alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"nvidia.com|0d 0a|"; http_header; content:!"dc.services.visualstudio.com|0d 0a|"; http_header; content:"C|3A 5C 5C|WINDOWS|5C|"; fast_pattern; nocase; http_client_body; content:!".avg.com|0d 0a|"; http_header; content:!"bitdefender.net|0d 0a|"; http_header; content:!"svc.iolo.com|0d 0a|"; http_header; content:!".lavasoft.com"; http_header; classtype:trojan-activity; sid:2011341; rev:13;)

Added 2017-04-10 17:27:57 UTC
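As an added example (not the ET rule itself and not anything posted in this thread), a small Python emulation of the rev 13 match logic, run over constructed requests modelled on the hosts reported below; the `flow:` keyword and HTTP normalisation are assumed out of scope.

```python
# Added example: emulate how sid:2011341 rev:13 combines its one positive
# http_client_body match with the negated http_header matches.

# Negated header strings copied from the rule. A trailing "\r\n" (|0d 0a| in
# the rule) anchors the string to the end of a header line; the Lavasoft
# entry has no such anchor and so matches anywhere in the header block.
NEGATED_HEADERS = [
    b"nvidia.com\r\n", b"dc.services.visualstudio.com\r\n", b".avg.com\r\n",
    b"bitdefender.net\r\n", b"svc.iolo.com\r\n", b".lavasoft.com",
]
# content:"C|3A 5C 5C|WINDOWS|5C|"; nocase; -> the bytes  C:\\WINDOWS\
BODY_BYTES = b"C:\\\\WINDOWS\\"

def split_request(raw: bytes):
    """Split a raw HTTP request into (method, header block, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    method = request_line.split(b" ", 1)[0]
    return method, headers + b"\r\n", body

def rule_2011341_fires(raw: bytes) -> bool:
    """True when the emulated rule would alert on this request."""
    method, headers, body = split_request(raw)
    if method.upper() != b"POST":                  # content:"POST"; http_method;
        return False
    if BODY_BYTES.lower() not in body.lower():     # positive body match, nocase
        return False
    # Any negated header string present means the rule does not match.
    return not any(neg in headers for neg in NEGATED_HEADERS)

# Constructed samples (hosts taken from the FP reports, bodies shortened).
AVG_REPORT = (b"POST /v1/events.aspx HTTP/1.1\r\nHost: reporting.cloudcare.avg.com\r\n"
              b"Content-Type: application/json\r\n\r\n"
              b'{"object_name":"C:\\\\Windows\\\\System32\\\\x.tmp"}')
IOLO_REPORT = (b"POST /report HTTP/1.1\r\nHost: svc.iolo.com\r\n\r\n"
               b"normal C:\\\\Windows\\\\System32\\\\svc.exe")
UNKNOWN_HOST = (b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
                b"path=C:\\\\WINDOWS\\\\system32\\\\file.exe")

if __name__ == "__main__":
    for name, req in [("AVG", AVG_REPORT), ("iolo", IOLO_REPORT), ("unknown", UNKNOWN_HOST)]:
        print(name, "alert" if rule_2011341_fires(req) else "suppressed")
```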


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"nvidia.com|0d 0a|"; http_header; content:!"dc.services.visualstudio.com|0d 0a|"; http_header; content:"C|3A 5C 5C|WINDOWS|5C|"; fast_pattern; nocase; http_client_body; content:!".avg.com|0d 0a|"; http_header; content:!"bitdefender.net|0d 0a|"; http_header; content:!"svc.iolo.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2011341; rev:12;)

Added 2017-03-01 16:50:34 UTC

FP for legitimate antivirus software - Lavasoft http://www.lavasoft.com/

POST /v1/event-stat/?ProductID=IS&Type=BundleInstallComplete HTTP/1.1
Content-Type: application/json;charset=utf-8
Host: flow.lavasoft.com
Content-Length: 39186
Expect: 100-continue

HTTP/1.1 100 Continue

################################### C:\\Windows\\system32\\.......exe" C:\\Windows\\system32\\ \\....exe"

...... ...... ..... ###################################

-- DenisI - 2017-04-10

Thanks, fixing this today!

-- DarienH - 2017-04-10


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"nvidia.com|0d 0a|"; http_header; content:!"dc.services.visualstudio.com|0d 0a|"; http_header; content:"C|3A 5C 5C|WINDOWS|5C|"; fast_pattern; nocase; http_client_body; content:!".avg.com|0d 0a|"; http_header; content:!"bitdefender.net|0d 0a|"; http_header; classtype:trojan-activity; sid:2011341; rev:11;)

Added 2016-12-29 17:29:12 UTC

Hello. Today we met one more time an FP for System Shield™ Antivirus Software, developed by IOLO technologies, LLC.

Reference to WEB site: http://www.iolo.com/products/system-shield/

Event description:

src_ip: 192.168.0.12, dst_ip: 216.246.89.93

src_port: 58111, dst_port: 80

Additional information for destination IP address 216.246.89.93 (FQDN svc.iolo.com)

https://www.threatcrowd.org/domain.php?domain=svc.iolo.com

We have no full PCAP, unfortunately. Partial PCAP:

normal C:\\Program Files\\Lenovo\\VIRTSCRL\TPKNRSVC.exe
normal C:\\Program Files\\Common Files\\microsoft shared\\Microsoft Online Services\ioloServiceManager.exe
...........
...........
...........

Information about running services and their status is sent to the IOLO cloud service.

Taking into account that System Shield™ Antivirus is a legitimate security application, we ask you to consider a rule modification to eliminate the FP, as was done for the other AV products in this rule.

Best Regards, Thank you.

-- MaksymParpaley - 2017-02-28

Added negation for this rule. Change should go out on 3/1.

-- FrancisTrudeau - 2017-02-28


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"nvidia.com|0d 0a|"; http_header; content:!"dc.services.visualstudio.com|0d 0a|"; http_header; content:"C|3A 5C 5C|WINDOWS|5C|"; fast_pattern; nocase; http_client_body; content:!".avg.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2011341; rev:10;)

Added 2016-12-20 18:01:30 UTC

Please add an exception for BitDefender Anti Virus software.

Several lines from the same PCAP (same flow):

Example:

POST /url/status HTTP/1.1
Host: elb-nvi-amz.nimbus.bitdefender.net
User-Agent: BDNC v2.2.2.35971 Sep 22 2016 15:54:32 windows_amd64
Accept: /
Connection: Keep-Alive
Accept-Encoding: gzip,deflate
X-Nimbus-UUID: ........< cut data >
X-Nimbus-ClientID: ...........< cut data >
Content-Type: application/octet-stream
Content-Length: 63

http://autodiscover.duralogic.com/autodiscover/autodiscover.xml

HTTP/1.1 200 OK
Content-Type: application/octet-stream
Date: Thu, 22 Dec 2016 18:39:21 GMT
x-nimbus-zone: nvi-amz
X-Processing-Time: 2
Content-Length: 12
Connection: keep-alive

POST /karma/input HTTP/1.1
Host: elb-nvi-amz.nimbus.bitdefender.net
User-Agent: BDNC v2.2.2.35971 Sep 22 2016 15:54:32 windows_amd64
Accept: /
Connection: Keep-Alive
Accept-Encoding: gzip,deflate
X-Nimbus-UUID: ......< cut data >
X-Nimbus-ClientID: ......< cut data >
Content-Type: application/json
Content-Length: 693

{"method": "addJsonEvent", "id": 1, "params": {"common_fields": {"bdec_version": "3.0.3.906", "sensor_name": "com.bitdefender.avfree", "temp_device_id": "......< cut data >", "machine_architecture": "x64", "bd_locale": "UNKNOWN", "os_version": "10.0.14393", "os_type": "Windows", "bd_product_version": "1.0.4.28", "bd_user_hashed": "UNKNOWN", "ecam_version": "1.0.0.19", "bd_display_name": "Bitdefender Antivirus Free"}, "data": [{"event_name": "......< cut data >", "event_version": "1.0", "event_time": 1482432093476, "file_path": "C:\\Windows\\Temp\\......< cut data >", "process_name": "C:\\Program Files (x86)\\......< cut data >"}]}}

HTTP/1.1 200 OK
Content-Type: application/json
Date: Thu, 22 Dec 2016 18:41:05 GMT
x-nimbus-zone: nvi-amz
X-Processing-Time: 3
Content-Length: 45
Connection: keep-alive

{"id":1,"jsonrpc":"2.0","result":{"total":1}}

-- MaksymParpaley - 2016-12-26

adding content:!"bitdefender.net|0d 0a|"; http_header;

Thanks!

-- TravisGreen - 2016-12-29


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"nvidia.com|0d 0a|"; http_header; content:!"dc.services.visualstudio.com|0d 0a|"; http_header; content:"C|3A 5C 5C|WINDOWS|5C|"; fast_pattern; nocase; http_client_body; classtype:trojan-activity; sid:2011341; rev:9;)

Added 2016-10-18 11:42:28 UTC

Please add an exception. Normal AVG antivirus behavior triggers this rule while sending a scan report to the cloud (AVG CloudCare service).

POST /v1/events.aspx?account_id=xxxxxxx&device_id=xxxxxxxxxx&event_type_id=xxxxxx HTTPP/1.1
Content-Type: application/json
Host: reporting.cloudcare.avg.com
Id: 1be5e10
Connection: Keep-Alive
Content-Length: 749

{"scan_finished2":[{"event_time":1482211826,"scan_type_id":5,"finished_scan_state_id":2,"scan_id":855840742,"user_name":"SYSTEM","start_time":1482210000,"end_time":1482211826,"count_scanned":375624,"count_found_threats":2,"count_healed_threats":0,"count_actions":0,"scan_result":[{"threat_description":"Corrupted executable file","object_name":"C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Avg2015\\temp\\avg-a5404b65-00b9-465d-a0b5-cf4e9a895b59.tmp","orig_object_name":"C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Avg2015\\temp\\avg-a5404b65-00b9-465d-a0b5-cf4e9a895b59.tmp","threat_object_type_id":5,"threat_severity_id":3,"threat_state":2,"threat_type_id":0,"detection_time":1482211155,"threat_source_id":4}]}]}

HTTP/1.1 201 Created
Cache-Control: private
Content-Type: text/html
Date: Tue, 20 Dec 2016 05:30:28 GMT
id: 1be5e10
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 0
Connection: keep-alive

-- MaksymParpaley - 2016-12-20

Also please add one more exception for System Shield® AntiVirus and AntiSpyware (iolo technologies, LLC). Unfortunately we have no full PCAP.

We see that the destination host is svc.iolo.com, IP address 216.246.89.93. The security software sends a running services report in a form something like:

C: 370 : 5c 5c 57 69 6e 64 6f 77 73 5c 5c 53 79 73 74 65  \\Windows\\Syste
   380 : 6d 33 32 5c 5c 77 62 65 6d 5c 72 5c 6e 31 33 66  m32\\wbem\r\n13f
   390 : 30 20 46 6f 72 74 69 45 53 4e 41 43 2e 65 78 65  0 FortiESNAC.exe

-- MaksymParpaley - 2016-12-20


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"nvidia.com|0d 0a|"; http_header; content:!"dc.services.visualstudio.com|0d 0a|"; http_header; content:"C|3A 5C 5C|WINDOWS|5C|"; fast_pattern; nocase; http_client_body; classtype:trojan-activity; sid:2011341; rev:9;)

Added 2016-10-18 11:42:27 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"nvidia.com|0d 0a|"; http_header; content:!"dc.services.visualstudio.com|0d 0a|"; http_header; content:"C|3A 5C 5C|WINDOWS|5C|"; fast_pattern; nocase; http_client_body; classtype:trojan-activity; sid:2011341; rev:9;)

Added 2016-10-18 11:42:26 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"nvidia.com|0d 0a|"; http_header; content:!"dc.services.visualstudio.com|0d 0a|"; http_header; content:"C|3A 5C 5C|WINDOWS|5C|"; fast_pattern; nocase; http_client_body; classtype:trojan-activity; sid:2011341; rev:9;)

Added 2016-10-18 11:39:22 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"nvidia.com|0d 0a|"; http_header; content:!"dc.services.visualstudio.com|0d 0a|"; http_header; content:"C|3A 5C 5C|WINDOWS|5C|"; fast_pattern; nocase; http_client_body; classtype:trojan-activity; sid:2011341; rev:9;)

Added 2016-10-18 11:39:21 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"nvidia.com|0d 0a|"; http_header; content:!"dc.services.visualstudio.com|0d 0a|"; http_header; content:"C|3A 5C 5C|WINDOWS|5C|"; fast_pattern; nocase; http_client_body; classtype:trojan-activity; sid:2011341; rev:9;)

Added 2016-10-18 11:39:20 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious POST to WINDOWS Folder Possible Malware Infection"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"nvidia.com|0d 0a|"; http_header; content:!"dc.services.visualstudio.com|0d 0a|"; http_header; content:"C|3A 5C 5C|WINDOWS|5C|"; fast_pattern; nocase; http_client_body; classtype:trojan-activity; sid:2011341; rev:8;)

Added 2016-06-22 19:02:31 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious POST to WINDOWS Folder Possible Malware Infection"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"nvidia.com|0d 0a|"; http_header; content:!"dc.services.visualstudio.com|0d 0a|"; http_header; content:"C|3A 5C 5C|WINDOWS|5C|"; fast_pattern; nocase; http_client_body; classtype:trojan-activity; sid:2011341; rev:8;)

Added 2016-06-22 19:00:09 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious POST to WINDOWS Folder Possible Malware Infection"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"nvidia.com|0d 0a|"; http_header; content:"C|3A 5C 5C|WINDOWS|5C|"; fast_pattern; nocase; http_client_body; classtype:trojan-activity; sid:2011341; rev:7;)

Added 2015-11-30 19:15:24 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious POST to WINDOWS Folder Possible Malware Infection"; flow:established,to_server; content:"POST"; nocase; http_method; content:"C|3A 5C 5C|WINDOWS|5C|"; fast_pattern:only; nocase; classtype:trojan-activity; sid:2011341; rev:5;)

Added 2011-10-12 19:31:49 UTC

The rule fails to detect hex values. The word Windows is enough to trigger the alert.

-- EimasGeimas - 2013-05-30


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious POST to WINDOWS Folder Possible Malware Infection"; flow:established,to_server; content:"POST"; nocase; http_method; content:"C|3A 5C 5C|WINDOWS|5C|"; fast_pattern:only; nocase; classtype:trojan-activity; sid:2011341; rev:5;)

Added 2011-02-04 17:31:08 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious POST to WINDOWS Folder Possible Malware Infection"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"C|3A 5C 5C|WINDOWS|5C|"; nocase; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2011341; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Suspicious; sid:2011341; rev:2;)

Added 2010-08-14 10:19:26 UTC


Topic revision: r9 - 2017-04-10 - DarienH
This site is powered by the TWiki collaboration platform. Copyright © Emerging Threats