Wednesday, June 11, 2014

snort rules - Pandemiya Trojan - Zeus-based Variant

Earlier today a colleague (thanks Zuhair) made me aware of a newly discovered Zeus-based variant, Pandemiya. He sent me the following three links:
 
High-level Description
Detailed Technical Description
Symantec Assessment

As a result I've developed and tested the following Snort rules. I'll be deploying them myself and am publishing them here in the hope that they are useful to someone else.

# POST request carrying the "Hello 2.0" User-Agent and the marker string aWnBrokeQxPeKunljEDkm
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Pandemiya Trojan - Zeus-based Variant - POST request"; flow:to_server,established; content:"POST"; http_method; content:"User-Agent"; nocase; content:"Hello|20|2|2E|0"; nocase; fast_pattern; content:"aWnBrokeQxPeKunljEDkm"; nocase; reference:url,blogs.rsa.com/new-pandemiya-trojan-emerges-alternative-zeus-based-variants; reference:url,symantec.com/security_response/writeup.jsp?docid=2014-061111-3458-99&tabid=2; priority:1; sid:4000001; rev:1;)

# POST request carrying the "Hello 2.0" User-Agent and the marker string P4ND3M1CB00BF4C3
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Pandemiya Trojan - Zeus-based Variant - POST request"; flow:to_server,established; content:"POST"; http_method; content:"User-Agent"; nocase; content:"Hello|20|2|2E|0"; nocase; fast_pattern; content:"P4ND3M1CB00BF4C3"; nocase; reference:url,blogs.rsa.com/new-pandemiya-trojan-emerges-alternative-zeus-based-variants; reference:url,symantec.com/security_response/writeup.jsp?docid=2014-061111-3458-99&tabid=2; priority:1; sid:4000002; rev:1;)

# GET request carrying the "Hello 2.0" User-Agent and the marker string aWnBrokeQxPeKunljEDkm
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Pandemiya Trojan - Zeus-based Variant - GET request"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent"; nocase; content:"Hello|20|2|2E|0"; nocase; fast_pattern; content:"aWnBrokeQxPeKunljEDkm"; nocase; reference:url,blogs.rsa.com/new-pandemiya-trojan-emerges-alternative-zeus-based-variants; reference:url,symantec.com/security_response/writeup.jsp?docid=2014-061111-3458-99&tabid=2; priority:1; sid:4000003; rev:1;)

# GET request carrying the "Hello 2.0" User-Agent and the marker string P4ND3M1CB00BF4C3
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Pandemiya Trojan - Zeus-based Variant - GET request"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent"; nocase; content:"Hello|20|2|2E|0"; nocase; fast_pattern; content:"P4ND3M1CB00BF4C3"; nocase; reference:url,blogs.rsa.com/new-pandemiya-trojan-emerges-alternative-zeus-based-variants; reference:url,symantec.com/security_response/writeup.jsp?docid=2014-061111-3458-99&tabid=2; priority:1; sid:4000004; rev:1;)
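To sanity-check what the rules above actually match before loading them into a sensor, here is an added Python self-test (not part of the original post) that expands Snort's |hex| content notation and replays the rules' content checks against constructed HTTP requests. It mirrors only the content/nocase matching, not Snort's flow tracking or HTTP preprocessing, and the sample requests and host names are made up for the test.

```python
def snort_content_bytes(pattern: str) -> bytes:
    """Expand a Snort content string: text outside |...| is literal, text
    inside |...| is hex bytes. "Hello|20|2|2E|0" therefore means b"Hello 2.0".
    """
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2 == 0:                       # even segments are literal text
            out += part.encode("latin-1")
        else:                                # odd segments are hex bytes
            out += bytes.fromhex(part.replace(" ", ""))
    return bytes(out)


# Content matches copied from the four rules above; every one uses nocase.
UA_MARKER = snort_content_bytes("Hello|20|2|2E|0")
PAYLOAD_MARKERS = [snort_content_bytes("aWnBrokeQxPeKunljEDkm"),
                   snort_content_bytes("P4ND3M1CB00BF4C3")]


def pandemiya_rule_hits(request: bytes) -> list:
    """Return the msg strings of the rules whose content checks all pass
    on a raw HTTP request (method + "User-Agent" + "Hello 2.0" + a marker).
    """
    method = request.split(b" ", 1)[0].decode("latin-1", "replace")
    if method not in ("POST", "GET"):
        return []
    lowered = request.lower()                # nocase: compare in lowercase
    if b"user-agent" not in lowered or UA_MARKER.lower() not in lowered:
        return []
    return [f"Pandemiya Trojan - Zeus-based Variant - {method} request"
            for marker in PAYLOAD_MARKERS if marker.lower() in lowered]


# Constructed sample traffic (not real captures) for the self-check.
SAMPLE_HIT = (b"POST /index.php HTTP/1.1\r\nHost: example.invalid\r\n"
              b"User-Agent: Hello 2.0\r\nContent-Length: 21\r\n\r\n"
              b"aWnBrokeQxPeKunljEDkm")
SAMPLE_BENIGN = (b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n"
                 b"User-Agent: Mozilla/5.0\r\n\r\n")

if __name__ == "__main__":
    print(snort_content_bytes("Hello|20|2|2E|0"))   # b'Hello 2.0'
    print(pandemiya_rule_hits(SAMPLE_HIT))           # one POST rule fires
    print(pandemiya_rule_hits(SAMPLE_BENIGN))        # []
```

Note that, like the rules, the check only requires the strings to appear somewhere in the request, so the "Hello 2.0" match is not pinned to the User-Agent header itself.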


If anyone thinks these can be improved, please feel free to drop me a line at nikalleyne at gmail dot com.
