RSA FirstWatch is a team of analysts looking at emerging threats presented by new strains of malware. This research produces new feeds of known C&C IPs, domains, APT exfiltration sites and more. We are also producing some nifty new rules to detect variants of botnet beaconing, bot check-ins, known malicious user-agent strings, and more. These rules work great in our environment, which tends to be pure malware analysis, but we think some of them will be helpful to you as well. Use at your own risk; your mileage may vary. If you get any hits on these rules, be sure to give us feedback and let us know how effective they are. If you have any questions, let us know as well.
The biggest game in malware these days is still ad click fraud. Yeah, it doesn't sound sexy, but drive-by downloads are still typically used, and affected endpoints represent weaknesses in your enterprise security. Several of these rules address this; if you see large volumes of hits against adware servers, or lots of adware bundlers, you should still investigate.
Each of the rules below alerts into the Alert key. You could change this to alert into any key of your choice, such as the risk.warning key.
name="Malware Client Strings" rule="client='Trololo','installer','medialabssiteinstaller','autohotkey','tiny-dl/nix', 'dmfr', 'explorer', 'autoit', 'contype', 'user-agent: mozilla/5.0','testing', 'tiny-dl', 'rpcricheck','HardCore Software For : Public','MyLove', 'VIP_TRACKING', 'MyApp', 'hello','newbrandtest','stubinstaller','sefastsetup','ineturl/1.0','nsis_toolkitoffers','download','fucking','-','getright/6.5','windows installer','dianji-dnas/1.1'" order=89 alert=alert type=application
name="Kryptic Trojan" rule="alias.host=flbuysellrent.com, jatengtime.com, tokoyuki.com, www.agrariabroker.com.ar, ruyambayankuaforu.com" order=92 alert=alert type=application
name="Beaconing 22292" rule="service=0 && tcp.dstport=22292" order=93 alert=alert type=application
name="EsFury Worm" rule=alias.host\=www.buscaid.com,whos.amung.us order=95 alert=alert type=application
name="Apache Synapse Request" rule="client contains synapse" order=96 alert=alert type=application
name="Adware Bundler" rule="client begins 'Tightrope Bundle Manager'" order=97 alert=alert type=application
name="Jkoken Botnet" rule="alias.host=jkoken3s.com, isij2jsjhd.com," order=98 alert=alert type=application
name="Empty Directory Post" rule="action=put && filename='<none>' && directory='/'" order=99 alert=alert type=application
name=IPChecker rule="alias.host ends ipcheker.com" order=100 alert=alert type=application
name="PNG Botnet" rule="action = 'get' && extension=png, jpg && query exists" order=101 alert=alert type=application
name="Vundo Trojan" rule="alias.host=louqwesas.com, lozedlas.net, zeqsmmiwj3d.com" order=102 alert=alert type=application
name="PHP Beaconing W" rule="extension=php && query begins 'w=188'" order=103 alert=alert type=application
name="Zeus Checkin" rule="action=put && filename=login.php && referer = 'http://www.google.com'" order=104 alert=alert type=application
name="Strings Decode Download" rule=filename\=strings.txt order=105 alert=alert type=application
name="Put to WordPress Plugin Directory" rule="extension=php && action=put && directory begins '/wp-content/plugins/'" order=106 alert=alert type=application
name="UDP Botnet 16471" rule="service=0 && udp.dstport=16471" order=107 alert=alert type=application
name="Zeus Gate Checkin" rule="action=put && filename=gate.php" order=108 alert=alert type=application
name="PHP ini Checkin" rule="extension=php && query begins 'ini='" order=109 alert=alert type=application
name="PHP Put Botnet Long Query" rule="action=put && extension= php && query length 200-u" order=110 alert=alert type=application
name="Palevo Bot Checkin" rule="extension=php && client = 'explorer'" order=111 alert=alert type=application
name="Whuffug Bot Checkin" rule=filename\=whuffuq order=112 alert=alert type=application
name="PHP Put With 40x Error" rule="extension=php && action=put && error contains 40,50" order=113 alert=alert type=application
