:

   1. Announcing Suricata-Update (Jason Ish)
   2. Daily Ruleset Update Summary 2017/12/05 (Travis Green)
   3. Rules for detect Oneplus sending data to open.oneplus.net
      (Arnold Chan)
   4. Suricata 3.2.5 released (Victor Julien)


----------------------------------------------------------------------

Message: 1
Date: Tue, 5 Dec 2017 14:00:54 -0600
From: Jason Ish <ish at unx.ca>
To: emerging-sigs at lists.emergingthreats.net
Subject: [Emerging-Sigs] Announcing Suricata-Update
Message-ID: <e63250ec-583f-fa45-b8ab-33aff850813f at unx.ca>
Content-Type: text/plain; charset=utf-8; format=flowed

We are excited to announce the first alpha release of our new tool for updating Suricata rules. This is a new rule update tool specifically built for Suricata with a goal of being useful out of the box, even with no configuration.

This release also introduces the Suricata Intel Index, which is currently a list of available rule sources which Suricata-Update is aware of. The idea here is to make it easier for users to find available rule sets, as well as allowing rule writers to make their rules more discoverable.

Features include:

  * Default to Emerging Threats Open ruleset if no configuration
    provided.
  * Automatic discovery of Suricata version for use in ruleset URLs.
  * Flowbit resolution
  * Enable, disable, drop and modify filters that should be familiar to
    users of Pulled Pork and Oinkmaster.
  * Easy enabling of additional rule sets from the index.

We invite all interested users to checkout the Quick Start documentation, and leave us feedback on the Suricata-Update issue tracker.

If you are a rule writer and would like to get listed in the index, please leave a ticket in the issue tracker.

Quick Start Documentation
   http://suricata-update.readthedocs.io/en/1.0.0a1/quickstart.html

Github Project Page
   https://github.com/OISF/suricata-update

Issue Tracker
   https://redmine.openinfosecfoundation.org/projects/suricata-update

--
Jason Ish


------------------------------

Message: 2
Date: Tue, 5 Dec 2017 15:37:57 -0700
From: Travis Green <tgreen at emergingthreats.net>
To: "emerging-sigs at emergingthreats.net"
        <emerging-sigs at emergingthreats.net>, Emerging-updates redirect
        <emerging-updates at emergingthreats.net>, ETPro-sigs List
        <etpro-sigs at emergingthreatspro.com>
Subject: [Emerging-Sigs] Daily Ruleset Update Summary 2017/12/05
Message-ID:
        <CAKgkF6nsiN77cAnLDO4YebM-3ZNUEmLEYF8ojiO+M_D8KEyQng at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

[***]            Summary:            [***]

4 new Open, 18 new Pro (4 + 14). SluttyPutty UA, Smoke Loader Update,
Reaver C2, Various Phishing, Various Mobile.

Thanks: @AttackDetection

[+++]          Added rules:          [+++]

Open:

 2025118 - ET TROJAN Observed SluttyPutty Maldoc User-Agent (trojan.rules)
 2025119 - ET TROJAN Sharik/Smoke CnC Beacon 7 (trojan.rules)
 2025120 - ET TROJAN Possible Sharik/Smoke Loader Microsoft Connectivity
check (trojan.rules)
 2025121 - ET TROJAN MewsSpy.AE Onion Domain (cxkefbwo7qcmlelb in DNS
Lookup) (trojan.rules)

Pro:

 2828789 - ETPRO TROJAN Reaver C2 Checkin Command (trojan.rules)
 2828790 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.gen CnC
Beacon (mobile_malware.rules)
 2828791 - ETPRO MOBILE_MALWARE Android/Guerrilla.AM Checkin
(mobile_malware.rules)
 2828792 - ETPRO MOBILE_MALWARE Android/SMForw.RA SMS Exfil via SMTP
(mobile_malware.rules)
 2828793 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.ff Reporting
Infection via SMTP (mobile_malware.rules)
 2828794 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.kj Contact
Exfil via SMTP (mobile_malware.rules)
 2828795 - ETPRO TROJAN Observed Malicious SSL Cert (Likely Pentester CnC)
(trojan.rules)
 2828796 - ETPRO TROJAN Molerats/GazaHacker Checkin M2 (trojan.rules)
 2828797 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2017-12-05 1) (trojan.rules)
 2828798 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2017-12-05 2) (trojan.rules)
 2828799 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2017-12-05 3) (trojan.rules)
 2828800 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2017-12-05 4) (trojan.rules)
 2828801 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2017-12-05 5) (trojan.rules)
 2828802 - ETPRO CURRENT_EVENTS Successful Chase Phish 2017-12-05
(current_events.rules)


[///]     Modified active rules:     [///]

 2017060 - ET EXPLOIT SolusVM 1.13.03 SQL injection (exploit.rules)


[---]         Removed rules:         [---]

 2814971 - ETPRO TROJAN Liudoor Handshake Init (trojan.rules)
 2814972 - ETPRO TROJAN Liudoor Handshake Successful (trojan.rules)
 2814973 - ETPRO TROJAN Liudoor Sending Shell (trojan.rules)
 2814974 - ETPRO TROJAN Liudoor Handshake Failed (trojan.rules)
 2821585 - ETPRO MOBILE_MALWARE Trojan-Ransom.AndroidOS.Congur.al Checkin
(mobile_malware.rules)


--
PGP: 0xBED7B297
<https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>

------------------------------

Message: 3
Date: Wed, 6 Dec 2017 12:40:16 +1100
From: Arnold Chan <arnold at midnightslayer.com>
To: Emerging-sigs at lists.emergingthreats.net
Subject: [Emerging-Sigs] Rules for detect Oneplus sending data to
        open.oneplus.net
Message-ID:
        <CAMOON1K3ha_G66c=c+nEMpJawgrz-jLDam+d2L3Xmd5COfr0Bg at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Hi,

Is it possible to create rules that'll be useful to detect OnePlus phones
that possibly trigger the data leakage DNS (OnePlus sending data to
open.oneplus.net)?

https://thehackernews.com/2017/10/oneplus-oxygenos-analytics-data.html
https://thehackernews.com/2017/11/oneplus-root-exploit.html


I recall there's something similar for the Xiaomi phone data leakage DNS policy
rule.

alert udp any any -> any 53 (msg:"ET POLICY possible Xiaomi phone data leakage DNS"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|api|07|account|06|xiaomi|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,thehackernews.com/2014/08/xiaomi-phones-secretly-sending-users.html; classtype:policy-violation; sid:2018918; rev:1; metadata:created_at 2014_08_11, updated_at 2014_08_11;)



Kind Regards,

Arnold

IMPORTANT: This email and any attachments may be confidential and
privileged. If you have received this email in error, please contact the
sender and delete all copies immediately. Any unauthorised use,
dissemination, forwarding, printing, or copying of this email is strictly
prohibited. This communication may contain confidential or copyright
information.

Think before you print.
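An added example (not code from the thread or from Emerging Threats) showing how the two content matches in the Xiaomi rule quoted above work against a DNS query payload, and how the same QNAME label encoding yields the content string for another hostname such as open.oneplus.net. The query packets are constructed inline; HEADER_MATCH, build_query and rule_matches are names chosen here, not Suricata API.

```python
import struct

# First content match of the quoted rule, with its offset:2 / depth:10 modifiers:
# flags 0x0100 (standard query, recursion desired), QDCOUNT=1, AN/NS/AR=0,
# i.e. the DNS header with the 2-byte transaction ID skipped.
HEADER_MATCH = bytes.fromhex("01000001000000000000")
HEADER_OFFSET = 2
HEADER_DEPTH = 10


def qname_wire(hostname: str) -> bytes:
    """Encode a hostname as DNS wire-format labels: length byte + label, NUL-terminated."""
    labels = hostname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def suricata_content(hostname: str) -> str:
    """Render that QNAME in Suricata content syntax, e.g. |03|api|07|account|06|xiaomi|03|com|00|."""
    labels = hostname.rstrip(".").split(".")
    return "".join("|%02x|%s" % (len(l), l) for l in labels) + "|00|"


def build_query(hostname: str, flags: int = 0x0100, txid: int = 0x1234) -> bytes:
    """Constructed sample UDP payload: a one-question DNS query for hostname (QTYPE A, QCLASS IN)."""
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + qname_wire(hostname) + struct.pack(">HH", 1, 1)


def rule_matches(payload: bytes, hostname: str) -> bool:
    """Apply the rule's two content checks to a UDP payload sent to port 53."""
    # content 1: with offset:2 and depth:10, Suricata only searches payload[2:12].
    window = payload[HEADER_OFFSET:HEADER_OFFSET + HEADER_DEPTH]
    pos = window.find(HEADER_MATCH)
    if pos < 0:
        return False
    # content 2 with distance:0 and nocase: must start at or after the end of
    # the previous match; the ASCII labels are compared case-insensitively.
    end = HEADER_OFFSET + pos + len(HEADER_MATCH)
    return qname_wire(hostname).lower() in payload[end:].lower()
```

Because the header match excludes the transaction ID and requires QDCOUNT=1 with zero answer records, a response (flags 0x8180) for the same name does not match, which is why the rule fires on the outbound lookup only.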

------------------------------

Message: 4
Date: Wed, 6 Dec 2017 08:56:52 +0100
From: Victor Julien <victor at inliniac.net>
To: "emerging-sigs at emergingthreats.net"
        <Emerging-sigs at emergingthreats.net>
Subject: [Emerging-Sigs] Suricata 3.2.5 released
Message-ID: <1dd8611c-e566-58f9-600e-962bf8ed8b41 at inliniac.net>
Content-Type: text/plain; charset=utf-8

We're pleased to announce *Suricata 3.2.5*. This release fixes a number
of issues.

Get the release here:
https://www.openinfosecfoundation.org/download/suricata-3.2.5.tar.gz

This will be the last 3.2 release, as 3.2 will go 'end of life' later
this month.


*Changes*

Bug #2328: detect: mixing byte_extract and isdataat leads to FP & FN (3.2.x)
Bug #2329: various config parsing issues
Bug #2330: rules: depth < content rules not rejected (3.2.x)
Bug #2331: Suricata segfaults on ICMP and flowint check (3.2.x)


*Special thanks*

Wolfgang Hotwagner
Harley H
Edward Fjellskål


*End of life announcement*

The 3.2 branch will be end-of-life on December 18. After this it will
receive no more updates of any kind, so please plan for your upgrade to
Suricata 4.0+ before that date.

https://suricata-ids.org/about/eol-policy/


*About Suricata*

Suricata is a high performance Network Threat Detection, IDS, IPS and
Network Security Monitoring engine. Open Source and owned by a community
run non-profit foundation, the Open Information Security Foundation
(OISF). Suricata is developed by the OISF, its supporting vendors and
the community.

--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------



------------------------------

Subject: Digest Footer

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs at lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs


------------------------------

End of Emerging-sigs Digest, Vol 121, Issue 5
*********************************************

Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
