Hi there! First time ET-contributor/Snort-rules-writer. I’ve been diving into ViperSoftX after Avast’s report and did some research on my own tying domains in a DGA that I was monitoring to ViperSoftX. I catted through and didn’t see these domains in ET Open rules, so I tried my hand at writing them and tagged each domain with the report where it was first reported. The rules are here
Hey @tweedge! Glad you were able to share this, this is cool research. I'm really digging your summary/writeup as well. Awesome that you sinkholed some of the domains yourself, that's always a fun effort!
within the past 30 days, my monitoring infrastructure has served over 900,000 HTTP requests and over 3 billion DNS queries, not including caching by public DNS resolvers. Many of the DGA domains I own rank in the top 20,000 domains globally, according to Cloudflare Radar - a horrifying statistic.
That's crazy!
It looks like these rules are in Snort 2.9 format, I'll get these rules added and converted over to Suri (as needed). Suri can be optimized a bit by using the dns.query keyword for Suricata. For Suri 5+ you can include subdomains of these domains by using the dotprefix transformation.
The rules should be released in tomorrow’s ruleset.
I’ll also take a look at the two samples you included in your VT Links section and see if I can get some signatures that will “live” a bit longer based on the DNS TXT records and HTTP communication methods.
I’ll keep this thread posted with anything else I find! Thanks again.
This is super cool stuff! Please keep me updated if you find new versions as they react to your sinkhole! We’d love to do some collaborative work!
I’ve got your DNS sigs going out today and I’ve been able to get an HTTP sig for the HTTP Dropper Beacon traffic. Keep an eye out in the release details today and you’ll see the SIDs and your handle in the shoutouts!
In-Progress Work
I wasn’t able to get a DNS sig out yet today, doesn’t look too hard, I just ran out of time before our release cutoff. I’ll get this queued for the first release when we come back from the holiday.
– Update –
Added some signatures for Base64 encoded Powershell commands. It does look like an existing rule, but default disabled due to performance impact (1), to detect C2 via TXT records does fire.
Future Work
There is actually a bit of POST traffic that is generated once the dropper is able to get and then run the powershell payload. It’s a bit more complex, but I might be able to get that.
References:
2013514 - ET MALWARE Potential DNS Command and Control via TXT queries
Very cool, thank you!! This was a very neat first contribution experience - and there was a little monitoring that I was running at home for these domains which broke shortly after my router updated its copy of ET’s rules. Whoops! Totally forgot that’d happen
In the future I’ll include both Suricata rules as well! Just to confirm, is this the preferred place to share rules, or is there another method that’s preferable? Wherever works best, I’ll be there!