25.10.2017

Signatures for detecting BadRabbit network activity

Three signatures for the network activity observed from the malware:

1. DNS query for the domain 1dnscontrol.com

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"AM DNS Query for 1dnscontrol.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|1dnscontrol|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:3007646; rev:1;)

2. DNS query for a group of domains (We also found a DNS query to ACA807(x)ipt.aol[dot]com, in which the "##" is a two-digit hex number from 00-FF: ACA807##.ipt.aol[dot]com.)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"AM DNS Query for ACA807##.ipt.aol.com - BadRabbit"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|ACA807";content:"|03|ipt|03|aol|03|com|00|"; fast_pattern; nocase; distance:2; pcre:"/\x08ACA807[0-9A-F]{2}\x03ipt\x03aol\x03com\x00/i"; classtype:bad-unknown; sid:3007647; rev:1;)

3. Signature that fires on the download of flash_install.php

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"AM TROJAN BadRabbit Flash Installer Download"; flow:established,to_server; content:"flash_install.php"; http_uri; content:"Host: 1dnscontrol.com|0d 0a|"; pcre:"/flash_install\.php$/U"; reference:url,securingtomorrow.mcafee.com/mcafee-labs/badrabbit-ransomware-burrows-russia-ukraine/; classtype:trojan-activity; sid:3007648; rev:1;)
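To make the byte-level matching of the three rules above concrete, here is an added example (not part of the original post or of the rules' author) that reproduces the checks each rule performs in plain Python: the fixed DNS header bytes at offset 2 / depth 10, the wire-format QNAME labels, the case-insensitive pcre for ACA807##.ipt.aol.com, and the URI and Host header test of the HTTP rule. The DNS payloads and the HTTP request it tests are constructed inline; the helper names (dns_query, matches_sid_*) are this example's own.

```python
"""Re-implements, for illustration, the matching logic of the three BadRabbit
Snort/Suricata rules above. Sample payloads are constructed here, not captured
traffic. Added example; not code from the original post."""
import re
import struct

# Rules 1 and 2: content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2
# i.e. flags 0x0100 (standard query, RD set), QDCOUNT 1, AN/NS/ARCOUNT 0.
QUERY_HEADER_TAIL = bytes.fromhex("01 00 00 01 00 00 00 00 00 00")

# Rule 1: content:"|0b|1dnscontrol|03|com|00|"; nocase  (length-prefixed labels)
QNAME_1DNSCONTROL = b"\x0b1dnscontrol\x03com\x00"

# Rule 2: pcre:"/\x08ACA807[0-9A-F]{2}\x03ipt\x03aol\x03com\x00/i"
# The two content: options in that rule are fast-pattern prefilters for this pcre.
ACA807_RE = re.compile(rb"\x08ACA807[0-9A-F]{2}\x03ipt\x03aol\x03com\x00", re.I)


def encode_qname(hostname: str) -> bytes:
    """Encode a hostname as DNS wire-format labels: <len><label>...<0>."""
    out = b""
    for label in hostname.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dns_query(hostname: str, txid: int = 0x1234, flags: int = 0x0100) -> bytes:
    """Construct the UDP payload of an A-record query (no IP/UDP headers)."""
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_qname(hostname) + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN
    return header + question


def looks_like_query(payload: bytes) -> bool:
    """offset:2; depth:10 -> bytes 2..11 of the payload must equal the header tail."""
    return payload[2:12] == QUERY_HEADER_TAIL


def matches_sid_3007646(payload: bytes) -> bool:
    """Rule 1: standard query whose QNAME contains 1dnscontrol.com (nocase)."""
    return looks_like_query(payload) and QNAME_1DNSCONTROL.lower() in payload.lower()


def matches_sid_3007647(payload: bytes) -> bool:
    """Rule 2: standard query for ACA807 + two hex digits + .ipt.aol.com (case-insensitive)."""
    return looks_like_query(payload) and ACA807_RE.search(payload) is not None


def matches_sid_3007648(request: bytes) -> bool:
    """Rule 3: HTTP request whose URI ends in flash_install.php (pcre /flash_install\\.php$/U)
    and which carries the exact header line 'Host: 1dnscontrol.com' (content is case-sensitive)."""
    head, _, _ = request.partition(b"\r\n\r\n")
    request_line, *headers = head.split(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return False  # not a well-formed request line
    uri = parts[1]
    return uri.endswith(b"flash_install.php") and b"Host: 1dnscontrol.com" in headers


if __name__ == "__main__":
    # Constructed samples: one hit per rule, plus a near miss for rule 2
    # (label "ACA807" without the two hex digits does not satisfy the pcre).
    print(matches_sid_3007646(dns_query("1dnscontrol.com")))        # True
    print(matches_sid_3007647(dns_query("ACA8073F.ipt.aol.com")))   # True
    print(matches_sid_3007647(dns_query("ACA807.ipt.aol.com")))     # False
    print(matches_sid_3007648(
        b"GET /flash_install.php HTTP/1.1\r\nHost: 1dnscontrol.com\r\n\r\n"))  # True
```

Two details worth noticing when tuning these rules: the header check means a DNS response (flags 0x8180) for the same name does not fire, so the rules only see the client-side lookup; and the "##" in rule 2 is enforced solely by the pcre, so the rule needs the regex to stay precise even though the content: options alone would match a broader set of names.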
