alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MalDoc? Retrieving Malicious Payload (Possibly Ursnif)"; flow:established,to_server; content:".bin"; http_uri; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Microsoft BITS/"; http_header; fast_pattern:7,20; content:"Accept|3a 20|*/*|0d 0a|"; http_header; content:!"microsoft.com"; http_host; content:!"pdfcomplete.com"; http_host; content:!"mymitchell.com"; http_host; pcre:"/\.bin$/U"; metadata: former_category TROJAN; reference:md5,dbba37d4aec066a525f9cf3d9bdb27d8; classtype:trojan-activity; sid:2024420; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Microsoft_Word, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_23, performance_impact Moderate, updated_at 2017_11_22;)

Added 2017-11-22 18:59:06 UTC


Added 2017-11-22 18:57:56 UTC


Added 2017-11-22 18:56:05 UTC


Added 2017-11-22 18:55:32 UTC


Added 2017-11-22 18:41:16 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MalDoc? Retrieving Malicious Payload (Possibly Ursnif)"; flow:established,to_server; content:".bin"; http_uri; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Microsoft BITS/"; http_header; fast_pattern:7,20; content:"Accept|3a 20|*/*|0d 0a|"; http_header; pcre:"/\.bin$/U"; pcre:!"/^Host\x3a[^\r\n]+\.(?:microsoft\.com|pdfcomplete\.com|mymitchell\.com)\r?$/Hmi"; metadata: former_category TROJAN; reference:md5,dbba37d4aec066a525f9cf3d9bdb27d8; classtype:trojan-activity; sid:2024420; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Microsoft_Word, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_23, performance_impact Moderate, updated_at 2017_11_13;)

Added 2017-11-14 16:32:38 UTC

FP. PCRE negation does not work for pdfcomplete.

PCAP from FP:

GET /patch/1002/2001/4005442026se.bin HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Wed, 08 Nov 2017 20:42:38 GMT
Range: bytes=2612806-36176900
User-Agent: Microsoft BITS/7.5
Host: srv12.pdfcomplete.com


-- MaksymParpaley - 2017-11-22

This appears to be due to either an unknown PCRE bug with the Suricata engine or an issue with the traffic (cannot be tested without a pcap). I've replaced the PCRE with separate content negations which should correct this issue and prevent further FPs on the pdfcomplete domain.

-- JamesEmeryCallcott - 2017-11-22
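The following is an added worked example (not part of the ET rule set or of Suricata) that models the matching logic of rev:5 (negated PCRE over the header buffer) and rev:6 (separate content negations on http_host) in plain Python, and runs both against the false-positive request quoted above. The request is reconstructed from the post with the body omitted and the Accept value written as */* (as the rule's content match requires); the second request, against cdn.example.invalid, is a constructed host name used only to show the positive case. Python's re module is used in place of Suricata's PCRE engine, so this does not reproduce the engine behaviour that caused the FP; it shows what each revision is meant to do.

```python
import re

# Constructed from the FP request quoted in the post (body omitted,
# Accept restored to the literal */* the rule's content match requires).
FP_REQUEST = (
    "GET /patch/1002/2001/4005442026se.bin HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: identity\r\n"
    "If-Unmodified-Since: Wed, 08 Nov 2017 20:42:38 GMT\r\n"
    "Range: bytes=2612806-36176900\r\n"
    "User-Agent: Microsoft BITS/7.5\r\n"
    "Host: srv12.pdfcomplete.com\r\n"
    "\r\n"
)

# Constructed: the same request shape against a host that is NOT on the
# rule's exclusion list (example.invalid is a reserved, non-routable name).
SUSPECT_REQUEST = FP_REQUEST.replace("srv12.pdfcomplete.com", "cdn.example.invalid")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into request line fields and headers.

    header_block stands in for Suricata's http_header buffer: all header
    lines, each terminated by CRLF, without the request line.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "method": method,
        "uri": uri,
        "headers": headers,
        "header_block": "\r\n".join(header_lines) + "\r\n",
    }


# The rev:5 negated PCRE, transcribed with its /Hmi flags mapped to re.M | re.I
# (the H flag only selects the header buffer, which header_block models).
HOST_PCRE = re.compile(
    r"^Host\x3a[^\r\n]+\.(?:microsoft\.com|pdfcomplete\.com|mymitchell\.com)\r?$",
    re.M | re.I,
)

# The rev:6 replacement: three independent content negations on http_host.
HOST_DENY_SUBSTRINGS = ("microsoft.com", "pdfcomplete.com", "mymitchell.com")


def common_conditions(req):
    """Conditions shared by every revision of sid:2024420."""
    h = req["headers"]
    return (
        ".bin" in req["uri"]                                   # content:".bin"; http_uri
        and re.search(r"\.bin$", req["uri"]) is not None       # pcre:"/\.bin$/U"
        and "referer" not in h                                 # content:!"Referer|3a|"
        and h.get("user-agent", "").startswith("Microsoft BITS/")
        and h.get("accept") == "*/*"                           # content:"Accept|3a 20|*/*|0d 0a|"
    )


def matches_rev5(req):
    """rev:5 intent: alert unless the negated Host PCRE matches the header buffer."""
    return common_conditions(req) and HOST_PCRE.search(req["header_block"]) is None


def matches_rev6(req):
    """rev:6: alert unless any excluded string appears anywhere in http_host."""
    host = req["headers"].get("host", "").lower()
    return common_conditions(req) and not any(s in host for s in HOST_DENY_SUBSTRINGS)


if __name__ == "__main__":
    for label, raw in (("FP request", FP_REQUEST), ("suspect request", SUSPECT_REQUEST)):
        req = parse_request(raw)
        print(f"{label}: rev5={matches_rev5(req)} rev6={matches_rev6(req)}")
```

Under a regex engine that honours the /m anchor and the optional \r, the rev:5 PCRE does match the Host line of the FP request, so the negation should have suppressed the alert; rev:6 suppresses it by substring. The two are not equivalent: the content negations exclude any host that merely contains one of the three strings, whereas the PCRE was anchored to the end of the Host line, so exclusion strings added this way should be kept as specific as possible to avoid widening the allowlist further than intended.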


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MalDoc? Retrieving Malicious Payload (Possibly Ursnif)"; flow:established,to_server; content:".bin"; http_uri; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Microsoft BITS/"; http_header; fast_pattern:7,20; content:"Accept|3a 20|*/*|0d 0a|"; http_header; pcre:"/\.bin$/U"; pcre:!"/^Host\x3a[^\r\n]+\.(?:microsoft\.com|pdfcomplete\.com)\r?$/Hmi"; metadata: former_category TROJAN; reference:md5,dbba37d4aec066a525f9cf3d9bdb27d8; classtype:trojan-activity; sid:2024420; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Microsoft_Word, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_23, performance_impact Moderate, updated_at 2017_11_10;)

Added 2017-11-10 16:17:55 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MalDoc? Retrieving Malicious Payload (Possibly Ursnif)"; flow:established,to_server; content:".bin"; http_uri; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Microsoft BITS/"; http_header; fast_pattern:7,20; content:"Accept|3a 20|*/*|0d 0a|"; http_header; pcre:"/\.bin$/U"; pcre:!"/^Host\x3a[^\r\n]+\.microsoft\.com\r?$/Hmi"; metadata: former_category TROJAN; reference:md5,dbba37d4aec066a525f9cf3d9bdb27d8; classtype:trojan-activity; sid:2024420; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Microsoft_Word, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_23, performance_impact Moderate, updated_at 2017_07_12;)

Added 2017-08-07 21:19:47 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MalDoc? Retrieving Malicious Payload (Possibly Ursnif)"; flow:established,to_server; content:".bin"; http_uri; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Microsoft BITS/"; http_header; fast_pattern:7,20; content:"Accept|3a 20|*/*|0d 0a|"; http_header; pcre:"/\.bin$/U"; pcre:!"/^Host\x3a[^\r\n]+\.microsoft\.com\r?$/Hmi"; reference:md5,dbba37d4aec066a525f9cf3d9bdb27d8; classtype:trojan-activity; sid:2024420; rev:3;)

Added 2017-07-12 17:20:20 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MalDoc? Retrieving Malicious Payload (Possibly Ursnif)"; flow:established,to_server; content:".bin"; http_uri; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Microsoft BITS/"; http_header; fast_pattern:7,20; content:"Accept|3a 20|*/*|0d 0a|"; http_header; pcre:"/\.bin$/U"; reference:md5,dbba37d4aec066a525f9cf3d9bdb27d8; classtype:trojan-activity; sid:2024420; rev:2;)

Added 2017-06-23 17:07:38 UTC


Topic revision: r3 - 2017-11-22 - JamesEmeryCallcott