[Community-sigs] new sig for Win.Worm.Njrat/Bladabindi

Douglas Goddard dgoddard at sourcefire.com
Tue Dec 9 09:58:48 EST 2014


A colleague pointed out that this will alert on a file if it has '.ddns.net'
multiple times, and that does not necessarily indicate that it is
malicious. Could you revise the logic to rely on the other subsignatures?

Perhaps (0|1|2|3)>3,2 would work? Feel free to tune that second number
depending on the samples. Here is the doc for that syntax:

A>X,Y: If the SUB-EXPRESSION A refers to a single signature then this
signature must get matched more than X times; if it refers to a (logical)
block of signatures then this block must generate more than X matches and
at least Y different signatures must be matched.

Thanks!

On Mon, Dec 8, 2014 at 10:41 AM, Douglas Goddard <dgoddard at sourcefire.com>
wrote:

> Added for FP check. Thank you!
>
> On Mon, Dec 8, 2014 at 7:50 AM, <andreisaygo at live.ie> wrote:
>
>> Signature:
>>
>> Win.Worm.Njrat;Target:1;(0|1|2|3|4)>3;0A06161F2E9D06171F749D06181F6D9D06191F709D06;2e00640064006e0073002e006e0065007400;2f006b002000700069006e00670020003000200026002000640065006c0020002200;6e00650074007300680020006600690072006500770061006c006c002000610064006400200061006c006c006f00770065006400700072006f006700720061006d00;2e006c006e006b0000??57005300630072006900700074002e005300680065006c006c00
>>
>> Hashes:
>> MD5: 776d292d967e7dc6a3fb84cdb0e26017
>> SHA1: a5771318e39c4bd281caee5fbfb3616ac2ac0cf5
>> SHA256: fd2fe31018ee8f4a45402528b6e3c6bf481cc2ffb2f9465f6b0c84dcfaf16399
>>
>> PWStealer that can spread via USB drives.
>> Sig0:
>> Appends to a variable (LogsPath) the ".tmp" string.
>> Sig1:
>> .ddns.net
>> Sig2:
>> /k ping.exe 0 del "
>> Sig3:
>> netsh firewall add allowed program
>> Sig4:
>> .lnk WScript.Shell
>>
>>
>> Regards,
>> Andrei Saygo
>>
>
>
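To make the `A>X,Y` semantics discussed above concrete, here is an added Python model (not ClamAV's own engine and not code from the thread) that evaluates a single-block logical expression against per-subsignature match counts. It assumes, following the quoted documentation, that a `(a|b|...)` block's match count is the sum of its members' counts; the match profiles below are constructed, and the decoder only handles wildcard-free hex subsignatures.

```python
import re

# Accepts "(a|b|c)>X[,Y]" or "a>X[,Y]"; simplified: no nesting, no '&' or '='.
_EXPR = re.compile(r'^\((\d+(?:\|\d+)*)\)>(\d+)(?:,(\d+))?$|^(\d+)>(\d+)(?:,(\d+))?$')

def parse_logical(expr):
    """Return (subsig_ids, X, Y) for one logical expression; Y defaults to 1."""
    m = _EXPR.match(expr.replace(' ', ''))
    if not m:
        raise ValueError(f"unsupported expression: {expr}")
    if m.group(1) is not None:          # block form (a|b|c)>X,Y
        ids = [int(i) for i in m.group(1).split('|')]
        x, y = int(m.group(2)), int(m.group(3) or 1)
    else:                               # single-subsig form a>X,Y
        ids = [int(m.group(4))]
        x, y = int(m.group(5)), int(m.group(6) or 1)
    return ids, x, y

def evaluate(expr, counts):
    """counts maps subsig id -> number of times it matched in the file.
    The block must produce more than X matches in total AND hit at least
    Y distinct subsignatures (that second condition is what ',Y' adds)."""
    ids, x, y = parse_logical(expr)
    total = sum(counts.get(i, 0) for i in ids)
    distinct = sum(1 for i in ids if counts.get(i, 0) > 0)
    return total > x and distinct >= y

def decode_subsig(hexstr):
    """Decode a wildcard-free hex subsignature as the UTF-16LE string it matches."""
    return bytes.fromhex(hexstr).decode('utf-16-le')

ORIGINAL = '(0|1|2|3|4)>3'   # expression as submitted in the thread
PROPOSED = '(0|1|2|3)>3,2'    # expression suggested in the reply

# Constructed match profiles (subsig id -> hit count), not real scan results.
benign_ddns = {1: 5}                      # clean file mentioning .ddns.net five times
sample = {0: 1, 1: 2, 2: 1, 3: 1, 4: 1}   # a sample hitting every subsignature

def verdicts():
    """Show how the two expressions treat the benign file and the sample."""
    return {
        'original_on_benign': evaluate(ORIGINAL, benign_ddns),   # True: 5 hits of one subsig
        'proposed_on_benign': evaluate(PROPOSED, benign_ddns),   # False: only 1 distinct subsig
        'original_on_sample': evaluate(ORIGINAL, sample),        # True
        'proposed_on_sample': evaluate(PROPOSED, sample),        # True
    }

if __name__ == '__main__':
    print(decode_subsig('2e00640064006e0073002e006e0065007400'))  # subsig 1 of the posted sig
    for name, hit in verdicts().items():
        print(f"{name}: {hit}")
```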