name="Wordpress Botnet Checkin" rule="extension=php && content = binary" order=114 alert=alert type=application
name="Suspicious Server Banners" rule="server='Oversee Turing v1.0.0'" order=115 alert=alert type=application
name="Zeus Get Checkin" rule="action=get && filename=login.php, posting.php && referer = 'http://www.google.com'" order=116 alert=alert type=application
name="XOR Download Direct from IP" rule="risk.suspicious = 'direct to ip http request' && risk.warning = 'xor encoded executable'" order=117 alert=alert type=application
name="Perl Installed on Host" rule="client contains pmcinit" order=118 alert=alert type=application
name="Pushdo Malware Checkin" rule="query begins 'ptrxcz_'" order=119 alert=alert type=application
name="ZBOT With Firefox" rule="browser='Firefox 3' && risk.warning begins xor" order=120 alert=alert type=application
name="Suspicious Code Signing" rule="alias.host='www.download.windowsupdate.com' && filename=authrootstl.cab, authrootseq.txt, 4eb6d578499b1ccf5f581ead56be3d9b6744a5e5.crt, 5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25.crt" order=121 alert=alert type=application
name="DirectDownloader Trojan Helpers" rule="filename=directdownloaderinstaller.exe, optimizer.exe, playvolcano79048.exe, pricepeepinstaller.exe, gamesleap79048.exe" order=122 alert=alert type=application
name="Virus Login" rule="username contains virus" order=123 alert=alert type=application
name="Ghost Protocol and Xor Encoding" rule="risk.warning begins 'ghost','xor'" order=124 alert=alert type=application
name="UDP 16464 Beaconing" rule="service=0 && udp.dstport=16464" order=127 alert=alert type=application
name="Adware Client" rule="client begins 'downloadm'" order=129 alert=alert type=application
name="QQ Download Client" rule="client contains qq" order=130 alert=alert type=application
name="Chinese Malware Installer" rule="client begins agent" order=131 alert=alert type=application
name="Known Netwitness APT Hits" rule="threat.source=netwitness && threat.category=apt" order=132 alert=alert type=application
name="Known Threats from Research" rule="threat.desc begins unspecified, 'malicious c&c'" order=133 alert=alert type=application
name="Malicious UA strings Matches" rule="client=rlmultysocket, download, 'nsisdl/1.2', v32, ie, windows installer, 'wget 3.0', fortis, generichttp/ver_str_comma, '[mozilla firefox cool]', pipiplayer, nsis_inetload, 'industry update control', babylon, yzf, myurl, mozila, iexplorer 31,' ie 9.0', 'widgitoolbar-159-847320', tionline updater v59, 'stub installer v2.15', shockwave flash, myagent, microgaming install program, 'ineturl:/1.0', http client, get mp3, 'gbot/2.3', umbra, sefastsetup, safesheild, myclearsearch helper service, get torrent, dwplayer, chek, vbtagedit, 'toutatis x.x-x, tiehttp', techbridge application loader, 'scooter-3.2.ex', 'rookie/1.0', qvoddown, mxagent, 'microsoft internet explorer 6.0', lobo lunar, 'kuku v3.04 exp', 'ie 11.0 sp6', getfiles, elucid software downloader, askinstallchecker, 'adobe update manager 6','androiddevdet','setup factory','winhinet example/1.0','google page','our_agent','tiehttp','winhttpclient','utilmind httpget','microsoft-atl-native/8.00','report'" order=134 alert=alert type=application
name="Ad Server" rule="server='mochiweb/1.1 webmachine/1.9.2 (someone had painted it blue)','qs'" order=137 alert=alert type=application
name="Ad Delivery Servers" rule="alias.host=tap2-cdn.rubiconproject.com, ib.adnxs.com, delivery.bluefinmediaads.com, crux.mevio.com, delivery.serve.m80marketing.com, delivery.swid.switchads.com, nym1.ib.adnxs.com, ping.chartbeat.net, pixel.adsafeprotected.com, meviodisplayads.com, domdex.com, pixel.invitemedia.com, delivery.a.switchadhub.com, t.pointroll.com, tap-cdn.rubiconproject.com, gslbeacon.lijit.com, t4.liverail.com, r.openx.net, showads.pubmatic.com," order=138 alert=alert type=application
name="ZeroAccess Botnet" rule="tcp.dstport=16471 && payload exists" order=140 alert=alert type=application