Snort mailing list archives
Re: Neutrino EK initial landing on a DGA host
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 4 Jun 2013 18:28:39 -0400
Nathan,

Do you happen to have a pcap of this? I think we already catch this, and if so, we'll open the rules, but I wanted to check if you have the data.

J

On Jun 4, 2013, at 3:44 PM, Community Proposed <lists () packetmail net> wrote:
We picked up a hostile Neutrino EK initial landing on a DGA host, it's 24-byte
a-f leading child domain. pDNS shows that the IPs in question have multiple
DGAs pointed to it -- feel free to validate. I don't see payload but I'm not
100% with Neutrino like the other EKs.
IP - 37.59.151.254
IP - 178.238.230.173
IP - 178.32.176.219
RegEx for match (WebWasher/WebGateway format):
regex((?-i)http:\/\/[a-f0-9]{24}\.[^\.]+\.[a-z]{2,4}[\x2f\x3a][^\r\n]+$)
Nathan Fowler, Jun 04 2013, Neutrino Exploit Kit initial landing 24-byte DGA.
Snort Sig, might be crappy, double check me on distance/within.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS
Neutrino EK DGA requested over HTTP"; flow:established,to_server;
content:"Host|3a 20|"; http_header;
content:"."; http_header; distance:24; within:1;
pcre:"/Host\x3a\x20[a-f0-9]{24}\.[^\.]+\.[a-z]{2,4}[\x3a\r\n]/H";
classtype:trojan-activity; sid:x; rev:1;)
Validation:
select distinct date_time, http_status, block_reason, user_name, url from
webwasher_full where day>='2013-05-01' and url rlike
'http:\\/\\/[a-f0-9]{24}\\.[^\\.]+\\.[a-z]{2,4}[\\x2f\\x3a][^\\r\\n]+$' and
http_status <> '407'
[03/Jun/2013:12:21:30 -0600] 403 Malware found hxxp://73c96a6e5669cd1c04d935f8.homeftp.net:8000/abdmkligulifci?hash=f47467dbe2117272f25d0fd98b61ba5a&qlwrywrlrlev=358488
[03/Jun/2013:14:12:49 -0600] 403 Malware found hxxp://3a0be0574268a3bf2d7f1f35.homeftp.net:8000/axjop?hash=f47467dbe2117272f25d0fd98b61ba5a&qwkqusrhbm=358488
[03/Jun/2013:15:21:58 -0600] 403 Malware found hxxp://774f4fbced510393034e7fbc.homeftp.net:8000/arjmwhtocqhn?qksetrpgspud=5432189
[04/Jun/2013:10:32:49 -0600] 403 Malware found hxxp://88f3a91bf73b8534563ac260.homeftp.org:8000/atrvcb?hash=f47467dbe2117272f25d0fd98b61ba5a&qgdijbgx=358488
[31/May/2013:13:23:47 -0600] 200 - hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/arhxxx?qlwgvb=403906
[31/May/2013:13:23:51 -0600] 200 - hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/zbzs.js
[31/May/2013:13:23:51 -0600] 200 - hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/atvxwt.css
[31/May/2013:13:23:51 -0600] 200 - hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/qiqisdikou.css
[31/May/2013:13:23:51 -0600] 200 - hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/markldprj.css
[31/May/2013:13:23:51 -0600] 200 - hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/rxmdvvpn.js
[31/May/2013:13:23:52 -0600] 200 - hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/vbiuchm.js
[31/May/2013:13:23:52 -0600] 200 - hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/pyafhqozux.css
[31/May/2013:13:23:52 -0600] 200 - hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/qkuybslfn.js
[31/May/2013:13:23:52 -0600] 200 - hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/jtylljqzqlazgcht.js
[31/May/2013:13:23:52 -0600] 200 - hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/mrdefsdfykv.js
[31/May/2013:13:23:52 -0600] 200 - hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/bxobfcftotdnsd.js
[31/May/2013:13:23:52 -0600] 200 - hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/oysnnyor.css
[31/May/2013:13:23:52 -0600] 200 - hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/mciylzxclybrbil.js
[31/May/2013:13:23:52 -0600] 200 - hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/zogaeoag.css
[31/May/2013:13:23:52 -0600] 200 - hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/scripts/js/plg.js
[31/May/2013:13:23:53 -0600] 200 - hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/aophawfn.jpg
[31/May/2013:13:23:53 -0600] 200 - hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/wphqdnxibfa.gif
[31/May/2013:13:23:53 -0600] 200 - hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/rvpdvnfglhyn.jpg
[31/May/2013:13:23:53 -0600] 200 - hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/rzxvokmg.gif
[31/May/2013:13:23:53 -0600] 200 - hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/kikmomrhbllpep.js
[31/May/2013:13:23:53 -0600] 200 - hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/jbstoggf.jpg
[31/May/2013:13:23:53 -0600] 200 - hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/uduzindnmojz.js
[31/May/2013:13:23:53 -0600] 200 - hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/lxjmrf.css
[31/May/2013:13:23:54 -0600] 200 - hxxp://1732e11475aebfef554f6ed5.homelinux.org:8000/bzynxtkzmop
[30/May/2013:13:15:58 -0600] 403 Category Blocklist hxxp://1debaac13828d44b089f1928.here-for-more.info:8000/alpwptfr?qwhglf=403906
[29/May/2013:12:46:42 -0600] 200 - hxxp://369da9acb3862aa33a1646c4.homelinux.com:8000/akrlprngl?qxyyejxbjlb=403906
[29/May/2013:12:46:43 -0600] 200 - hxxp://369da9acb3862aa33a1646c4.homelinux.com:8000/gjdk.css
[29/May/2013:12:46:43 -0600] 200 - hxxp://369da9acb3862aa33a1646c4.homelinux.com:8000/ihvqulnxk.js
[29/May/2013:12:46:43 -0600] 200 - hxxp://369da9acb3862aa33a1646c4.homelinux.com:8000/szfnpiopydjzoi.css
[29/May/2013:12:46:43 -0600] 200 - hxxp://369da9acb3862aa33a1646c4.homelinux.com:8000/wwmlbfxah.css
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
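As an added example, not code from the thread: Python that applies the posted WebWasher URL regex to proxy-log lines and re-implements the Snort rule's content/pcre checks (the "." exactly 24 bytes after "Host: ", then the pcre) on a raw request header block. The hostnames, log lines and request are constructed on example.net; the last sample line shows that the pattern only fits hosts with exactly one label between the hex label and the TLD.

```python
import re

# URL form, transcribed from the WebWasher regex in the thread: "http://", a label of exactly
# 24 lowercase hex chars, one more label, a 2-4 letter TLD, then "/" or ":" plus more. Case-sensitive ((?-i)).
URL_RE = re.compile(r'^http://[a-f0-9]{24}\.[^.]+\.[a-z]{2,4}[/:][^\r\n]+$')

# Header form of the same shape, transcribed from the Snort rule's pcre (/H = header buffer).
HOST_RE = re.compile(rb'Host\x3a\x20[a-f0-9]{24}\.[^.]+\.[a-z]{2,4}[\x3a\r\n]')

def url_matches(url: str) -> bool:
    """Proxy-log check: does the URL have the 24-hex-char DGA child-domain shape?"""
    return URL_RE.match(url) is not None

def snort_rule_matches(request: bytes) -> bool:
    """Mirror of the rule's content/pcre options on a raw HTTP request header block.
    content:"Host|3a 20|" sets the detect offset; content:"."; distance:24; within:1
    requires a "." exactly 24 bytes later; the pcre then confirms the whole host shape.
    The real rule's flow and port constraints are not modelled here."""
    idx = request.find(b'Host\x3a\x20')
    if idx < 0:
        return False
    doe = idx + len(b'Host\x3a\x20')          # end of the first content match
    if request[doe + 24:doe + 25] != b'.':    # distance:24; within:1
        return False
    return HOST_RE.search(request) is not None

def scan_log(lines):
    """Return (status, url) for each WebWasher-style line whose URL matches.
    Assumes the layout '[date tz] <status> <block reason...> <url>' with the URL last."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 3 and url_matches(fields[-1]):
            hits.append((fields[2], fields[-1]))
    return hits

# Constructed sample lines in the style of the proxy output in the thread (not real traffic).
SAMPLE_LOG = [
    '[03/Jun/2013:12:21:30 -0600] 403 Malware found http://0123456789abcdef01234567.example.net:8000/landing?x=1',
    '[03/Jun/2013:12:21:31 -0600] 200 - http://0123456789abcdef01234567.example.net:8000/a.js',
    '[03/Jun/2013:12:21:32 -0600] 200 - http://www.example.net/index.html',               # ordinary host
    '[03/Jun/2013:12:21:33 -0600] 200 - http://0123456789ABCDEF01234567.example.net/x',    # uppercase: (?-i) rejects
    '[03/Jun/2013:12:21:34 -0600] 200 - http://0123456789abcdef01234567.a.example.net/x',  # extra label: no match
]

# Constructed request header block for the Snort mirror (not captured traffic).
SAMPLE_REQUEST = (b'GET /landing?x=1 HTTP/1.1\r\n'
                  b'Host: 0123456789abcdef01234567.example.net:8000\r\n'
                  b'User-Agent: x\r\n\r\n')
```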