Earlier today a colleague (thanks Zuhair) made me aware of a new Zeus-based variant which was discovered. He sent me the following three links:
High-level Description
Detailed Technical Description
Symantec Assessment
As a result I've developed and tested the following Snort rules. I'm publishing them here in the hope that they can help someone. I will be implementing these and thought someone else may find them useful.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"Pandemiya Trojan - Zeus-based Variant - POST request"; \
    flow:to_server,established; \
    content:"POST"; http_method; \
    content:"User-Agent"; nocase; \
    content:"Hello|20|2|2E|0"; nocase; fast_pattern; \
    content:"aWnBrokeQxPeKunljEDkm"; nocase; \
    reference:url,blogs.rsa.com/new-pandemiya-trojan-emerges-alternative-zeus-based-variants; \
    reference:url,symantec.com/security_response/writeup.jsp?docid=2014-061111-3458-99&tabid=2; \
    classtype:trojan-activity; priority:1; sid:4000001; rev:1; \
)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"Pandemiya Trojan - Zeus-based Variant - POST request"; \
    flow:to_server,established; \
    content:"POST"; http_method; \
    content:"User-Agent"; nocase; \
    content:"Hello|20|2|2E|0"; nocase; fast_pattern; \
    content:"P4ND3M1CB00BF4C3"; nocase; \
    reference:url,blogs.rsa.com/new-pandemiya-trojan-emerges-alternative-zeus-based-variants; \
    reference:url,symantec.com/security_response/writeup.jsp?docid=2014-061111-3458-99&tabid=2; \
    classtype:trojan-activity; priority:1; sid:4000002; rev:1; \
)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"Pandemiya Trojan - Zeus-based Variant - GET request"; \
    flow:to_server,established; \
    content:"GET"; http_method; \
    content:"User-Agent"; nocase; \
    content:"Hello|20|2|2E|0"; nocase; fast_pattern; \
    content:"aWnBrokeQxPeKunljEDkm"; nocase; \
    reference:url,blogs.rsa.com/new-pandemiya-trojan-emerges-alternative-zeus-based-variants; \
    reference:url,symantec.com/security_response/writeup.jsp?docid=2014-061111-3458-99&tabid=2; \
    classtype:trojan-activity; priority:1; sid:4000003; rev:1; \
)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"Pandemiya Trojan - Zeus-based Variant - GET request"; \
    flow:to_server,established; \
    content:"GET"; http_method; \
    content:"User-Agent"; nocase; \
    content:"Hello|20|2|2E|0"; nocase; fast_pattern; \
    content:"P4ND3M1CB00BF4C3"; nocase; \
    reference:url,blogs.rsa.com/new-pandemiya-trojan-emerges-alternative-zeus-based-variants; \
    reference:url,symantec.com/security_response/writeup.jsp?docid=2014-061111-3458-99&tabid=2; \
    classtype:trojan-activity; priority:1; sid:4000004; rev:1; \
)
If anyone thinks these can be better modified, please feel free to drop me a line at nikalleyne at gmail dot com.