IOCs

Archive for the ‘Windows’ Category


Debugger Persistence Mechanism


Authored By:
TomU @c_APT_ure

Description:
This IOC detects malware that abuses the Image File Execution Options debugger mechanism to get itself injected into a legitimate system process at startup. ThreatExpert describes this with a sentence whose executable names vary: “so that [malware.exe] is injected into the execution sequence of [legit-system.exe] by being installed as its default debugger”. A Google search for these terms (restricted to ThreatExpert) currently gives 2’240 hits (sample query: “site:threatexpert.com Image File Execution Options installs default debugger injected into the execution sequence”).

Reports:
http://www.threatexpert.com/report.aspx?md5=9f7017b619c86759a5c981642c0bb521
http://www.threatexpert.com/report.aspx?md5=0b326488f7b5fc3c18641efbb6807b69
http://www.threatexpert.com/report.aspx?md5=dc6379164bf931aeba991df856fe11f8
http://www.threatexpert.com/report.aspx?md5=3ccc73f049a1de731baf7ea8915c92a8
http://www.threatexpert.com/report.aspx?md5=48352e3a034a95845864c0f6aad07d39
http://www.threatexpert.com/report.aspx?md5=5458f76466e7ae80f1a57d6038fd9f1e
http://msdn.microsoft.com/en-us/library/a329t4ed%28v=vs.71%29.aspx
http://msdn.microsoft.com/en-us/library/a329t4ed.aspx

Indicators:
OR
   AND
   Registry KeyPath contains SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
   Registry KeyPath contains .exe
   Registry ValueName is Debugger

Download:
35ac9307-155e-4272-8dc0-dd98ed6c6ac5.ioc

Ponmocup – #2


Authored By:
TomU @c_APT_ure

Description:
Detects a system infected with the Ponmocup malware (with what I think is the most common basic indicator).

Reports:
http://c-apt-ure.blogspot.com/2012/02/not-apt-but-nasty-malware-ponmocup.html
http://c-apt-ure.blogspot.com/2012/03/ponmocup-lots-changed-but-not-all.html
http://www9.dyndns-server.com:8080/pub/botnet-links.html
http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/ponmocup-analysis_2012-02-18.html
http://www.threatexpert.com/report.aspx?md5=1098b041b743fa06e276eca074042b3d
http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Ponmocup-A/detailed-analysis.aspx

Indicators:
OR
   AND
      Registry Path contains SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
      Registry Type is REG_BINARY
      OR
         Registry ValueName is 6
         Registry ValueName is 9

Download:
bcb504f2-8f2c-478d-9b25-042e8b952dc6.ioc

Zeus AnalyticDNS.com


Authored By:
@LucasErratus

Description:
This malware is a variant of the Zeus bot. Change the exe size range to make it fuzzy, so that it detects exe files in the directory the sample gets dropped to (e.g. 100000 TO 200000); that will let it catch all versions and variants that still copy to that location.

Indicators:
OR
   DnsEntryItem/Host contains myapp-ups.com
   DnsEntryItem/Host contains analyticdns.com
   File PEInfo VersionInfoList VersionInfo OriginalFilename is Y2gtqjxmvounynm.exe
   File CertificateSubject is Tfrbpcs
   File PEInfo VersionInfoList VersionInfo Companyname is Walter Hintenaus
   File PEInfo VersionInfoList VersionInfo InternalName is Lodge Tuna Angel
   File PEInfo VersionInfoList VersionInfo ProductName is Loyal
   File PEInfo VersionInfoList VersionInfo FileDescription is Seth Achoo Xiv
   Process Handle Name contains -DED2-FBD9A76483EE}
   Process Handle Name contains -6CED-298D15DD51B5}
   Process Handle Name contains -2E3B-B788507ACFBF}
   Process Handle Name contains -377E-962C6878EE14}
   AND
      OR
         AND
            File Extension is exe
            OR
               File Size is [154192 TO 154192]
               File Compile Time is 2011-07-24T05:58:28Z
         AND
            File Extension is tmp
            File Size is 0
      OR
         AND
            File Full Path contains \Users\
            File Full Path contains \AppData\Roaming\
         AND
            File Full Path contains \Application Data\
            File Full Path contains Documents
            File Full Path contains Settings

Download:
10ccb93f-970b-4f0a-8e0c-5772cdd90a20.ioc

Ramnit


Authored By:
Christopher Bentley – @cbentle2

Description:
IOC for Ramnit, advanced malware that has rootkit capabilities and has been seen to drop additional malware, including a spam engine, on the infected host.

Reports:
http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html#more
http://www.threatexpert.com/report.aspx?md5=e4633c77362e55dde5fdcda63f826c1b

Indicators:
OR
   Process StringList is \\.\631D2408D44C4f47AC647AB96987D4D5
   Process Handle Name is !IETld!Mutex
   DriverItem/StringList/string is c:\project\demetra\loader~1\drivers\ssdt\driver~1\objfre_win7_x86\i386\SdtRestore.pdb
   DriverItem/StringList/string is \Device\631D2408D44C4f47AC647AB96987D4D5
   Process StringList contains <%IDBOT%><%REMOTE={*}%><#{*} {*}#>ECHOADDSUBSETDATECONTENT POST
   DriverItem/StringList/string is 631D2408D44C4f47AC647AB96987D4D5
   AND
      Hook HookDescription is SystemCall
      Hook Hooking Module contains \LOCALS~1\Temp\
      Hook Hooked Module is ntoskrnl.exe
   AND
      Process StringList contains Micorsoft Windows Service
      Process StringList contains TANGrabber
      Process Name is services.exe
   AND
      Process arguments is not C:\WINDOWS\System32\svchost.exe -k netsvcs
      Process arguments is not C:\WINDOWS\System32\svchost -k rpcss
      Process arguments is not C:\WINDOWS\System32\svchost.exe -k LocalService
      Process arguments is not C:\WINDOWS\System32\svchost.exe -k NetworkService
      Process arguments is not C:\WINDOWS\System32\svchost -k DcomLaunch
      Process Name is svchost.exe
      Process arguments is not C:\WINDOWS\System32\svchost.exe -k imgsvc
   AND
      Process Name is svchost.exe
      OR
         Process StringList contains LOCALS~1\Temp\~TM4.tmp
         Process StringList is Hide Browser v1.1
         Process StringList is 220 220 RMNetwork FTP
         Process StringList is Ftp Grabber v1.0
         Process StringList is Virus Module v1.0 (exe, dll only)
         Process StringList is VNC Module v1.0 (Zeus Model)
         Process StringList is Byob Ernie Gild Lotto 2002-2006
         Process StringList is Reich.exe
         Process Handle Name contains CTF.Compart.MutexDefaultS-1-5-21
         Process Handle Name contains CTF.Layouts.MutexDefaultS-1-5-21
         Process Handle Name contains CTF.TMD.MutexDefaultS-1-5-21
         Process Handle Name contains CTF.TimListCache.FMPDefaultsS-1-5-21
         Process Handle Name contains CTF.Asm.MutexDefaultS-1-5-21
         Process Handle Name contains CTF.LBES.MutexDefaultS-1-5-21
         Process Handle Name contains \Start Menu\Programs\Startup
   AND
      Process StringList is X:\old_backup\Delphi\Mailer4\cl\Sources\clMailMessage.pas
      Process StringList is X:\old_backup\Delphi\Mailer4\cl\Sources\clSocket.pas
      Process StringList is X:\old_backup\Delphi\Mailer4\cl\Sources\clCertificate.pas
      Process StringList is X:\old_backup\Delphi\Mailer4\cl\Sources\clSspiTls.pas
      Process StringList is X:\old_backup\Delphi\Mailer4\cl\Sources\clTlsSocket.pas
      Process StringList is X:\old_backup\Delphi\Mailer4\cl\Sources\clSocks.pas
      Process StringList is X:\old_backup\Delphi\Mailer4\cl\Sources\clTcpClient.pas
      Process StringList is TModule_POPPeeper
      Process StringList is TModule_Eudora
      Process StringList is TModule_Gmail
      Process StringList is TModule_IncrediMail
      Process StringList is TModule_GroupMailFree
      Process StringList is TModule_VypressAuvis
      Process StringList is TModule_The_Bat
      Process StringList is TModule_Outlook0
      Process StringList is TOutlookIdentItem

Download:
5c03d9e7-c67c-45e8-aa2f-326bc5ddc76a.ioc

Duqu


Authored By:
Christopher Bentley – @cbentle2

Description:
Generic indicator for the Duqu virus, based on Stuxnet.

Reports:
http://www.symantec.com/connect/w32_duqu_precursor_next_stuxnet

Indicators:
OR
   File MD5 is 0a566b1616c8afeef214372b1a0580c7
   File MD5 is 0eecd17c6c215b358b7b872b74bfd800
   File MD5 is 4541e850a228eb69fd0f0e924624b245
   File MD5 is b4ac366e24204d821376653279cbad86
   File MD5 is e8d6b4dadb96ddb58775e6c85b10b6cc
   File MD5 is c9a31ea148232b201fe7cb7db5c75f5e
   File MD5 is f60968908f03372d586e71d87fe795cd
   File MD5 is 9749d38ae9b9ddd81b50aad679ee87ec
   File Name is cmi4432.pnf
   File Name is cmi4464.pnf
   File Name is netp191.PNF
   File Name is jiminet7.sys
   File Name is cmi4432.sys
   File Name is nfred965.sys
   File Name is nred961.sys
   File PEInfo ResourceInfoList ResourceInfo Name is 302
   Port Remote IP is 68.132.129.18
   Port Remote IP is 206.183.111.97
   Process StringList is kasperskychk.dyndns.org
   Port Remote IP is 77.241.93.160
   Service Name is JmiNET3
   Service Name is cmi4432
   Process Handle Name contains adp
   Process Handle Name contains ~DQ
   Process StringList is \DEVICE\Gdp1
   Service Path contains C:\Windows\System32\drivers
   AND
      Registry Path contains HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\
      Registry Text contains CF1D
   AND
      EventLog source is DCOM
      EventLog ID is 32212354481
      EventLog type is Error
   OR
      Hook Hooked Module is ntdll.dll

IOC File:
5add2090-312b-4628-a4f8-c42d1ca7c2a9.ioc

Generic Process Path Indicator


Authored By:
Christopher Bentley – @cbentle2

Description:
Generic indicator to identify common Windows processes not run from their default process path locations:
cmd.exe, csrss.exe, explorer.exe, lsass.exe, services.exe, spoolsv.exe, smss.exe, svchost.exe, winlogon.exe and ctfmon.exe

Indicators:
OR
   AND
       Process Name is explorer.exe
       Process path is not C:\WINDOWS\
   AND
       Process Name is cmd.exe
       Process path is not C:\WINDOWS\system32
   AND
       Process Name is lsass.exe
       Process path is not C:\WINDOWS\system32
   AND
       Process Name is services.exe
       Process path is not C:\WINDOWS\system32
   AND
       Process Name is csrss.exe
       Process path is not C:\WINDOWS\system32
   AND
       Process Name is spoolsrv.exe
       Process path is not C:\WINDOWS\system32
   AND
       Process Name is smss.exe
       Process path is not C:\WINDOWS\system32
   AND
       Process Name is svchost.exe
       Process path is not C:\WINDOWS\system32
   AND
       Process Name is winlogon.exe
       Process path is not C:\WINDOWS\system32
   AND
       Process Name is ctfmon.exe
       Process path is not C:\WINDOWS\system32

IOC File:
7fe9ed86-72f5-4444-b99e-72ae535154fa.ioc
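As an added example (not code from either post), here is a small Python evaluator for the AND/OR indicator trees used on this page, transcribing the "Debugger Persistence Mechanism" and "Generic Process Path Indicator" logic and running it over constructed registry and process records. The case-insensitive, trailing-backslash-tolerant comparison, the per-record reading of AND, and the use of spoolsv.exe where the indicator tree above reads spoolsrv.exe are my assumptions, not how any particular IOC engine evaluates these terms.

```python
# Added example, not the posts' own code: evaluate the page's AND/OR indicator trees.

def _norm(s):
    # Assumption: case-insensitive, trailing backslash ignored ("C:\WINDOWS\system32\" == "c:\windows\system32").
    return s.lower().rstrip("\\")

def _match(op, actual, expected):
    a, e = _norm(actual), _norm(expected)
    if op == "is":
        return a == e
    if op == "is not":
        return a != e
    if op == "contains":
        return e in a
    raise ValueError("unsupported operator: " + op)

def evaluate(node, record):
    """node is ("AND"|"OR", [children]) or ("term", field, op, value); every term
    of one AND must hold on the same record (one registry value, one process)."""
    if node[0] in ("AND", "OR"):
        combine = all if node[0] == "AND" else any
        return combine(evaluate(child, record) for child in node[1])
    _, field, op, value = node
    return field in record and _match(op, record[field], value)

def find_hits(ioc, records):
    return [r for r in records if evaluate(ioc, r)]
# "Debugger Persistence Mechanism" IOC, transcribed from its indicator tree.
IFEO = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"
IFEO_DEBUGGER = ("OR", [("AND", [("term", "KeyPath", "contains", IFEO),
                                 ("term", "KeyPath", "contains", ".exe"),
                                 ("term", "ValueName", "is", "Debugger")])])

# "Generic Process Path Indicator" IOC: one AND branch per (name, expected dir);
# spoolsv.exe as in the description (the indicator tree spells it spoolsrv.exe).
EXPECTED_DIR = {"explorer.exe": "C:\\WINDOWS\\"}
for _n in ("cmd.exe", "lsass.exe", "services.exe", "csrss.exe", "spoolsv.exe",
           "smss.exe", "svchost.exe", "winlogon.exe", "ctfmon.exe"):
    EXPECTED_DIR[_n] = "C:\\WINDOWS\\system32"
PROCESS_PATH = ("OR", [("AND", [("term", "Name", "is", n), ("term", "Path", "is not", d)])
                       for n, d in EXPECTED_DIR.items()])

# Constructed sample records: an IFEO debugger hijack, a benign IFEO value, an svchost.exe from a user temp dir.
REGISTRY = [
    {"KeyPath": "HKLM\\" + IFEO + "taskmgr.exe", "ValueName": "Debugger", "Value": "C:\\Users\\u\\AppData\\Roaming\\svc.exe"},
    {"KeyPath": "HKLM\\" + IFEO + "notepad.exe", "ValueName": "GlobalFlag", "Value": "0x200"}]
PROCESSES = [
    {"Name": "svchost.exe", "Path": "C:\\WINDOWS\\system32\\"},
    {"Name": "svchost.exe", "Path": "C:\\Users\\u\\AppData\\Local\\Temp"},
    {"Name": "explorer.exe", "Path": "C:\\WINDOWS"}]
```

Running `find_hits(IFEO_DEBUGGER, REGISTRY)` returns only the taskmgr.exe Debugger value, and `find_hits(PROCESS_PATH, PROCESSES)` returns only the svchost.exe started from the Temp directory.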

Morto


Authored By:
Keith Gilbert – @digital4rensics

Description:
Finds common Morto infections and alerts on either the dropper, loader, or payload. Tested with success, no FPs. DNS & Process entries have not been verified.

Category:
Worm

Reports:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Worm%3AWin32%2FMorto.A

Indicators:
OR
   DnsEntryItem/RecordName contains qfsl.net
   DnsEntryItem/RecordName contains ms.jifr
   File Full Path contains Windows\Offline Web Pages\1.40_TestDdos
   File Full Path contains Windows\Offline Web Pages\cache.txt
   File Full Path contains Windows\clb.dll
   File Full Path contains Windows\clb.dll.bak
   AND
      Registry Path contains SYSTEM\WPA
      OR
         Registry ValueName is ie
         Registry ValueName is md
         Registry ValueName is sr
         Registry Value is Sens
         Registry Value is 6to4
         Registry ValueName is sn
   AND
      Registry Path contains SYSTEM\ControlSet001\Control\Windows
      Registry ValueName is NoPopUpsOnBoot
      Registry Text is 00000001
   AND
      Registry Path contains Software\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\Layers
      Registry Value contains rundll32.exe=RUNASADMIN
   AND
      Process Name is svchost.exe
      Process StringList contains letmein
      Process Handle Name contains System32\Sens32.dll

IOC File:
326c3286-1a3c-403f-8e78-61f3ce1f3ab1.ioc

Shylock


Authored By:
Christopher Bentley

Updated On: Feb. 6 2012

Description:
Shylock, a banking Trojan discovered by Trusteer, intercepts network traffic and attempts to add malicious code to it.

Category:
Trojan

Reports:
http://quequero.org/uicwiki/index.php?title=Shylock_via_%20volatility

Indicators:
OR
   Process StringList contains _SHUTDOWN
   Process StringList contains MASTER_
   Process StringList contains EVT_VNC
   Process StringList contains EVT_BACK
   Process StringList is extensadv.cc
   Process StringList is topbeat.cc
   Process StringList is brainsphere.cc
   Process StringList is commonworldme.cc
   Process StringList is gigacat.cc
   Process StringList is nw-serv.cc
   Process StringList contains IE_Hook::GetRequestInfo
   Process StringList contains FF_Hook::getRequestInfo
   Process StringList contains EX_Hook::CreateProcess
   Port Remote IP is 178.208.75.226
   Port Remote IP is 81.177.170.135
   Port Remote IP is 88.198.50.150
   Port Remote IP is 65.55.87.173
   Port Remote IP is 91.223.180.66
   Port Remote IP is 92.60.177.233
   Port Remote IP is 92.60.177.234
   Port Remote IP is 93.190.45.75
   Process StringList contains hijackdll.dll
   Process Handle Name contains MTX_
   Process StringList is FF::PR_WriteHook entry
   Process StringList is FF::PR_WriteHook exit
   Process StringList is HijackProcessAttach::*** MASTER *** MASTER *** MASTER *** %s PID=%u
   Process StringList is HijackProcessAttach::entry
   Process StringList is FF::BEFORE INJECT
   Process StringList is FF::AFTER INJECT
   Process StringList is IE::BEFORE INJECT
   Process StringList is IE::AFTER INJECT
   Process StringList is *** VNC *** VNC *** VNC *** VNC *** VNC *** VNC *** VNC *** VNC *** VNC *** VNC *** %s
   Process StringList is *** LOG INJECTS *** %s
   Process StringList is *** inject to process %s not allowed
   Process StringList is *** BackSocks *** BackSocks *** BackSocks *** BackSocks *** BackSocks *** BackSocks *** BackSocks *** %s
   Process StringList is .?AVFF_Hook@@
   Process StringList is .?AVIE_Hook@@
   Process StringList contains Inject::InjectDllFromMemory
   Process StringList contains paragua-analyst.cc
   Process StringList contains BadSocks.dll

IOC File:
1623644e-7016-46ff-b302-07b7a75bfbe8.ioc

Trojan/PWS – Infostealer


Authored By:
Keith Gilbert – @digital4rensics

Description:
Initial reporting credited to @diocyde – IOC should detect resident files & fully infected boxes.

Category:
Trojan

Reports:
http://md5.virscan.org/92410cc3a4f6e623478a4711fe3fcb7a
http://jsunpack.jeek.org/dec/go?report=0570e7ae0c3616bf52fcae74868c7f1fcf5202c7

Indicators:
OR
   File MD5 is 92410cc3a4f6e623478a4711fe3fcb7a
   File MD5 is 7a607567f727d56f76c45e11790202a9
   File Name is ATxBtCuy.exe
   File Full Path contains Temp\HIMYM.dll
   AND
      Registry Path contains CURRENTVERSION\Run
      Registry ValueName is Disker
   AND
      Process Name is rundll32.exe
      Process Handle Name contains HIMYM.DLL

IOC File:
4f252f75-08fe-4b4d-8637-1915fa46f519