[Emerging-Sigs] Proposed Base64 Encoded MZ

Jason Williams jwilliams at emergingthreats.net
Wed Feb 26 06:14:18 HST 2020


Hey Nathan!

You're right, we do have a few variants of this sort of activity, but I
think this is another one that will get some more detections.

Thanks very much, we'll get this in QA for the release today.


On Wed, Feb 26, 2020 at 8:13 AM Nathan via Emerging-sigs <
emerging-sigs at lists.emergingthreats.net> wrote:

> I was farting around with https://urlhaus.abuse.ch/url/319004/ and I noticed
> that in the ET ruleset there was limited coverage for an MZ being shuffled
> across HTTP/HTTPS in a base64 encoded format. Since base64 encoded MZs on
> Pastebin are rather common I was a bit surprised. There is a similar ETPRO
> rule, however, it fixates on MZ stuffing in certificates.
>
> May I respectfully propose the below, which is a superset of "ETPRO TROJAN EXE
> Disguised as Certificate" sid:2827736:
>
> alert http $EXTERNAL_NET any -> $HOME_NET any ( \
>     msg:"ET TROJAN EXE Base64 Encoded potential malware"; \
>     flow:established,from_server; \
>     file_data; \
>     content:"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; \
>     fast_pattern; \
>     content:!"<html"; nocase; \
>     content:!"<body"; nocase; \
>     content:!"<script"; nocase; \
>     reference:url,urlhaus.abuse.ch/url/319004/; \
>     classtype:trojan-activity; \
>     sid:X; \
>     rev:1; \
>     metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2020_02_26, performance_impact Moderate; \
> )
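Added illustration, not code from the thread or from the ET ruleset: a constructed DOS header whose base64 encoding starts with the rule's content match (showing why that string is stable and why it stops before e_lfanew), a mirror of the rule's match-plus-HTML-negation logic over a response body, and a helper producing the three base64 spellings the same header takes when one or two bytes precede it in the encoded blob, which the single-alignment content does not cover. DOS_HEADER, sample_body and all function names are my own assumptions.

```python
import base64

# Content match copied from the proposed rule: base64 of the first bytes of a
# standard DOS/MZ header.
RULE_PATTERN = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

# Constructed 64-byte DOS header with the field values the pattern encodes
# (e_cblp=0x90, e_cp=3, e_cparhdr=4, e_maxalloc=0xffff, e_sp=0xb8, e_lfarlc=0x40,
# reserved fields zero). e_lfanew (offset 0x3c) is 0x80 here; it differs between
# linkers, which is why the rule's pattern stops before it.
DOS_HEADER = (
    bytes([0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
           0xFF, 0xFF, 0x00, 0x00, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
           0x40, 0x00, 0x00, 0x00])
    + b"\x00" * 32 + b"\x80\x00\x00\x00"
)
HTML_MARKERS = ("<html", "<body", "<script")  # the rule's negated contents


def sample_body(prefix: bytes = b"") -> bytes:
    """Constructed response body: base64 of `prefix` + a minimal PE-like blob."""
    return base64.b64encode(prefix + DOS_HEADER + b"PE\x00\x00" + b"\x00" * 20)


def base64_alignments(data: bytes) -> list[str]:
    """Three base64 spellings of `data`, one per offset (0, 1, 2 bytes) it can
    have inside the encoded stream. Characters whose bits mix with the bytes
    before or after `data` are trimmed, so each is a context-free substring."""
    variants = []
    for lead in range(3):
        enc = base64.b64encode(b"\x00" * lead + data).decode().rstrip("=")
        skip = (lead * 8 + 5) // 6  # chars carrying any bit of the lead bytes
        variants.append(enc[skip:-1])  # last char's low bits belong to the next byte
    return variants


def has_no_html(text: str) -> bool:
    return not any(m in text.lower() for m in HTML_MARKERS)


def matches_rule(body: bytes) -> bool:
    """Mirror of the rule: pattern present, none of the HTML markers (nocase)."""
    text = body.decode("latin-1")
    return has_no_html(text) and RULE_PATTERN in text


def matches_any_alignment(body: bytes) -> bool:
    """Same check, tolerant of the MZ bytes starting 1 or 2 bytes into the blob."""
    text = body.decode("latin-1")
    return has_no_html(text) and any(v in text for v in base64_alignments(DOS_HEADER))
```

Note that the rule's negated contents mean a base64 EXE embedded in an HTML page is deliberately not alerted on; matches_rule reproduces that behaviour so the trade-off is visible.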