[Emerging-Sigs] Emerging-sigs Digest, Vol 147, Issue 19

Escudero, Ferdinand feescudero at ucsd.edu
Fri Feb 14 06:39:18 HST 2020


Hi Jack,
    I see the negation of the .eset.com content after the ruleset update, but it is still triggering on i[1234]4.c.eset.com domains.
Anyone else seeing this?

Thanks for the help,

Ferdie Escudero
Security Operations Group
Information Technology Services(ITS)
University of California San Diego



Send Emerging-sigs mailing list submissions to
	emerging-sigs at lists.emergingthreats.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
or, via email, send a message with subject or body 'help' to
	emerging-sigs-request at lists.emergingthreats.net

You can reach the person managing the list at
	emerging-sigs-owner at lists.emergingthreats.net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Emerging-sigs digest..."


Today's Topics:

   1. Re: KBot C2 Sig (Jack Mott)


----------------------------------------------------------------------

Message: 1
Date: Wed, 12 Feb 2020 09:13:18 -0700
From: Jack Mott <jmott at emergingthreats.net>
To: elhijo at 0lim.net
Cc: Brad Woodberg <bwoodberg at proofpoint.com>,
	"emerging-sigs at emergingthreats.net"
	<emerging-sigs at emergingthreats.net>,  Support Redirect
	<support at emergingthreats.net>
Subject: Re: [Emerging-Sigs] KBot C2 Sig
Message-ID:
	<CAHHK96Fkxr6A+yCxsb6KQsEO6BbiGJZXH1-dGJY8SKbV7_dBow at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Hi All,

A new copy of the ruleset was just pushed which contains an update to
2820288 which reflects the proper negation.

Please let us know if you continue to see problems, and thank you to all who reached out to let us know what you're seeing.

Best,

Jack

On Wed, Feb 12, 2020 at 8:53 AM <elhijo at 0lim.net> wrote:

> Hi Brad,
>
> the last one was sent with my newly registered account elhijo at illum-mg.fr
>
> There was only text and an attachment with a JSON Zeek log file; I tried to tar the JSON file but had the same issue.
>
> It was sent from 83.167.32.54 around 16:30
>
> Cheers,
> David
>
> February 12, 2020 4:44 PM, "Brad Woodberg" <bwoodberg at proofpoint.com> wrote:
>
> Hi David,
>
> I tested the portal and could not reproduce the issue, nor have we 
> received any other reports. If you can provide the details of what you 
> entered that would be helpful. I’ll let the team speak to the 
> signature itself.
>
> Brad Woodberg | Group Product Manager - Emerging Threats, TAP Campaigns
> Proofpoint, Inc.
> E: bwoodberg at proofpoint.com
>
>
> From: Emerging-sigs <emerging-sigs-bounces at lists.emergingthreats.net> on behalf of "elhijo at 0lim.net" <elhijo at 0lim.net>
> Date: Wednesday, February 12, 2020 at 10:39 AM
> To: "emerging-sigs at emergingthreats.net" <emerging-sigs at emergingthreats.net>
> Subject: Re: [Emerging-Sigs] KBot C2 Sig
>
> Hi,
>
> I was trying to send you the same issue through the ET feedback web page, but I get a bad gateway error every time I submit my request.
>
> sid:2820288
>
> All alerts linked to i[1234]4.c.eset.com
>
> Cheers,
>
> David
>
>
> February 12, 2020 4:30 PM, "Stuart Gonzalez" <stu at perchsecurity.com> wrote:
>
> Hi Team,
>
> Looking through this sig and wondering if the content match for ".eset.com"
> should have been negated. I reviewed the references, as well as other
> malware repos for this malware, and found no indication of C2 traffic
> destined for eset subdomains.
>
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO TROJAN Bolek/Kbot CnC Checkin"; flow:established,to_server; urilen:1; content:"POST"; http_method; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/Ps"; content:".eset.com"; http_host; isdataat:!1,relative; http_header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|"; depth:36; fast_pattern; content:!"Accept"; content:!"Referer"; metadata: former_category MALWARE; reference:md5,24a497e3993289168455f12d11f0430f; reference:md5,2d7ce4c681bdbddf4ab2740f5fb589dc; classtype:trojan-activity; sid:2820288; rev:5; metadata:created_at 2016_05_20, updated_at 2020_02_11;)
>
> https://securelist.com/kbot-sometimes-they-come-back/96157/
>
> https://www.virustotal.com/gui/file/406a4fcb391cc8098d1a6578e2609c21f0f59ca2386f926e3438c57e4549c966/behavior/VirusTotal%20Cuckoofork
>
> *Stuart Gonzalez* / Chief Bot Officer
> stu at perchsecurity.com / 713.591.1602
>
> *PERCH*
> https://perchsecurity.com | Perch Blog http://www.perchsecurity.com/blog | Product Support <help at perchsecurity.com> | SOC Operations <soc at perchsecurity.com>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
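Added example for the thread above (it is not code from the list, from Emerging Threats or from Suricata): a small parser for the option block of a Suricata/Snort-style rule, plus a simulation of the `content:".eset.com"; http_host; isdataat:!1,relative;` clause that Stuart questioned. It lets a defender check two things on a local ruleset copy: whether the `.eset.com` host match in sid 2820288 is negated, which is what Ferdie wanted to confirm after the update, and whether a given Host value such as i14.c.eset.com would still satisfy the clause. `RULE_REV5` is the rule as quoted; `RULE_NEGATED` is a constructed variant with only the host content negated (the revision ET actually pushed is not quoted on the list and may differ), and the keyword tables are a simplified subset of Suricata's, enough for this one rule.

```python
"""Parse a Suricata/Snort-style rule's option block and simulate its http_host
content clause. Added example; keyword handling is a simplified subset of
Suricata's semantics, sufficient for the rule discussed on the list."""

# Rev 5 of the rule exactly as Stuart quoted it on the list (pre-fix).
RULE_REV5 = r'''alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO TROJAN Bolek/Kbot CnC Checkin"; flow:established,to_server; urilen:1; content:"POST"; http_method; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/Ps"; content:".eset.com"; http_host; isdataat:!1,relative; http_header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|"; depth:36; fast_pattern; content:!"Accept"; content:!"Referer"; metadata: former_category MALWARE; reference:md5,24a497e3993289168455f12d11f0430f; reference:md5,2d7ce4c681bdbddf4ab2740f5fb589dc; classtype:trojan-activity; sid:2820288; rev:5; metadata:created_at 2016_05_20, updated_at 2020_02_11;)'''

# Assumed "fixed" variant with only the host match negated. The revision ET
# actually pushed is not quoted on the list and may differ from this.
RULE_NEGATED = RULE_REV5.replace('content:".eset.com";', 'content:!".eset.com";')

# Legacy modifier keywords follow a content and re-target that content.
MODIFIERS = {"http_method", "http_host", "http_raw_host", "http_uri", "http_header"}
# Sticky buffers precede a content and stay in force for later contents.
STICKY = {"http_header_names", "http.host", "http.method", "http.uri"}


def split_options(rule):
    """Return (keyword, value) pairs from the option block, splitting on ';'
    only outside double quotes so pcre and content bodies stay intact."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch); escaped = False
        elif ch == "\\":
            cur.append(ch); escaped = True
        elif ch == '"':
            cur.append(ch); in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur)); cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        opts.append("".join(cur))
    pairs = []
    for opt in opts:
        key, _, val = opt.strip().partition(":")
        pairs.append((key.strip(), val.strip()))
    return pairs


def decode_pattern(raw):
    """Expand |xx xx| hex runs in a content pattern into bytes."""
    out = bytearray()
    for i, chunk in enumerate(raw.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode()
    return bytes(out)


def content_matches(rule):
    """Group each content with its buffer, negation flag and end-anchoring."""
    matches, sticky = [], "payload"
    for key, val in split_options(rule):
        if key == "content":
            negated = val.startswith("!")
            pattern = decode_pattern(val.lstrip("!").strip().strip('"'))
            matches.append({"pattern": pattern, "negated": negated,
                            "buffer": sticky, "end_anchored": False})
        elif key in STICKY:
            sticky = key
        elif key in MODIFIERS and matches:
            matches[-1]["buffer"] = key
        elif key == "isdataat" and matches and val.replace(" ", "") == "!1,relative":
            # isdataat:!1,relative: no byte may follow the previous match,
            # i.e. the pattern must sit at the very end of the buffer.
            matches[-1]["end_anchored"] = True
    return matches


def rule_meta(rule):
    """sid, rev and msg of the rule (msg with quotes stripped)."""
    opts = {k: v for k, v in split_options(rule) if k in ("sid", "rev", "msg")}
    return {"sid": int(opts["sid"]), "rev": int(opts["rev"]), "msg": opts["msg"].strip('"')}


def host_check(rule):
    """The content match that applies to the HTTP Host buffer, or None."""
    for m in content_matches(rule):
        if m["buffer"] in ("http_host", "http.host"):
            return m
    return None


def host_check_fires(rule, host):
    """Simulate the rule's host clause against one Host header value.
    Suricata lower-cases the http_host buffer, so compare case-insensitively.
    A negated content plus the end anchor is modelled simply as 'fires when
    the anchored pattern is absent' (an assumption of this example)."""
    m = host_check(rule)
    if m is None:
        return True  # no host clause: the rule places no condition on Host
    needle, hay = m["pattern"].lower(), host.lower().encode()
    found = hay.endswith(needle) if m["end_anchored"] else needle in hay
    return found != m["negated"]


if __name__ == "__main__":
    for name, rule in (("rev5 as quoted", RULE_REV5), ("negated variant", RULE_NEGATED)):
        meta, hc = rule_meta(rule), host_check(rule)
        print(f"{name}: sid {meta['sid']} rev {meta['rev']} host match negated={hc['negated']}")
        for h in ("i14.c.eset.com", "i24.c.eset.com.attacker.example", "www.example.com"):
            print(f"  Host {h!r} -> fires={host_check_fires(rule, h)}")
```

Run as-is it prints that the quoted rev 5 fires on i14.c.eset.com while the negated variant does not, which is the false-positive pattern the thread reports. A side effect of decoding the pipe-hex pattern is visible too: the header-names content decodes to 36 bytes, and the rule's `depth:36` equals that length, so the `Host`/`Content-Length`/`Connection` sequence has to open the header-names buffer exactly. If a local copy still shows `negated=False` for the host match, the ruleset update has not actually been loaded.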

------------------------------


------------------------------

End of Emerging-sigs Digest, Vol 147, Issue 19
**********************************************

