[Emerging-Sigs] UDPoS

Attack Detection attackdetectionteam at gmail.com
Tue Feb 27 08:24:35 HST 2018


Hi, we wrote a signature for UDPoS by analyzing the algorithm for
encrypting the transmitted data and splitting it into parts. In short,
there is a DNS tunnel.

# Suricata rule. Mail wrapping had split the msg string across two lines;
# the rule is written here with trailing backslashes so it loads as one rule.
# Layout it keys on: a 15-byte label (length byte 0x0F), a "bin" label
# starting exactly 15 bytes later, no "000" after that label, and four
# consecutive 30-character lowercase-hex labels (length byte 0x1e), in a
# query larger than 135 bytes.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"[PT MALWARE] Win.Trojan.UDPoS Checkin"; \
  flow:to_server; dsize:>135; \
  content:"|0F|"; \
  content:"|03|bin"; distance:15; within:4; fast_pattern; \
  content:!"000"; distance:0; \
  pcre:"/(?:\x1e[a-f0-9]{30}){4}/R"; \
  classtype:trojan-activity; \
  threshold:type threshold, track by_dst, count 10, seconds 5; \
  metadata:id_497867, created_at 2018_2_27; \
  sid:10002615; rev:1;)

Report:
https://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns

Analysis:
https://www.hybrid-analysis.com/sample/9d3f6e81ac27533f8f57d000be414b072f2381906917afa8c935ae0c6cecc367/?environmentId=100
https://www.hybrid-analysis.com/sample/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf?environmentId=100

PCAP:
https://www.dropbox.com/sh/7xr7khr8r1dt1ds/AAAFycZTRRzC0MdVH4rRAVlYa?dl=0

Best regards,
John
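Added example, not part of the post above: a Python re-implementation of the rule's content, distance/within, negated-content and pcre constraints, run over a constructed DNS query, so the byte layout the signature keys on can be checked offline before loading the rule. The label contents and the helper names (build_dns_query, matches_udpos_signature, demo) are assumptions for illustration; only the layout (a 15-byte label, a "bin" label 15 bytes later, no "000" after it, four 0x1e-prefixed 30-character lowercase-hex labels, payload over 135 bytes) is taken from the rule. Suricata's relative-matching semantics are approximated by trying every 0x0F byte as the anchor.

```python
import re
import struct

# pcre:"/(?:\x1e[a-f0-9]{30}){4}/R": four consecutive 30-char lowercase-hex
# DNS labels, each preceded by its length byte 0x1e (30).
FOUR_HEX_LABELS = re.compile(rb"(?:\x1e[a-f0-9]{30}){4}")


def build_dns_query(labels, txid=0x1234, qtype=16):
    """Return a raw DNS query payload (header + question) for a label list.

    Constructed helper for this example; txid and qtype are arbitrary
    choices, not values observed in UDPoS traffic.
    """
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS=IN


def matches_udpos_signature(payload: bytes) -> bool:
    """Apply the rule's constraints, in rule order, to one UDP payload.

    Approximation of Suricata's relative matching: every 0x0F byte is tried
    as the anchor for the relative matches that follow it.
    """
    if len(payload) <= 135:  # dsize:>135
        return False
    pos = payload.find(b"\x0f")  # content:"|0F|"
    while pos != -1:
        # content:"|03|bin"; distance:15; within:4 -> the 4-byte label must
        # start exactly 15 bytes after the end of the 0x0F match
        start = pos + 1 + 15
        if payload[start:start + 4] == b"\x03bin":
            rest = payload[start + 4:]
            # content:!"000"; distance:0 -> no "000" anywhere after the label
            # pcre:/.../R            -> regex searched from the same point
            if b"000" not in rest and FOUR_HEX_LABELS.search(rest):
                return True
        pos = payload.find(b"\x0f", pos + 1)
    return False


# Constructed sample QNAME shaped the way the rule expects. The label
# contents are made up; only the layout comes from the signature.
TUNNEL_LABELS = [
    b"1a2b3c4d5e6f7a8",                 # 15 bytes -> length byte 0x0F
    b"bin",                             # |03|bin, 15 bytes after the 0x0F
    b"0123456789abcdef0123456789abcd",  # four 30-char hex labels (0x1e)
    b"fedcba9876543210fedcba98765432",
    b"a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5",
    b"deadbeefcafebabe1122334455aabb",
    b"example", b"com",
]


def demo():
    """Run the matcher over the sample and two near-miss variants."""
    only_three = TUNNEL_LABELS[:5] + TUNNEL_LABELS[6:]   # pcre needs four
    with_000 = list(TUNNEL_LABELS)
    with_000[2] = b"000102030405060708090a0b0c0d0e"     # trips content:!"000"
    return {
        "tunnel": matches_udpos_signature(build_dns_query(TUNNEL_LABELS)),
        "three_hex_labels": matches_udpos_signature(build_dns_query(only_three)),
        "contains_000": matches_udpos_signature(build_dns_query(with_000)),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {'ALERT' if hit else 'no match'}")
```

The negated "000" check applies to the hex data labels as well, so a query whose encoded data happens to contain three consecutive zeros is not matched by this rule; the script makes that visible with the `contains_000` case. To confirm the real rule against the linked capture, load it exclusively with `suricata -r <pcap> -S udpos.rules -l <logdir>` and check fast.log.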