[Community-sigs] new sig for Win.Worm.Njrat/Bladabindi

andreisaygo at live.ie
Tue Dec 9 11:10:14 EST 2014


Thanks for finding that. 3,2 would work, but to be safe I suggest 3,3 :)

> Date: Tue, 9 Dec 2014 09:58:48 -0500
> From: dgoddard at sourcefire.com
> To: community-sigs at lists.clamav.net
> Subject: Re: [Community-sigs] new sig for Win.Worm.Njrat/Bladabindi
> 
> A colleague pointed out that this will alert on a file if it has '.ddns.net'
> multiple times, and that does not necessarily indicate that it is
> malicious. Could you revise the logic to rely on the other subsignatures?
> 
> Perhaps (0|1|2|3)>3,2 would work? Feel free to tune that second number
> depending on the samples. Here is the doc for that syntax:
> 
> A>X,Y: If the SUB-EXPRESSION A refers to a single signature then this
> signature must get matched more than X times; if it refers to a (logical)
> block of signatures then this block must generate more than X matches and
> at least Y different signatures must be matched.
> 
> Thanks!
> 
> On Mon, Dec 8, 2014 at 10:41 AM, Douglas Goddard <dgoddard at sourcefire.com>
> wrote:
> 
> > Added for FP check. Thank you!
> >
> > On Mon, Dec 8, 2014 at 7:50 AM, <andreisaygo at live.ie> wrote:
> >
> >> Signature:
> >>
> >> Win.Worm.Njrat;Target:1;(0|1|2|3|4)>3;0A06161F2E9D06171F749D06181F6D9D06191F709D06;2e00640064006e0073002e006e0065007400;2f006b002000700069006e00670020003000200026002000640065006c0020002200;6e00650074007300680020006600690072006500770061006c006c002000610064006400200061006c006c006f00770065006400700072006f006700720061006d00;2e006c006e006b0000??57005300630072006900700074002e005300680065006c006c00
> >>
> >> Hashes:
> >> MD5: 776d292d967e7dc6a3fb84cdb0e26017
> >> SHA1: a5771318e39c4bd281caee5fbfb3616ac2ac0cf5
> >> SHA256: fd2fe31018ee8f4a45402528b6e3c6bf481cc2ffb2f9465f6b0c84dcfaf16399
> >>
> >> PWStealer that can spread via USB drives.
> >> Sig0:
> >> Appends to a variable (LogsPath) the ".tmp" string.
> >> Sig1:
> >> .ddns.net
> >> Sig2:
> >> /k ping.exe 0 del "
> >> Sig3:
> >> netsh firewall add allowed program
> >> Sig4:
> >> .lnk WScript.Shell
> >>
> >>
> >> Regards,
> >> Andrei Saygo
> >>
> >>
> >> _______________________________________________
> >> Community-sigs mailing list
> >> Community-sigs at lists.clamav.net
> >> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
> >>
> >> http://www.clamav.net/contact.html#ml
> >>
> >
> >
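As an added worked example (not code from this thread or from ClamAV itself), the Python below decodes the UTF-16LE subsignatures of the signature posted above and applies the A>X,Y semantics quoted in the reply to the original (0|1|2|3|4)>3 block and to the proposed >3,2 and >3,3 revisions. The per-subsignature hit counts are constructed assumptions, not scan results, and the evaluator handles only the parenthesised OR-block form used here, not ClamAV's full logical-signature grammar.

```python
import re

# The logical signature exactly as posted in the thread (one ClamAV .ldb line).
SIG_LINE = (
    "Win.Worm.Njrat;Target:1;(0|1|2|3|4)>3;"
    "0A06161F2E9D06171F749D06181F6D9D06191F709D06;"
    "2e00640064006e0073002e006e0065007400;"
    "2f006b002000700069006e00670020003000200026002000640065006c0020002200;"
    "6e00650074007300680020006600690072006500770061006c006c0020006100640064002000"
    "61006c006c006f00770065006400700072006f006700720061006d00;"
    "2e006c006e006b0000??57005300630072006900700074002e005300680065006c006c00"
)
NAME, TARGET, EXPR, *SUBSIGS = SIG_LINE.split(";")

def decode_utf16_subsig(hexsig):
    """Text of a hex subsignature if it is printable UTF-16LE ('??' wildcard -> '?');
    None for non-text bodies (Sig0 here is .NET IL bytes, not a string)."""
    out = []
    for unit in (hexsig[i:i + 4] for i in range(0, len(hexsig), 4)):
        if "?" in unit:
            out.append("?")
        elif unit.endswith("00") and 0x20 <= int(unit[:2], 16) < 0x7F:
            out.append(chr(int(unit[:2], 16)))
        else:
            return None
    return "".join(out)

# Only the '(a|b|...)>X' and '(a|b|...)>X,Y' block forms used in the thread.
BLOCK_RE = re.compile(r"^\((\d+(?:\|\d+)*)\)>(\d+)(?:,(\d+))?$")
def evaluate(expr, counts):
    """Semantics quoted in the thread: more than X matches in total and, when Y is
    given, at least Y distinct subsignatures hit. counts[i] = hits of subsig i."""
    m = BLOCK_RE.match(expr)
    if not m:
        raise ValueError("unsupported logical expression: " + expr)
    members = [int(i) for i in m.group(1).split("|")]
    x, y = int(m.group(2)), int(m.group(3) or 0)
    total = sum(counts[i] for i in members)
    distinct = sum(1 for i in members if counts[i] > 0)
    return total > x and distinct >= y

# Constructed hit counts (index = subsignature number); not real scan results.
BENIGN_DDNS_ONLY = [0, 5, 0, 0, 0]  # clean file that mentions .ddns.net five times
NJRAT_LIKE = [1, 2, 1, 1, 1]        # file hitting every subsignature

if __name__ == "__main__":
    for i, s in enumerate(SUBSIGS):
        print(f"Sig{i}: {decode_utf16_subsig(s)!r}")
    for expr in (EXPR, "(0|1|2|3)>3,2", "(0|1|2|3)>3,3"):
        print(f"{expr:16} benign={evaluate(expr, BENIGN_DDNS_ONLY)}"
              f" njrat={evaluate(expr, NJRAT_LIKE)}")
```

Running it shows the benign-file counts satisfying the original >3 block purely through repeated '.ddns.net' hits, while both revised blocks reject that file and still fire on the counts that hit every subsignature.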