
List:       emerging-sigs
Subject:    Re: [Emerging-Sigs] Upatre change
From:       Steve Eskew <SEskew () jackhenry ! com>
Date:       2014-09-22 16:08:07
Message-ID: C80DBF0346540E41BD428EA39EFE4900A575F333 () MMOEX10MBS01 ! jhacorp ! com

I think you may be correct. It looks like my sensor was having issues. Sorry for the distraction.

Regards,
Packet Sleuth

From: Darien Huss [mailto:dhuss@emergingthreats.net]
Sent: Monday, September 22, 2014 8:27 AM
To: Steve Eskew
Cc: Packet Sleuth; Emerging Sigs
Subject: Re: [Emerging-Sigs] Upatre change

NP, thanks! I haven't looked into this too deeply yet, but as far as I can tell this should be pretty well covered by these two sigs: 2018635, 2018394. Did you happen to see some traffic that we were missing with those two? The problem with covering Upatre via UA specific sigs is there are so many different UAs, and they seem to change occasionally. At first glance as well the snort version for this may need to be modified to work on off-HTTP ports (the reference MD5 did some GETs to TCP:17909).

Regards,
Darien

On Mon, Sep 22, 2014 at 8:49 AM, Steve Eskew <SEskew@jackhenry.com> wrote:

Just saw an error in the first one. What I get for working late.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Upatre Suspicious User-Agent (Installer) with IP Host"; flow:established,to_server; content:"User-Agent|3a20|Installer|0d0a|"; nocase; http_header; pcre:"/^User\x2dAgent\x3a\sInstaller\r\nHost\x3a\s\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b\r\n/Hi"; reference:md5,8f602ab1e9288adbb80a93e50bdbe144; classtype:trojan-activity; sid:xxxxxx; rev:1;)

Packet Sleuth


From: emerging-sigs-bounces@lists.emergingthreats.net [mailto:emerging-sigs-bounces@lists.emergingthreats.net] On Behalf Of Darien Huss
Sent: Monday, September 22, 2014 7:33 AM
To: Packet Sleuth
Cc: Emerging Sigs
Subject: Re: [Emerging-Sigs] Upatre change

Thanks, we'll take a look at these and get them into QA!

Regards,
Darien

On Mon, Sep 22, 2014 at 8:28 AM, Packet Sleuth <p4ck37sleuth@gmail.com> wrote:

Attempted to send this late Friday, but it failed. Wanted to get it in. Haven't had time to test them yet. This is being reported as Upatre by some of the AV vendors when submitted to Virus Total.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Upatre Suspicious User-Agent (Installer) with IP Host"; flow:established,to_server; content:"User-Agent|3a20|Installer|0d0a|"; nocase; http_header; pcre:"/^User\x3a\sInstaller\r\nHost\x3a\s\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b\r\n/Hi"; reference:md5,8f602ab1e9288adbb80a93e50bdbe144; classtype:trojan-activity; sid:xxxxxx; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Upatre downloading purported Tar file"; flow:to_client,established; content:"Content-Type|3a20|application/x-tar|0d0a|"; nocase; http_header; content:"Vary|3a20|"; nocase; http_header; pcre:"/Vary\x3a\x20(Accept-Encoding,)?User-Agent\r\n\r\n/Hi"; reference:md5,8f602ab1e9288adbb80a93e50bdbe144; classtype:trojan-activity; sid:xxxxxx; rev:1;)

Regards,
Packet Sleuth

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs@lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net


NOTICE: This electronic mail message and any files transmitted with it are intended
exclusively for the individual or entity to which it is addressed. The message,
together with any attachment, may contain confidential and/or privileged information.
Any unauthorized review, use, printing, saving, copying, disclosure or distribution
is strictly prohibited. If you have received this message in error, please
immediately advise the sender by reply email and delete all copies.

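The pcre bodies of the three rules quoted in this thread, run over constructed HTTP header blocks as an added example (not code from the thread or from Emerging Threats), to show concretely why the first posted version never fires and what the corrected one and the tar rule actually require. It assumes Snort's http_header buffer begins after the request or status line and that the /Hi flags amount to a case-insensitive search of that buffer.

```python
import re

# pcre bodies copied from the posted rules (bytes, since Snort matches raw headers).
# Without the /m flag, "^" matches only at the very start of the header buffer.
UA_PCRE_V1 = rb"^User\x3a\sInstaller\r\nHost\x3a\s\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b\r\n"
UA_PCRE_V2 = rb"^User\x2dAgent\x3a\sInstaller\r\nHost\x3a\s\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b\r\n"
TAR_PCRE = rb"Vary\x3a\x20(Accept-Encoding,)?User-Agent\r\n\r\n"


def header_buffer(raw):
    """Everything after the request/status line (assumed http_header layout)."""
    return raw.split(b"\r\n", 1)[1]


def matches(pcre, raw):
    """Apply one pcre body the way /Hi would: header buffer, case-insensitive."""
    return re.search(pcre, header_buffer(raw), re.IGNORECASE) is not None


# Constructed request resembling what the first rule targets (not a real capture).
REQ = (b"GET /x.tar HTTP/1.1\r\n"
       b"User-Agent: Installer\r\n"
       b"Host: 192.0.2.10\r\n\r\n")
# Same headers with Host first: "^" no longer lines up with User-Agent.
REQ_HOST_FIRST = (b"GET /x.tar HTTP/1.1\r\n"
                  b"Host: 192.0.2.10\r\n"
                  b"User-Agent: Installer\r\n\r\n")
# Hostname instead of a dotted quad: the "with IP Host" clause should not fire.
REQ_HOSTNAME = (b"GET /x.tar HTTP/1.1\r\n"
                b"User-Agent: Installer\r\n"
                b"Host: cdn.example\r\n\r\n")
# Constructed response for the tar rule; the pcre needs Vary to be the last header.
RESP = (b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: application/x-tar\r\n"
        b"Vary: Accept-Encoding,User-Agent\r\n\r\n")


def evaluate():
    return {
        "v1_on_req": matches(UA_PCRE_V1, REQ),                 # False: "User:" is not "User-Agent:"
        "v2_on_req": matches(UA_PCRE_V2, REQ),                 # True
        "v2_host_first": matches(UA_PCRE_V2, REQ_HOST_FIRST),  # False: "^" anchoring
        "v2_hostname": matches(UA_PCRE_V2, REQ_HOSTNAME),      # False: no IP in Host
        "tar_on_resp": matches(TAR_PCRE, RESP),                # True
    }


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name}: {hit}")
```

Darien's off-port caveat sits outside these matchers: the rule header still reads $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS, so a GET to TCP/17909 is never handed to the http_header content or pcre checks unless that variable covers the port.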