[Emerging-Sigs] Kovter rule

Edward Fjellskål edwardfjellskaal at gmail.com
Wed Jun 1 16:56:08 EDT 2016

I wrote this with help from someone on the list here :)

I run it in prod with few FPs as it is now. It still fires on the pcap
below, so fix it/bend it to ET format :)

The rule is written based on looking at a bunch of different pcaps.
It can probably be optimized if someone reverses the malware and looks at
how the binary traffic is set up.

alert tcp $HOME_NET any -> $EXTERNAL_NET any (
  msg:"NT TROJAN Downloader/Malware/ClickFraud.Win32.Kovter Client CnC Traffic";
  flow:established,to_server; dsize:4<>256;
  content:!"HTTP"; fast_pattern;
  content:"|00 00 00|"; offset:1; depth:3;
  pcre:"/^([\x21-\x26]|[\x70-\x79]|\x11|\x41|\x45)/R";
  content:!"|00 00|"; distance:0;
  byte_jump:1,0,from_beginning,post_offset 3; isdataat:!2,relative;
  pcre:!"/\x00$/";
  metadata:author networktotal-ebf, dengine suricata-2.0, tlp white, type crimeware, killchain c2, intrusionset none, enabled yes, date_created 2016-05-25, date_modified 2016-05-31;
  classtype:trojan-activity; sid:XXX; rev:3;
)


Also relevant blog:
