Gmane
From: Kevin Ross <kevross33-gM/Ye1E23mwN+BqQ9rBEUg <at> public.gmane.org>
Subject: Re: SIG: ET TROJAN W32/Asprox.Bot Knock Variant CnC Beacon
Newsgroups: gmane.comp.security.ids.snort.emerging-sigs
Date: Tuesday 17th June 2014 08:05:43 UTC (over 3 years ago)
Additions (looking through the blurred-out stuff). Anyway, this is pretty
much Kuluoz except it looks like they have removed the hard-coded string
for the UA and there is the stuff in the HTTP body. Anyway, I have just
Suricata-fied it rather than doing all the depths and things for Snort for
now, just to get the sig out there :-)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN
W32/Asprox.Bot Knock Variant CnC Beacon"; flow:established,to_server;
content:"POST"; http_method; pcre:"/^\x2F[A-F0-9]{20,}+$/U";
content:!"Referer"; http_header; content:""; fast_pattern;
http_client_body; depth:7; content:""; http_client_body; within:6;
content:""; http_client_body; distance:0; content:"";
http_client_body; distance:0; content:""; http_client_body;
distance:0;
pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})\r$/Hmi";
classtype:trojan-activity; reference:url,
www.fireeye.com/blog/technical/malware-research/2014/06/a-not-so-civic-duty-asprox-botnet-campaign-spreads-court-dates-and-malware.html;
sid:139991; rev:1;)

Kind Regards,
Kevin Ross


On 17 June 2014 08:58, Kevin Ross wrote:

> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> W32/Asprox.Bot Knock Variant CnC Beacon"; flow:established,to_server;
> content:"POST"; http_method; content:!"Referer"; http_header;
> content:""; http_client_body; depth:7; content:"";
> http_client_body; within:6; content:""; http_client_body;
> distance:0; content:""; http_client_body; distance:0;
> content:""; http_client_body; distance:0;
> pcre:"/^\x2F[A-F0-9]{20,}+$/U"; classtype:trojan-activity; reference:url,
> www.fireeye.com/blog/technical/malware-research/2014/06/a-not-so-civic-duty-asprox-botnet-campaign-spreads-court-dates-and-malware.html;
> sid:139991; rev:1;)
>
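The non-blurred conditions of the Suricata rule above (POST method, no Referer header, an all-upper-case hex request path of 20 or more characters, and a Host header that is a dotted-quad IP literal with a port) can be reproduced as a small offline checker, which is handy when tuning a rule against sample requests before loading it into a sensor. The following is an added example, not code from the post, from Emerging Threats or from Suricata. It assumes requests are available as raw HTTP/1.x bytes, reproduces only the conditions visible on the page (the http_client_body content matches are blurred out and are therefore omitted), and keeps the Host pcre exactly as written in the rule, which requires a port. The sample requests are constructed, not captured traffic, and use the 192.0.2.0/24 documentation range.

```python
import re

# Mirrors pcre:"/^\x2F[A-F0-9]{20,}+$/U": an upper-case hex path of 20+ chars and nothing else.
URI_RE = re.compile(r"^/[A-F0-9]{20,}$")
# Mirrors the Host-header pcre as written in the rule: dotted-quad IP literal, port required.
HOST_RE = re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5}$")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body).

    Header names are lower-cased so lookups are case-insensitive, matching the
    /i flag on the rule's Host pcre and Suricata's case-insensitive header match.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    method, target = parts[0], parts[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def knock_beacon_misses(raw: bytes) -> list:
    """Return the names of the reproduced rule conditions the request fails.

    An empty list means every reproduced condition matched. The blurred
    http_client_body content matches from the post are not reproduced.
    """
    try:
        method, target, headers, _body = parse_request(raw)
    except ValueError:
        return ["parse"]
    misses = []
    if method != "POST":                       # content:"POST"; http_method;
        misses.append("http_method")
    if "referer" in headers:                   # content:!"Referer"; http_header;
        misses.append("no_referer")
    if not URI_RE.match(target):               # pcre:"/^\x2F[A-F0-9]{20,}+$/U"
        misses.append("hex_uri")
    if not HOST_RE.match(headers.get("host", "")):  # Host pcre, as written (port required)
        misses.append("ip_host")
    return misses


def matches_asprox_knock(raw: bytes) -> bool:
    """True when all reproduced conditions of the rule hold for the request."""
    return not knock_beacon_misses(raw)


# Constructed sample requests (not captured traffic); the body is a placeholder.
BEACON_LIKE = (
    b"POST /0123456789ABCDEF0123 HTTP/1.1\r\n"
    b"Host: 192.0.2.10:8080\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Content-Length: 4\r\n"
    b"\r\n"
    b"xxxx"
)
WITH_REFERER = BEACON_LIKE.replace(b"User-Agent:", b"Referer: http://192.0.2.10/\r\nUser-Agent:")
DOMAIN_HOST = BEACON_LIKE.replace(b"Host: 192.0.2.10:8080", b"Host: www.example.com")
NO_PORT = BEACON_LIKE.replace(b"Host: 192.0.2.10:8080", b"Host: 192.0.2.10")
SHORT_PATH = BEACON_LIKE.replace(b"/0123456789ABCDEF0123 ", b"/0123456789ABCDEF012 ")
GET_REQUEST = BEACON_LIKE.replace(b"POST ", b"GET ")

if __name__ == "__main__":
    samples = [("beacon_like", BEACON_LIKE), ("with_referer", WITH_REFERER),
               ("domain_host", DOMAIN_HOST), ("no_port", NO_PORT),
               ("short_path", SHORT_PATH), ("get_request", GET_REQUEST)]
    for name, req in samples:
        print(f"{name:13s} match={matches_asprox_knock(req)!s:5s} misses={knock_beacon_misses(req)}")
```

The NO_PORT sample is worth keeping in a tuning set: with the Host pcre exactly as posted, a beacon to a bare IP without a port does not fire, so whether that is the intended scope is something to confirm against the referenced FireEye write-up before deploying the rule.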