[Emerging-Sigs] Proposed Base64 Encoded MZ

Nathan nathan at packetmail.net
Wed Feb 26 10:19:17 HST 2020


Likewise, thank you all for considering the rule.  Cheers!

On Wed, 26 Feb 2020 09:14:18 -0700
Jason Williams <jwilliams at emergingthreats.net> wrote:

> Hey Nathan!
> 
> You're right, we do have a few variants of this sort of activity, but
> I think this is another one that will get some more detections.
> 
> Thanks very much, we'll get this in QA for the release today.
> 
> 
> On Wed, Feb 26, 2020 at 8:13 AM Nathan via Emerging-sigs <
> emerging-sigs at lists.emergingthreats.net> wrote:
> 
> > I was farting around with https://urlhaus.abuse.ch/url/319004/ and I
> > noticed that in the ET ruleset there was limited coverage for an MZ being
> > shuffled across HTTP/HTTPS in a base64 encoded format.  Since
> > base64 encoded MZs on Pastebin are rather common I was a bit
> > surprised.  There is a similar ETPRO rule, however, it fixates on
> > MZ stuffing in certificates.
> >
> > May I respectfully propose the below, which is a superset of "ETPRO
> > TROJAN EXE Disguised as Certificate" sid:2827736:
> >
> > alert http $EXTERNAL_NET any -> $HOME_NET any ( \
> >   msg:"ET TROJAN EXE Base64 Encoded potential malware"; \
> >   flow:established,from_server; \
> >   file_data; \
> >   content:"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; fast_pattern; \
> >   content:!"<html"; nocase; \
> >   content:!"<body"; nocase; \
> >   content:!"<script"; nocase; \
> >   reference:url,urlhaus.abuse.ch/url/319004/; \
> >   classtype:trojan-activity; \
> >   sid:X; rev:1; \
> >   metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2020_02_26, performance_impact Moderate; \
> > )
> >
> >
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at lists.emergingthreats.net
> > https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
> > Support Emerging Threats! Subscribe to Emerging Threats Pro
> > http://www.emergingthreats.net
> >
> >  
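
The following is an added example, not code from this thread or from Emerging Threats, showing what the proposed rule's literal actually is and where its coverage stops. It assumes the default DOS stub written by the Microsoft linker (other toolchains emit different stubs, so their base64 differs); the "tagged" and "length-prefixed" loader formats are hypothetical, and every response body below is constructed. It demonstrates three things: the rule's `TVqQAAMAAAAEAAAA...` literal is the base64 of the canonical 60-byte DOS header when the executable starts at byte 0 of the encoder's input; the same header encodes to completely different text when it begins 1 or 2 bytes into that input, so one literal covers one of three possible alignments; and the negated `<html`/`<body`/`<script` tokens mean a paste viewed as a rendered HTML page does not match, only the raw download does.

```python
"""Base64-encoded MZ detection: what the rule's literal is, and what it misses.

Added example, not code from the thread or from Emerging Threats. Assumes the
default DOS stub written by the Microsoft linker (other toolchains emit
different stubs); all sample bodies below are constructed.
"""
import base64
import re

# Canonical DOS/MZ header: e_magic "MZ", e_cblp 0x90, e_cp 3, e_cparhdr 4,
# e_maxalloc 0xFFFF, e_sp 0xB8, e_lfarlc 0x40, reserved fields zero.
# Bytes 60..63 (e_lfanew) differ per binary, so only bytes 0..59 are stable.
CANONICAL_MZ = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00"
    + b"\x00" * 32
)

# Base64 encodes 3-byte quanta. If the header starts 1 or 2 bytes into the
# encoder's input, the leading output characters mix in the preceding bytes;
# this is how many characters to discard for each alignment.
_MIXED_PREFIX = {0: 0, 1: 2, 2: 3}


def mz_b64_signature(offset, header=CANONICAL_MZ):
    """Base64 text `header` produces when it begins `offset` (0, 1 or 2) bytes
    into the encoded buffer. Characters that depend on the preceding bytes or
    on a trailing partial quantum are dropped, so the result depends only on
    the header bytes and the alignment."""
    stream = b"\x00" * offset + header
    encoded = base64.b64encode(stream).decode("ascii")
    full_quanta = len(stream) // 3
    return encoded[_MIXED_PREFIX[offset]:full_quanta * 4]


# Alignment 0 is the rule's literal; 1 and 2 are what the same header looks
# like when something precedes it in the encoded buffer.
SIGNATURES = {off: mz_b64_signature(off) for off in (0, 1, 2)}

# The rule's negated tokens, case-insensitive like its `nocase`.
HTML_MARKERS = re.compile(rb"<html|<body|<script", re.IGNORECASE)


def classify_body(body, min_chars=36):
    """Apply the rule's logic to an HTTP response body (what Suricata exposes
    through file_data). Returns the alignment whose signature is present, or
    None. As in the rule, any <html/<body/<script anywhere in the body
    suppresses the match; unlike the rule, all three alignments are tried.
    `min_chars` of a signature must appear contiguously; 36 reaches e_lfarlc
    for alignment 0, the prefix the rule's literal starts with."""
    if HTML_MARKERS.search(body):
        return None
    for offset, sig in SIGNATURES.items():
        if sig[:min_chars].encode("ascii") in body:
            return offset
    return None


def build_samples():
    """Constructed response bodies, keyed by scenario."""
    # Minimal fake PE: canonical DOS header, e_lfanew = 0x40, PE signature,
    # zero padding. Not a runnable executable.
    fake_pe = CANONICAL_MZ + b"\x40\x00\x00\x00" + b"PE\x00\x00" + b"\x00" * 200
    return {
        # Raw base64 blob served as the whole body: the rule fires (alignment 0).
        "raw_b64": base64.b64encode(fake_pe),
        # Hypothetical loader protocol that prepends a one-byte type tag before
        # encoding: alignment 1, the rule's literal never appears.
        "tagged_b64": b'{"type":1,"data":"' + base64.b64encode(b"\x01" + fake_pe) + b'"}',
        # Hypothetical two-byte little-endian length prefix: alignment 2.
        "len_prefixed_b64": base64.b64encode(len(fake_pe).to_bytes(2, "little") + fake_pe),
        # Same blob rendered inside an HTML page (a paste viewed in a browser):
        # the negated tokens suppress the match by design.
        "html_page": b"<html><body><pre>" + base64.b64encode(fake_pe) + b"</pre></body></html>",
        # Ordinary JSON with no executable: nothing to match.
        "benign": b'{"status":"ok","items":[]}',
    }


if __name__ == "__main__":
    for off, sig in SIGNATURES.items():
        print(f"alignment {off}: {sig[:40]}...")
    for name, body in build_samples().items():
        print(f"{name:18s} -> {classify_body(body)}")
```

Two practical notes follow from this. First, a Suricata `content` match is contiguous, so base64 that has been wrapped at a fixed line length (MIME-style) will only match as far as the first line break; the sample bodies here are unwrapped, as the raw urlhaus download is. Second, base64 is case-sensitive, so `nocase` belongs only on the negated HTML tokens, as in the proposed rule, and never on the MZ literal itself.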


