
List:       snort-sigs
Subject:    Re: [Snort-sigs] Dridex/Kryptik Pascal Library X-Mailer sig
From:       Matthew Mickel <mmickel () sourcefire ! com>
Date:       2015-05-26 14:54:40
Message-ID: CAD_9SKt=9kHVzjE9xf6NomMTCm0qmAYBzp83hxqnTkBxD3xWpg () mail ! gmail ! com



Hi, James-

Thanks for your submission.  I'll put the rule through our regular testing
process and get back to you when it's finished.  Best,

Matt Mickel

On Thu, May 21, 2015 at 1:33 PM, James Lay <jlay@slave-tothe-box.net> wrote:

> Saw a fair bit of malicious emails with:
> 
> X-mailer: Synapse - Pascal TCP/IP library by Lukas Gebauer
> 
> set.  These included this type of malicious link (brackets added):
> 
> 
> meows://www.google[.]com/url?q=meows%3A%2F%2Fcopy[.]com%2FBmlHcclqSfe7COabPactDgg%2FWire_%2520transfer411A.zip%3Fdownload%3D1&sa=D&sntz=1&usg=AFQjCNHGxjvBdYV5kCQpDyaS4LSYSl1pOA
>  
> These lead to badness:
> 
> 
> https://www.virustotal.com/en/file/d56e7dea0e119f9a37f2cb7915c3aca0056064a8cc2bd373f2a9a8d97d548c43/analysis/
>  
> https://www.hybrid-analysis.com/search?query=d56e7dea0e119f9a37f2cb7915c3aca0056064a8cc2bd373f2a9a8d97d548c43+
>  
> Below should catch this particular mailer:
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"MALWARE-OTHER Possible Malicious Email with Pascal TCP/IP library X-mailer"; flow:to_server,established; content:"X-mailer|3a| Synapse - Pascal TCP|2f|IP library by Lukas Gebauer"; fast_pattern:only; classtype:bad-unknown; sid:10000160; rev:1;)
> 
> James
> 
> 
> ------------------------------------------------------------------------------
> One dashboard for servers and applications across Physical-Virtual-Cloud
> Widest out-of-the-box monitoring support with 50+ applications
> Performance metrics, stats and reports that give you Actionable Insights
> Deep dive visibility with transaction tracing using APM Insight.
> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> 
> 
> Please visit http://blog.snort.org for the latest news about Snort!
> 
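As an added example, not code from James's post, from Snort or from the Synapse project, the script below shows what the posted rule's `content` match actually compares against. It decodes the Snort content string (with its `|3a|` and `|2f|` hex escapes) into raw bytes and searches a few constructed SMTP message samples the way a byte-level content match does, side by side with an RFC 5322 header-aware check. The comparison makes two practical points about the rule as posted: the content match is case-sensitive unless the rule also carries `nocase`, so a message that spells the header `X-Mailer` would not trigger it, and a header value folded across two lines would not match either, whereas a check that parses the headers handles both. The sample messages, addresses and function names are all constructed for this example.

```python
"""Compare Snort's byte-level content match with an RFC 5322 header check.

Added example for the X-mailer rule discussed on the list; the sample
messages below are constructed for illustration, not captured traffic.
"""
import email

# The content string exactly as it appears in the rule posted to the list.
RULE_CONTENT = "X-mailer|3a| Synapse - Pascal TCP|2f|IP library by Lukas Gebauer"
# The header value the rule is looking for, written out in plain text.
EXPECTED_MAILER = "Synapse - Pascal TCP/IP library by Lukas Gebauer"


def parse_snort_content(content: str) -> bytes:
    """Decode a Snort 'content' string into the raw bytes it matches.

    Text between a pair of '|' characters is a run of hex bytes
    (e.g. |3a| is ':'); everything outside the pipes is literal text.
    """
    out = bytearray()
    for index, chunk in enumerate(content.split("|")):
        if index % 2 == 0:          # literal text
            out += chunk.encode("latin-1")
        else:                       # hex run such as "3a" or "0d 0a"
            out += bytes.fromhex(chunk.replace(" ", ""))
    return bytes(out)


def snort_content_match(payload: bytes, content: str, nocase: bool = False) -> bool:
    """Mimic the content keyword: a raw substring search over the payload,
    case-sensitive unless the rule also carries the nocase modifier."""
    needle = parse_snort_content(content)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload


def header_match(raw_message: bytes, expected: str = EXPECTED_MAILER) -> bool:
    """Header-aware check: parse the message per RFC 5322, so the header
    name is matched case-insensitively and folded continuation lines are
    joined before the value is compared."""
    msg = email.message_from_bytes(raw_message)
    value = msg.get("X-Mailer")       # header lookup is case-insensitive
    if value is None:
        return False
    return " ".join(value.split()) == expected   # collapse folding whitespace


def build_sample(mailer_header: bytes) -> bytes:
    """Constructed SMTP DATA payload carrying the given X-mailer header line(s)."""
    return (b"From: sender@example.invalid\r\n"
            b"To: recipient@example.invalid\r\n"
            b"Subject: Wire transfer\r\n"
            + mailer_header +
            b"\r\n\r\nPlease see the attached document.\r\n")


# Three constructed variants of the header the rule targets.
SAMPLES = {
    "lowercase name": build_sample(b"X-mailer: " + EXPECTED_MAILER.encode()),
    "capitalised name": build_sample(b"X-Mailer: " + EXPECTED_MAILER.encode()),
    "folded value": build_sample(
        b"X-mailer: Synapse - Pascal\r\n TCP/IP library by Lukas Gebauer"),
}


def evaluate(samples: dict) -> dict:
    """Return, per sample, whether each style of check would flag it."""
    return {
        name: {
            "content": snort_content_match(payload, RULE_CONTENT),
            "content nocase": snort_content_match(payload, RULE_CONTENT, nocase=True),
            "header parse": header_match(payload),
        }
        for name, payload in samples.items()
    }


if __name__ == "__main__":
    for name, result in evaluate(SAMPLES).items():
        print(f"{name:18} {result}")
```

Run it directly to print which of the three samples each check flags. One further point for anyone loading the rule from this thread: Snort parses a rule as one logical line, so a rule that a mail client has wrapped must be rejoined (or continued with a trailing backslash) before it will load.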

