[Emerging-Sigs] False positive. ET TROJAN DirectsX Checkin Response. TightVNC

Travis Green tgreen at emergingthreats.net
Wed Jan 17 07:04:27 HST 2018


Maxim,
Thanks for letting us know, we'll see if there's any way to fix this.

Best regards,
-Travis

On Wed, Jan 17, 2018 at 6:03 AM, Maxim <Maxim.Parpaley at netwatcher.com>
wrote:

> Hello,
>
> Not sure we can eliminate this FP, but at least I want to let you know that
> during a TightVNC remote session signature 2019633 tripped.
>
> PCAP is too big, I want to share Netflow:
>
> Source       70.x.x.x (United States)   port 5912    MAC 6c:41:6a:1e:dc:cd (Cisco)                   host xxxxxx.ccc.cccc.rr.com
> Destination  10.3.212.146 (local)       port 51640   MAC 8c:ae:4c:f3:d5:05 (Plugable Technologies)   host rtp-lap-39 rtp-lap-39-
>
>
> Thank you,
> Best Regards,
> Maxim
>
>  -----Original Message-----
> From: Emerging-sigs [mailto:emerging-sigs-bounces@
> lists.emergingthreats.net] On Behalf Of emerging-sigs-request at lists.
> emergingthreats.net
> Sent: Wednesday, January 17, 2018 1:07 AM
> To: emerging-sigs at lists.emergingthreats.net
> Subject: Emerging-sigs Digest, Vol 122, Issue 13
>
> Send Emerging-sigs mailing list submissions to
>         emerging-sigs at lists.emergingthreats.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> or, via email, send a message with subject or body 'help' to
>         emerging-sigs-request at lists.emergingthreats.net
>
> You can reach the person managing the list at
>         emerging-sigs-owner at lists.emergingthreats.net
>
> When replying, please edit your Subject line so it is more specific than
> "Re: Contents of Emerging-sigs digest..."
>
>
> Today's Topics:
>
>    1. Trojan.Downloader (Attack Detection)
>    2. Re: Trojan.Downloader (Jason Williams)
>    3. Daily Ruleset Update Summary 2018/01/16 (Travis Green)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 16 Jan 2018 21:55:58 +0300
> From: Attack Detection <attackdetectionteam at gmail.com>
> To: emerging-sigs at lists.emergingthreats.net
> Subject: [Emerging-Sigs] Trojan.Downloader
> Message-ID:
>         <CALJOUfYK+E7SO2KrssdUDf7hAoW1zDJ7OR6nd_zASOZ_DD=
> JwQ at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi, interesting downloader found.
>     Obfuscated VBA stager, includes the code of a binary file HTTP
> downloader, also equipped with a function for detecting virtual machines,
> and many interesting things; look at the pastebin link.
>
> Signatures:
>
> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Trojan.Downloader VBA Script obfuscation (binary_getter)"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"(Chr((((asc(Mid("; depth:300; content:",1,1))-65))*25+(asc(Mid("; within:100; content:",2,1))-65)-"; within:100; threshold:type limit, track by_src, count 1, seconds 30; classtype:trojan-activity; metadata:id_421251, created_at 2017_12_22; sid:10002341; rev:1;)
>
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Trojan.Downloader UserAgent (binary_getter)"; flow:established,to_server; content:"User-Agent: binary_getter"; http_header; classtype:trojan-activity; metadata:id_291409, created_at 2017_12_22; sid:10002342; rev:1;)
>
>
> Links:
> VBA binary_getter/1.0 source code: http://www.808.dk/?code-binarywinhttprequest
> Python decoder script: https://pastebin.com/1pLniq0A
> Downloader VBA script: https://pastebin.com/WkRrfEL4
> PCAPs: https://www.dropbox.com/sh/qtjhvff9hauicg3/AAC-s6PcmCx6qlGUxMCmVv67a?dl=0
>
> Best regards,
> John.
>
> ------------------------------
>
> Message: 2
> Date: Tue, 16 Jan 2018 13:14:03 -0600
> From: Jason Williams <jwilliams at emergingthreats.net>
> To: Attack Detection <attackdetectionteam at gmail.com>
> Cc: emerging-sigs <emerging-sigs at lists.emergingthreats.net>
> Subject: Re: [Emerging-Sigs] Trojan.Downloader
> Message-ID:
>         <CAPpdu9GZB8SSykVGxDt9NQCUYLVzEyA1znBu7V5rG+JrWuWF3w at mail.
> gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> John,
>
> Thanks! Will get these QA'd and hopefully out today.
>
> Jason
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 16 Jan 2018 16:06:15 -0700
> From: Travis Green <tgreen at emergingthreats.net>
> To: "emerging-sigs at emergingthreats.net"
>         <emerging-sigs at emergingthreats.net>,  Emerging-updates redirect
>         <emerging-updates at emergingthreats.net>,  ETPro-sigs List
>         <etpro-sigs at emergingthreatspro.com>
> Subject: [Emerging-Sigs] Daily Ruleset Update Summary 2018/01/16
> Message-ID:
>         <CAKgkF6mo2Z8cMJ3=w94-evrdw1osF=Zvs1cJjdmsOQ-
> TiyLZMQ at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> [***]            Summary:            [***]
>
> 5 new Open, 55 new Pro (5 + 50). Possible APT28 DNS, OSX/Mami, Colony
> Rootkit, Various Phishing.
>
> Thanks: @MalwrHunterTeam
>
>
> [+++]          Added rules:          [+++]
>
> Open:
>
>  2025199 - ET TROJAN OSX/Mami CnC Checkin (trojan.rules)
>  2025200 - ET TROJAN OSX/Mami Possible DNS Query to Evil DNS Server (trojan.rules)
>  2025201 - ET TROJAN Observed Evrial Domain (cryptoclipper .ru in TLS SNI) (trojan.rules)
>  2025202 - ET TROJAN [PTsecurity] Trojan.Downloader VBA Script obfuscation (binary_getter) (trojan.rules)
>  2025203 - ET USER_AGENTS [PTsecurity] Possible Trojan.Downloader UserAgent (binary_getter) (user_agents.rules)
>
> Pro:
>
>  2828743 - ETPRO CURRENT_EVENTS Malicious VBScript Inbound (current_events.rules)
>  2829272 - ETPRO TROJAN Possible APT28 DNS Lookup (trojan.rules)
>  2829273 - ETPRO TROJAN Possible APT28 DNS Lookup (trojan.rules)
>  2829274 - ETPRO TROJAN Possible APT28 DNS Lookup (trojan.rules)
>  2829275 - ETPRO TROJAN Possible APT28 DNS Lookup (trojan.rules)
>  2829276 - ETPRO TROJAN Possible APT28 DNS Lookup (trojan.rules)
>  2829277 - ETPRO TROJAN APT28 DNS Lookup (trojan.rules)
>  2829278 - ETPRO TROJAN APT28 DNS Lookup (trojan.rules)
>  2829279 - ETPRO TROJAN APT28 DNS Lookup (trojan.rules)
>  2829280 - ETPRO TROJAN APT28 DNS Lookup (trojan.rules)
>  2829281 - ETPRO TROJAN APT28 DNS Lookup (trojan.rules)
>  2829282 - ETPRO TROJAN APT28 DNS Lookup (trojan.rules)
>  2829283 - ETPRO TROJAN APT28 DNS Lookup (trojan.rules)
>  2829284 - ETPRO TROJAN APT28 DNS Lookup (trojan.rules)
>  2829285 - ETPRO TROJAN APT28 DNS Lookup (trojan.rules)
>  2829286 - ETPRO TROJAN APT28 DNS Lookup (trojan.rules)
>  2829287 - ETPRO TROJAN APT28 DNS Lookup (trojan.rules)
>  2829288 - ETPRO TROJAN Colony Rootkit Downloader CnC Checkin (trojan.rules)
>  2829289 - ETPRO TROJAN Colony Rootkit Downloader Requesting Payload (trojan.rules)
>  2829290 - ETPRO TROJAN Observed Malicious SSL Cert (MalDoc DL) (trojan.rules)
>  2829291 - ETPRO CURRENT_EVENTS Successful Office 365 Phish 2018-01-16 (current_events.rules)
>  2829292 - ETPRO CURRENT_EVENTS Successful Stripe Phish 2018-01-16 (current_events.rules)
>  2829293 - ETPRO CURRENT_EVENTS Adobe Shared Document Phishing Landing 2018-01-16 (current_events.rules)
>  2829294 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2018-01-16 (current_events.rules)
>  2829295 - ETPRO CURRENT_EVENTS Successful Facebook Help Center Phish 2018-01-16 (current_events.rules)
>  2829296 - ETPRO TROJAN MSIL/Backdoor.Magoo Retrieving Server Info (trojan.rules)
>  2829297 - ETPRO MALWARE MSIL/AdFraudClicker Activity M2 (malware.rules)
>  2829298 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2018-01-16 (current_events.rules)
>  2829299 - ETPRO CURRENT_EVENTS Successful BNZ Internet Banking Phish 2018-01-16 (current_events.rules)
>  2829300 - ETPRO CURRENT_EVENTS Successful Oney (FR) Phish 2018-01-16 M1 (current_events.rules)
>  2829301 - ETPRO CURRENT_EVENTS Successful Oney (FR) Phish 2018-01-16 M2 (current_events.rules)
>  2829302 - ETPRO CURRENT_EVENTS Successful Optus Webmail Phish 2018-01-16 (current_events.rules)
>  2829303 - ETPRO CURRENT_EVENTS Successful Smartsheet Phish 2018-01-16 (current_events.rules)
>  2829304 - ETPRO TROJAN Compromised Legitimate Website Lazarus Group Downloader SSL Cert (trojan.rules)
>  2829305 - ETPRO CURRENT_EVENTS Successful Generic Mailbox Upgrade Phish 2018-01-16 (current_events.rules)
>  2829306 - ETPRO CURRENT_EVENTS Successful Microsoft/Hotmail Account Phish 2018-01-16 (current_events.rules)
>  2829307 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-01-16 1) (trojan.rules)
>  2829308 - ETPRO TROJAN MSIL/Remcos Variant CnC Checkin (trojan.rules)
>  2829309 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-01-16 2) (trojan.rules)
>  2829310 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-01-16 3) (trojan.rules)
>  2829311 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-01-16 4) (trojan.rules)
>  2829312 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-01-16 5) (trojan.rules)
>  2829313 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-01-16 7) (trojan.rules)
>  2829314 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-01-16 8) (trojan.rules)
>  2829315 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-01-16 10) (trojan.rules)
>  2829316 - ETPRO CURRENT_EVENTS Fedex Phishing Landing 2018-01-16 (current_events.rules)
>  2829317 - ETPRO CURRENT_EVENTS Successful Fedex Phish 2018-01-16 (current_events.rules)
>  2829318 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-01-16 6) (trojan.rules)
>  2829319 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-01-16 9) (trojan.rules)
>  2829320 - ETPRO CURRENT_EVENTS Successful Stripe Phish 2018-01-16 (current_events.rules)
>
>
> [///]     Modified active rules:     [///]
>
>  2809267 - ETPRO TROJAN W32/TinyZBot Fake Resume Upload GET Request (Operation Cleaver) (trojan.rules)
>  2829000 - ETPRO TROJAN FormBook CnC Checkin (GET) (trojan.rules)
>
>
> [---]  Disabled and modified rules:  [---]
>
>  2814040 - ETPRO CURRENT_EVENTS Successful Wire Transfer Phish Sept 22 2015 (current_events.rules)
>
>
> [---]         Removed rules:         [---]
>
>  2828743 - ETPRO TROJAN Malicious VBScript Inbound (trojan.rules)
>
>
> --
> PGP: 0xBED7B297
> <https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
> ------------------------------
>
> End of Emerging-sigs Digest, Vol 122, Issue 13
> **********************************************
>
>


-- 
PGP: 0xBED7B297
<https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>
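As an added illustration of how the two binary_getter rules quoted in Message 1 of the digest actually match (this is example code written for this page, not code from the thread, from PTsecurity or from Suricata), the block below re-implements Suricata's ordered content/depth/within matching and runs it over constructed HTTP bodies and headers; the trailing "-65" constant in the sample decoder expression and the sample hostnames are assumptions.

```python
# Added example: minimal re-implementation of Suricata's ordered
# content/depth/within matching, applied to the two binary_getter rules
# from Message 1 of the digest. All sample buffers below are constructed.

# sid 10002341 (file_data buffer): three fragments of the VBA decoder
# expression Chr(((asc(Mid(s,1,1))-65))*25+(asc(Mid(s,2,1))-65)-...).
# The first must end within the first 300 bytes; each later fragment must
# end within 100 bytes after the end of the previous match.
VBA_OBFUSCATION_CHAIN = [
    (b"(Chr((((asc(Mid(", {"depth": 300}),
    (b",1,1))-65))*25+(asc(Mid(", {"within": 100}),
    (b",2,1))-65)-", {"within": 100}),
]

# sid 10002342 (http_header buffer): a single unanchored content match.
BINARY_GETTER_UA_CHAIN = [(b"User-Agent: binary_getter", {})]


def match_content_chain(buf: bytes, chain) -> bool:
    """True when every content in `chain` is found in order.
    depth:N  - the match must end within the first N bytes of the buffer
    within:N - the match must end within N bytes after the previous match
    (offset/distance/nocase are not modelled; these rules do not use them)."""
    last_end = 0
    for pattern, mods in chain:
        start, end = last_end, len(buf)
        if "depth" in mods:            # depth counts from the buffer start
            start, end = 0, mods["depth"]
        elif "within" in mods:
            end = last_end + mods["within"]
        pos = buf.find(pattern, start, end)   # pattern must fit in [start, end)
        if pos == -1:
            return False
        last_end = pos + len(pattern)
    return True


# Constructed sample: one decoder call as it would appear in the macro
# (the final "-65" constant is a placeholder; the rule does not depend on it).
HIT_BODY = (b"<html><script language=vbscript>\r\n"
            b"s = s & (Chr((((asc(Mid(t,1,1))-65))*25+(asc(Mid(t,2,1))-65)-65)))\r\n")
# Same fragments, but the expression begins past the 300-byte depth: no alert.
MISS_BODY = b"<!-- " + b"x" * 300 + b" -->\r\n" + HIT_BODY
HIT_HEADER = (b"GET /update.exe HTTP/1.1\r\nHost: example.invalid\r\n"
              b"User-Agent: binary_getter/1.0\r\n\r\n")


def check_samples():
    """Returns (body hit, body miss on depth, header hit)."""
    return (match_content_chain(HIT_BODY, VBA_OBFUSCATION_CHAIN),
            match_content_chain(MISS_BODY, VBA_OBFUSCATION_CHAIN),
            match_content_chain(HIT_HEADER, BINARY_GETTER_UA_CHAIN))


if __name__ == "__main__":
    print(check_samples())  # (True, False, True)
```

The depth miss is the kind of case worth keeping in mind when tuning an FP report like the TightVNC one above: a rule's modifiers decide as much as its content strings do.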

