List: emerging-sigs
Subject: Re: [Emerging-Sigs] REMCOS detection on packet lengths. (+PCAPs)
From: attackdetectionteam <attackdetectionteam () gmail ! com>
Date: 2017-09-30 13:47:43
Message-ID: 39d0b8e1-e485-fd28-3043-5e7c21272ff1 () gmail ! com
Update for the detection sample:
https://www.hybrid-analysis.com/sample/108a5691c5777560bf25cb2b40f95f967c5c698699ffa4f97b37d1185cab10e6?environmentId=100
2 rules from the new revision:
alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET TROJAN [PTsecurity] pkt checker 2"; flow:established,to_server; dsize:50<>101; stream_size:server,<,35; stream_size:client,<,610; stream_size:server,>,0; stream_size:client,>,30; flowbits:noalert; flowbits:isset,FB180732_1; flowbits:unset,FB180732_1; flowbits:set,FB180732_2; metadata:former_category TROJAN; classtype:trojan-activity; sid:2024696; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_11, malware_family Remcos, performance_impact Significant, updated_at 2017_09_11;)
alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET TROJAN [PTsecurity] Backdoor.Win32/Remcos RAT connection"; flow:established,to_server; dsize:81<>101; stream_size:server,<,70; stream_size:client,<,696; stream_size:client,>,0; stream_size:server,>,35; flowbits:isset,FB180732_3; flowbits:unset,FB180732_3; threshold:type limit,track by_src,count 1,seconds 30; metadata:former_category TROJAN; reference:url,blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2; classtype:trojan-activity; sid:2024698; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_11, malware_family Remcos, performance_impact Moderate, updated_at 2017_09_11;)
The complete set includes 5 rules linked by flowbits.
A new PCAP has also been added to the Dropbox link:
587eaac76348ac786a460b014cd05dc9bc2c99add19a2bcb6178e334c05dadaa.pcap.gz
Best regards,
-John.
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs@lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
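The two posted rules only fire as a chain: sid 2024696 consumes FB180732_1 and raises FB180732_2 without alerting, and sid 2024698 alerts once FB180732_3 is set, each gated by dsize and stream_size windows. The following is an added example, not code from the poster or from Emerging Threats: a small Python model of that evaluation over a constructed to_server packet sequence. It uses only the detection options of the two rules (metadata and reference dropped), treats `lo<>hi` as exclusive, approximates stream_size as cumulative payload bytes per direction, and presets FB180732_1/FB180732_3 because the three rules that set them are not in the message.

```python
import re

# Detection options of the two rules in the message (metadata/reference omitted).
RULES = {
    2024696: 'dsize:50<>101; stream_size:server,<,35; stream_size:client,<,610; '
             'stream_size:server,>,0; stream_size:client,>,30; flowbits:noalert; '
             'flowbits:isset,FB180732_1; flowbits:unset,FB180732_1; flowbits:set,FB180732_2;',
    2024698: 'dsize:81<>101; stream_size:server,<,70; stream_size:client,<,696; '
             'stream_size:client,>,0; stream_size:server,>,35; '
             'flowbits:isset,FB180732_3; flowbits:unset,FB180732_3;',
}

def evaluate(options, pkt, bits):
    """Return True (alert) / False (noalert) on a match, None if the rule did not match."""
    opts = [(k, v.strip()) for k, v in re.findall(r'(\w+):\s*([^;]*);', options)]
    for key, val in opts:                        # match conditions first, no side effects
        if key == 'dsize':                       # lo<>hi is exclusive: lo < dsize < hi
            lo, hi = map(int, val.split('<>'))
            if not lo < pkt['dsize'] < hi:
                return None
        elif key == 'stream_size':               # side,<|>,bytes
            side, op, n = [s.strip() for s in val.split(',')]
            if not (pkt[side] < int(n) if op == '<' else pkt[side] > int(n)):
                return None
        elif key == 'flowbits' and val.startswith('isset'):
            if val.split(',')[1].strip() not in bits:
                return None
    # Matched: apply set/unset; noalert suppresses the alert but keeps the state change.
    actions = re.findall(r'flowbits:\s*(\w+),?\s*(\w*)', options)
    for action, bit in actions:
        if action == 'set':
            bits.add(bit)
        elif action == 'unset':
            bits.discard(bit)
    return ('noalert', '') not in actions

def run_flow(packets, preset_bits=()):
    """Run all rules over one flow's to_server packets; return (alerting sids, final bits)."""
    bits, alerts = set(preset_bits), []
    for pkt in packets:
        for sid, options in RULES.items():
            if evaluate(options, pkt, bits):
                alerts.append(sid)
    return alerts, bits

# Constructed packets: payload size plus cumulative bytes per direction (approximates stream_size).
PACKETS = [
    {'dsize': 60, 'client': 60, 'server': 10},    # inside 2024696's window only
    {'dsize': 90, 'client': 150, 'server': 50},   # inside 2024698's window only
]
```

With the earlier bits preset, the first packet silently advances the chain and the second packet alerts on sid 2024698; without them, neither rule fires, which is why the five rules have to be deployed together.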