[Emerging-Sigs] Emerging-sigs Digest, Vol 147, Issue 19

Jack Mott jmott at emergingthreats.net
Fri Feb 14 06:53:56 HST 2020


Hi Ferdie,

I am happy to look into this more. Can you send what rev of the rule, which
engine/version you're using, and a PCAP of traffic you're seeing firing on
this off-list to me?

Thanks!

Jack

On Fri, Feb 14, 2020 at 9:39 AM Escudero, Ferdinand via Emerging-sigs <
emerging-sigs at lists.emergingthreats.net> wrote:

> Hi Jack,
>     I see the negation of the .eset.com content after the ruleset update
> but it still triggers on i[1234]4.c.eset.com domains.
> Anyone else seeing this?
>
> Thanks for the help,
>
> Ferdie Escudero
> Security Operations Group
> Information Technology Services (ITS)
> University of California San Diego
>
>
>
> Date: Wed, 12 Feb 2020 09:13:18 -0700
> From: Jack Mott <jmott at emergingthreats.net>
> To: elhijo at 0lim.net
> Cc: Brad Woodberg <bwoodberg at proofpoint.com>,
>         "emerging-sigs at emergingthreats.net"
>         <emerging-sigs at emergingthreats.net>,  Support Redirect
>         <support at emergingthreats.net>
> Subject: Re: [Emerging-Sigs] KBot C2 Sig
>
> Hi All,
>
> A new copy of the ruleset was just pushed which contains an update to
> 2820288 which reflects the proper negation.
>
> Please let us know if you continue to see problems, and thank you to all
> who reached out to let us know what you're seeing.
>
> Best,
>
> Jack
>
> On Wed, Feb 12, 2020 at 8:53 AM <elhijo at 0lim.net> wrote:
>
> > Hi Brad,
> >
> > the last one was sent with my newly registered account
> > elhijo at illum-mg.fr
> >
> > There was only a text and an attachment with a JSON Zeek logs file;
> > I've tried to tar the JSON file but had the same issue.
> >
> > It has been sent from 83.167.32.54 around 16:30
> >
> > Cheers,
> > David
> >
> > February 12, 2020 4:44 PM, "Brad Woodberg" <bwoodberg at proofpoint.com>
> > wrote:
> >
> > Hi David,
> >
> > I tested the portal and could not reproduce the issue, nor have we
> > received any other reports. If you can provide the details of what you
> > entered that would be helpful. I’ll let the team speak to the
> > signature itself.
> >
> > *Brad Woodberg* | Group Product Manager - Emerging Threats, TAP Campaigns
> >
> > Proofpoint, Inc.
> >
> > E: bwoodberg at proofpoint.com
> >
> > From: Emerging-sigs <emerging-sigs-bounces at lists.emergingthreats.net>
> > on behalf of "elhijo at 0lim.net" <elhijo at 0lim.net>
> > Date: Wednesday, February 12, 2020 at 10:39 AM
> > To: "emerging-sigs at emergingthreats.net" <emerging-sigs at emergingthreats.net>
> > Subject: Re: [Emerging-Sigs] KBot C2 Sig
> >
> > Hi,
> >
> > I was trying to send you the same issue through the ET feedback webpage,
> > but I get a bad gateway error every time I submit my request.
> >
> > sid:2820288
> >
> > All alerts linked to i[1234]4.c.eset.com
> >
> > Cheers,
> >
> > David
> >
> >
> > February 12, 2020 4:30 PM, "Stuart Gonzalez" <stu at perchsecurity.com>
> > wrote:
> >
> > Hi Team,
> >
> > Looking through this sig and wondering if the content match for “.eset.com”
> > should have been negated. I reviewed the references, as well as other
> > malware repos for this malware, and found no indication of C2 traffic
> > destined for eset subdomains.
> >
> > alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO TROJAN Bolek/Kbot CnC Checkin";
> >   flow:established,to_server; urilen:1; content:"POST"; http_method;
> >   pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/Ps";
> >   content:".eset.com"; http_host; isdataat:!1,relative;
> >   http_header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|"; depth:36; fast_pattern;
> >   content:!"Accept"; content:!"Referer";
> >   metadata: former_category MALWARE;
> >   reference:md5,24a497e3993289168455f12d11f0430f; reference:md5,2d7ce4c681bdbddf4ab2740f5fb589dc;
> >   classtype:trojan-activity; sid:2820288; rev:5;
> >   metadata:created_at 2016_05_20, updated_at 2020_02_11;)
> >
> > https://securelist.com/kbot-sometimes-they-come-back/96157/
> >
> > https://www.virustotal.com/gui/file/406a4fcb391cc8098d1a6578e2609c21f0f59ca2386f926e3438c57e4549c966/behavior/VirusTotal%20Cuckoofork
> >
> > *Stuart Gonzalez* / Chief Bot Officer
> > stu at perchsecurity.com / 713.591.1602
> >
> > *PERCH*
> > perchsecurity.com
> >
> >
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at lists.emergingthreats.net
> > https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
> > Support Emerging Threats! Subscribe to Emerging Threats Pro
> > http://www.emergingthreats.net
>
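The point Stuart raises about sid:2820288 is that `content:".eset.com"; http_host; isdataat:!1,relative;` requires the Host header to end in `.eset.com`, which is the opposite of what a C2 check-in signature wants, so every `i14.c.eset.com` update request fires it. The following is an added example, not Emerging Threats' rule logic and not Suricata code: a small Python model of just the `http_host` part of the rule, run over a few constructed Host values, so the un-negated and negated forms can be compared side by side. The rev:5 text is the one quoted in the thread; the corrected form is my assumption (negate the content, drop the relative `isdataat`, bump to rev:6), since the revised option list is not quoted on the list. Everything else in the rule (method, URI length, header ordering, absent Accept/Referer) is deliberately not modelled.

```python
# Constructed sample: the rule exactly as quoted on the list (rev:5); the
# ".eset.com" host content is NOT negated, so the rule *requires* an eset host.
RULE_REV5 = (
    r'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO TROJAN Bolek/Kbot CnC Checkin"; '
    r'flow:established,to_server; urilen:1; content:"POST"; http_method; '
    r'pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/Ps"; '
    r'content:".eset.com"; http_host; isdataat:!1,relative; '
    r'http_header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|"; '
    r'depth:36; fast_pattern; content:!"Accept"; content:!"Referer"; '
    r'metadata: former_category MALWARE; classtype:trojan-activity; sid:2820288; rev:5;)'
)

# ASSUMPTION: the corrected option list is not on the page. This is how I would
# write the host check: negate the content (host must NOT contain ".eset.com")
# and drop the relative isdataat, which has no meaning after a negated match.
RULE_FIXED = RULE_REV5.replace(
    'content:".eset.com"; http_host; isdataat:!1,relative;',
    'content:!".eset.com"; http_host;',
).replace("rev:5;", "rev:6;")

# Constructed Host values: ESET updater hosts from the thread, plus two that
# look nothing like eset.com.
SAMPLE_HOSTS = ["i14.c.eset.com", "i24.c.eset.com", "update.eset.com",
                "example.net", "198.51.100.7"]


def parse_options(rule):
    """Split the option body of a Suricata rule into (keyword, value) pairs.

    Splits on ';' only outside double quotes, so '|0d 0a|...' content and the
    pcre body survive intact. Escaped quotes (\\") are not handled; the quoted
    rule has none.
    """
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts, buf, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            token = "".join(buf).strip()
            if token:
                kw, _, val = token.partition(":")
                opts.append((kw.strip(), val.strip()))
            buf = []
        else:
            buf.append(ch)
    return opts


def host_checks(opts):
    """Return [(pattern, negated, anchored_at_end)] for every content that is
    modified by http_host. In Suricata's rule language the keywords between
    one content and the next apply to that content; isdataat:!1,relative
    asserts that no byte follows the match, i.e. the pattern is a suffix."""
    checks = []
    for i, (kw, val) in enumerate(opts):
        if kw != "content":
            continue
        negated = val.startswith("!")
        pattern = val.lstrip("!").strip('"')
        in_host = anchored = False
        for kw2, val2 in opts[i + 1:]:
            if kw2 == "content":
                break
            if kw2 == "http_host":
                in_host = True
            if kw2 == "isdataat" and val2 == "!1,relative":
                anchored = True
        if in_host:
            checks.append((pattern, negated, anchored))
    return checks


def host_matches(checks, host):
    """True if the host satisfies every http_host content check.
    The http_host buffer is normalized to lowercase, so compare lowercased."""
    host = host.lower()
    for pattern, negated, anchored in checks:
        p = pattern.lower()
        found = host.endswith(p) if anchored else (p in host)
        if found == negated:  # plain content needs a hit, negated content needs none
            return False
    return True


def fire_report(rule, hosts):
    """Map each sample host to whether the rule's host check passes for it."""
    checks = host_checks(parse_options(rule))
    return {h: host_matches(checks, h) for h in hosts}


if __name__ == "__main__":
    for label, rule in (("rev:5 as posted", RULE_REV5), ("negated (assumed fix)", RULE_FIXED)):
        print(label, host_checks(parse_options(rule)))
        for host, hit in fire_report(rule, SAMPLE_HOSTS).items():
            print(f"  {host:18} host check passes: {hit}")
```

Running it shows the rev:5 host check passing only for the three eset hosts and failing for everything else, which is exactly the false-positive pattern Ferdie and David report; with the content negated the eset hosts drop out and the check passes for arbitrary other hosts, leaving the remaining options of the rule to carry the detection. The same parser is handy for linting a ruleset offline: any `content` followed by `http_host` that names a legitimate vendor domain without a `!` is worth a second look before deployment.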